Why Passkeys?

Security benefits

Built on FIDO2 and WebAuthn
Browser-enforced origin binding
Strong phishing resistance
Private key never leaves the device

User experience

Device generates a key pair during registration.
Server stores only the public key.
Server sends a challenge during login.
Device signs it with the private key.
User confirms with biometrics or local device auth.

WebAuthn Implementation

Stored credential data

Persist the public key
Persist the signature counter
Optionally persist transports
Never store the private key

export const passkeys = sqliteTable('passkeys', {
  publicKey: text('public_key').notNull(),
  counter: integer('counter').notNull().default(0),
  transports: text('transports'),
});

Registration rules

Use @simplewebauthn/server
Require residentKey: 'required'
Require userVerification: 'required'
Prefer platform authenticators for one-click login

authenticatorSelection: {
  residentKey: 'required',
  userVerification: 'required',
  authenticatorAttachment: 'platform',
}