Recipe: Passkeys (WebAuthn) rollout plan
Ship WebAuthn passkeys to your user base without breaking existing password flows. Phased rollout, fallback paths, and UX guardrails.
Phase 1 — Opt-in beta
Gate behind a feature flag. Surface a “Try passkeys” banner in security settings. Register a platform authenticator via navigator.credentials.create, asking for a discoverable credential (authenticatorSelection.residentKey: "required") and passing a server-generated, single-use challenge. On the server, check the challenge, origin and rpId in the response before storing the credential ID, public key, signature counter and transports. Keep password as primary.
Phase 2 — Cross-device
Add the hybrid transport (formerly caBLE) so users can authenticate with the passkey on their phone while signing in on desktop. Call navigator.credentials.get with an empty allowCredentials list; when no local credential matches, the browser itself offers the QR code / phone option. If the user cancels or has no passkey (NotAllowedError), fall back to the password form without showing an error.
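The sign-in flow described in Phase 2, as an added example that is not part of the original recipe: it requests a discoverable credential, lets the browser handle the hybrid/QR path, and falls back to the password form only for the rejections that mean "no passkey was used". The endpoint paths /webauthn/assertion/options and /webauthn/assertion/verify are assumed names; the hints member is WebAuthn Level 3 and is ignored by browsers that do not know it. navigator and fetch are injected so the flow can be exercised with fakes.

```javascript
// Added example, not part of the original recipe: browser-side sign-in that
// tries a discoverable passkey first and falls back to the password form only
// for "no usable passkey / user dismissed" outcomes. The endpoint paths
// /webauthn/assertion/options and /webauthn/assertion/verify are assumed names.
// navigator and fetch are injected so the flow can be exercised with fakes.

function base64urlToBuffer(s) {
  const pad = "=".repeat((4 - (s.length % 4)) % 4);
  const bin = atob(s.replace(/-/g, "+").replace(/_/g, "/") + pad);
  return Uint8Array.from(bin, (c) => c.charCodeAt(0)).buffer;
}

function bufferToBase64url(buf) {
  let bin = "";
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Request options for navigator.credentials.get(). An empty allowCredentials
// asks for a discoverable credential: the browser lists local passkeys and, if
// none exist, offers the hybrid (QR code / phone) path on its own. "hints" is
// the WebAuthn Level 3 member; browsers that do not know it ignore it.
function buildRequestOptions(serverOptions, { sensitive = false } = {}) {
  return {
    publicKey: {
      challenge: base64urlToBuffer(serverOptions.challenge), // server-generated, single-use
      rpId: serverOptions.rpId,
      allowCredentials: [],
      userVerification: sensitive ? "required" : "preferred",
      timeout: 120000,
      hints: ["client-device", "hybrid"],
    },
  };
}

// Only these rejections mean "no passkey was used": user cancelled, timed out,
// no matching credential (NotAllowedError) or WebAuthn unsupported. Anything
// else (e.g. SecurityError from an rpId misconfiguration) is a real bug.
function fallbackReason(err) {
  if (!err || typeof err.name !== "string") return null;
  if (err.name === "NotAllowedError" || err.name === "NotSupportedError") return err.name;
  return null;
}

async function signIn({ nav = globalThis.navigator, fetchFn = globalThis.fetch, sensitive = false } = {}) {
  if (!nav || !nav.credentials || typeof nav.credentials.get !== "function") {
    return { method: "password", reason: "webauthn-unavailable" };
  }
  const optRes = await fetchFn("/webauthn/assertion/options", { method: "POST" });
  const serverOptions = await optRes.json();

  let cred;
  try {
    cred = await nav.credentials.get(buildRequestOptions(serverOptions, { sensitive }));
  } catch (err) {
    const reason = fallbackReason(err);
    if (reason) return { method: "password", reason }; // silent fallback to the password form
    throw err;
  }

  // Ship the raw assertion; all checks (challenge, origin, signature, flags) happen server-side.
  const body = {
    id: cred.id,
    rawId: bufferToBase64url(cred.rawId),
    type: cred.type,
    response: {
      clientDataJSON: bufferToBase64url(cred.response.clientDataJSON),
      authenticatorData: bufferToBase64url(cred.response.authenticatorData),
      signature: bufferToBase64url(cred.response.signature),
      userHandle: cred.response.userHandle ? bufferToBase64url(cred.response.userHandle) : null,
    },
  };
  const verifyRes = await fetchFn("/webauthn/assertion/verify", {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify(body),
  });
  // A rejected assertion is not a UX dead end, but it is a fraud-review event:
  // the server logs it; the client just shows the password form.
  if (!verifyRes.ok) return { method: "password", reason: "assertion-rejected" };
  return { method: "passkey", credentialId: cred.id };
}
```

The distinction in fallbackReason is the point: a cancelled or absent passkey should land on the password form quietly, but a SecurityError (rpId does not match the page origin) is a deployment bug and should surface rather than be masked by the fallback.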
Phase 3 — Promote to primary
Once adoption hits 40%, prompt remaining users to enroll. Offer a “passwordless” toggle that removes the password factor, but only enable it once the account has at least one registered passkey and unused recovery codes, so the recovery codes remain a break-glass path.
Guardrails
- Never lock a user out: always keep one fallback factor active.
- Rate-limit credential creation to 5 per hour per user.
- Verify every assertion server-side: challenge, origin, rpIdHash and signature, plus the user-presence flag.
- Log every assertion with device info (credential ID, UV and backup flags, signature counter, IP, user agent) for fraud review; a counter that does not increase is a cloning signal.
- Require user verification (userVerification: "required") for sensitive ops, and check the UV flag in authenticatorData on the server, since the client-side option is only a request.