A production-focused guide to shipping passkeys beyond the demo stage, covering the real-world gaps developers encounter with WebAuthn. Topics include the correct data model for storing credentials (including backupEligible/backupState flags), account recovery strategies, cross-device authentication edge cases, and a catalog of real production failures (Safari cookie issues, subdomain RP ID splits, counter rollback, exclude list explosions). Includes working server-side code using SimpleWebAuthn, browser compatibility notes for mid-2026, and strong advice to keep passwords as a fallback during rollout rather than deleting them on passkey enrollment.
Table of contents

What Passkeys Actually Are, Stripped of Marketing
The Protocol in One Page
The Account Model You Actually Need
The Recovery Problem
The Cross-Device Reality
What Breaks in the Wild
The Code That Holds Up
The Browser Compatibility Floor in 2026
What I Would Tell My Past Self
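As an added illustration of two of the items the summary lists, the backupEligible/backupState data model and counter rollback, here is the post-assertion update step a relying party runs against its stored credential record. This is example code, not the guide's or SimpleWebAuthn's own; the assertion object is assumed to carry the field names SimpleWebAuthn's verifyAuthenticationResponse() reports (newCounter, credentialBackedUp, credentialDeviceType), and the checks follow the WebAuthn L3 verification steps for the sign counter and the BE/BS flags.

```javascript
// Added example (not from the guide). Apply a verified assertion to the
// stored passkey record, rejecting the two signals the guide's "what breaks"
// section warns about: a signature counter that fails to advance, and a
// backup-eligibility flag that differs from the one captured at enrollment.
//
// stored:    { id, publicKey, counter, backupEligible, backupState, transports }
// assertion: assumed shape of SimpleWebAuthn's authenticationInfo:
//            { newCounter, credentialBackedUp, credentialDeviceType }
function applyAssertion(stored, assertion) {
  const { newCounter, credentialBackedUp, credentialDeviceType } = assertion;
  const nowEligible = credentialDeviceType === 'multiDevice'; // BE flag

  // Sign counter (WebAuthn L3 7.2): only meaningful if either side is
  // non-zero. Synced passkeys legitimately report 0 forever, so 0 -> 0 is
  // fine; a non-increasing counter otherwise indicates a possible clone.
  if (stored.counter !== 0 || newCounter !== 0) {
    if (newCounter <= stored.counter) {
      return { ok: false, reason: 'counter-rollback', record: stored };
    }
  }

  // BE is fixed at registration and must match on every assertion; a
  // mismatch means the key we were told about is not the key we enrolled.
  if (nowEligible !== stored.backupEligible) {
    return { ok: false, reason: 'backup-eligible-changed', record: stored };
  }

  // BS (backupState) may change as sync is turned on or off; persist it so
  // recovery logic knows whether this credential survives device loss.
  const record = {
    ...stored,
    counter: newCounter,
    backupState: credentialBackedUp,
  };
  return { ok: true, reason: null, record };
}
```

Persist the returned record only when ok is true; on a rejection, the stored record is returned unchanged so the caller can log the reason without mutating state.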