Going passwordless: a practical guide to passkeys
Passwords are the weakest link in most breaches. Here's how we rolled out passkeys for a fintech client without locking anyone out.
The most secure password is the one that doesn't exist. Passkeys — built on the WebAuthn standard — replace shared secrets with public-key cryptography tied to a device. For a fintech client drowning in credential-stuffing attempts, the move was overdue.
Why passkeys win
With a passkey, the private key never leaves the user's device, and each signature is bound to the site that registered it, so there's nothing phishable to steal. No password to reuse, no database of hashes to breach, no SMS code to intercept.
The hard part isn't the cryptography — the browser and platform do that. The hard part is the rollout. You can't flip a switch and strand users who haven't enrolled a passkey yet.
The migration plan
- Phase 1: offer passkeys as an optional second factor.
- Phase 2: prompt enrollment at login for active users.
- Phase 3: make passkeys the default, with a recovery path for lost devices.
Account recovery is where passwordless projects live or die. We paired passkeys with a verified email and a hardware-key fallback for high-value accounts. Six months in, account takeover attempts against enrolled users dropped to effectively zero.
