Passkeys — synced WebAuthn credentials — became the default consumer auth in 2025-2026. They're phishing-resistant by construction (the relying party ID is part of the signature) and require no password reset flows. For new apps in 2026, password-first auth is already the legacy option.
Why passkeys won
Sync between devices (iCloud Keychain, Google Password Manager, 1Password). Same UX as Face ID/Touch ID. No password to phish. No SMS to SIM-swap. Adoption finally crossed the chasm.
The protocol
Registration: the server sends a challenge; the authenticator generates a keypair, signs the challenge with the new private key, and returns the public key. Login: the server sends a challenge; the authenticator signs it with the private key; the server verifies the signature with the stored public key. The private key never leaves the authenticator, so no secrets transit the wire after enrollment.
Backend implementation
SimpleWebAuthn (Node), webauthn4j (Java), py_webauthn (Python). Store: credential ID, public key, sign counter (anti-replay), user handle. ~150 lines of code per language.
Account recovery — the hard part
Lost device = lost passkey? No, because the passkey is synced. But cross-platform sign-in (passkey on an iPhone, need to sign in on Android) needs the QR-code-based hybrid transport. Plan for the user who has a synced passkey but only a borrowed device in hand.
Fallbacks done right
Email magic links as backup. Don't fall back to passwords — defeats the purpose. Recovery codes printable at registration. SMS only as last resort, with explicit risk warning.