WebAuthn · FIDO2 · Passkeys

The Passkey & WebAuthn Engineering Hub

Production-grade guides, cryptographic deep-dives, and battle-tested patterns for building phishing-resistant, passwordless authentication. From protocol fundamentals to backend verification — everything your team needs to ship passkeys correctly.

What you will find here

The Passkey & WebAuthn Engineering Hub is a focused technical library for teams integrating modern, passwordless authentication into web applications. Every guide targets real engineering decisions — from selecting COSE cryptographic algorithms and validating attestation certificates on the server, to designing a credential database schema that scales to millions of users.

WebAuthn eliminates shared secrets by replacing passwords with hardware-backed public key pairs. A private key is generated inside a Secure Enclave, TPM, or hardware security key and never leaves the device. Only a cryptographic proof (a signed challenge) travels over the wire — making phishing, credential stuffing, and replay attacks structurally impossible.

Whether you are building a greenfield passkey-first app, migrating legacy password flows, or hardening an enterprise identity platform to meet NIST SP 800-63B AAL2/AAL3 requirements, you will find authoritative patterns and TypeScript/JavaScript code examples throughout. Coverage spans all three layers of a deployment — the protocol, the backend verification pipeline, and the frontend where conditional mediation drives passkey autofill and progressive enhancement keeps every browser working.

Browse by section

Three deep-dive sections — protocol fundamentals, backend verification, and frontend UX — each with focused sub-topics and hands-on implementation guides.

WebAuthn & FIDO2 Protocol Fundamentals

Backend Verification & Secure Credential Storage

Frontend UX & Conditional Mediation

Deep-dive articles

Focused how-to guides that go a level deeper into specific implementation details.

How WebAuthn Prevents Phishing

The origin-binding guarantee that makes passkeys structurally immune to phishing and man-in-the-middle attacks.

Read →

FIDO2 Registration Flow: Step by Step

Every field in the registration ceremony unpacked — from PublicKeyCredentialCreationOptions to attestation verification.

Read →

WebAuthn vs Traditional OAuth Flows

Side-by-side comparison of WebAuthn assertions and OAuth2/OIDC — when to use each, and how they complement each other.

Read →

Resident vs Discoverable Credentials

When residentKey: required is the right call — and the UX and storage trade-offs it introduces.

Read →

Security Boundaries for Enterprise Apps

RP ID scoping, cross-origin authentication, and enterprise attestation policies for NIST AAL2/AAL3 compliance.

Read →

FIDO2 Challenge Generation Best Practices

Entropy requirements, storage lifetime, replay window, and safe challenge binding to session identifiers.

Read →

Signature Verification in Node.js

Using the Web Crypto API and @simplewebauthn/server to verify ES256 and RS256 signatures server-side.

Read →

Validating Attestation Statements

Packed, FIDO-U2F, and none formats — how to verify each attestation type and when to require MDS lookup.

Read →

Credential ID Lookup at Scale

Hash-based indexing, partial-match strategies, and caching patterns for sub-millisecond credential lookups.

Read →

Storing Public Keys in PostgreSQL

BYTEA vs text columns, CBOR decoding, JSONB for COSE keys, and migration scripts for credential tables.

Read →