Session Abstract: Passkeys are a promising technology that may eventually replace the password, but many usability, backward-compatibility, and security issues hinder immediate, widespread adoption. If you are thinking about adopting passkeys, it is important to know the tradeoffs and the approaches that minimize the drawbacks.
This talk walks through several limitations of passkeys and their implications. First, passkeys offer a weaker security guarantee than the previous version of the FIDO spec. We will suggest several ways to strengthen that guarantee if your app requires one. Second, passkey management is very different from password management because of its asymmetric nature. We will discuss potential solutions that minimize the inconsistency and avoid user confusion. Third, not all devices support passkeys, and implementations are inconsistent across platforms. We will discuss detection strategies and fallback mechanisms for backward compatibility.
We will share lessons learned while implementing passkeys at Cash App, as well as the design decisions behind a seamless passkey user experience. If you are evaluating passkeys, come learn what to consider and how to avoid the landmines before adoption.