FrontendInterviews.dev

Passkeys and WebAuthn for Frontend Authentication

Medium•

Registration

Credential creation

  • - Challenge-bound operation
  • - Store credential metadata

Authentication

Assertion verification

  • - Origin-bound proof
  • - Server signature verification

Recovery

Lost-device resilience

  • - Fallback design required
  • - Avoid weak bypass paths

Platform reality

Support variability

  • - Browser/device differences
  • - Cross-device UX considerations

Core Lens

Design around ceremony correctness, recovery UX, and platform support constraints.

Flow

Challenge issued→
Credential ceremony→
Assertion verify→
Session establish

WebAuthn is a browser authentication standard built on public-key cryptography. Instead of sending passwords, authenticators generate signatures proving possession of a private key associated with a particular origin.

Passkeys are a product-level evolution of WebAuthn that allow credentials to be synced across devices or stored securely in platform key stores.

Frontend systems are responsible for initiating the WebAuthn ceremonies, guiding the user through authentication UX, and handling capability differences across browsers and devices.

Quick Navigation: WebAuthn Mental Model • Why Passkeys Are Phishing Resistant • Registration Ceremony • Authentication Ceremony • Passkeys and Discoverable Credentials • Frontend UX Responsibilities • Recovery and Account Portability • Platform and Browser Variability

Quick Decision Guide

Senior-Level Decision Guide:

- Passkeys use WebAuthn public-key authentication instead of passwords. - WebAuthn relies on strict challenge verification and origin binding. - Passkeys improve phishing resistance because credentials cannot be reused across origins. - Recovery flows and cross-device usability are essential for real adoption. - Platform support and UX fallbacks must be designed intentionally.

WebAuthn Mental Model

Three primary actors participate in WebAuthn:

•Relying Party (your backend service)
•Client (browser or mobile runtime)
•Authenticator (device hardware or secure platform store)

The authenticator holds the private key. The server stores the public key.

Authentication proves possession of the private key without transmitting it.

Why Passkeys Are Phishing Resistant

WebAuthn credentials are bound to a specific origin.

This means:

•a credential created for example.com cannot authenticate on fake-example.com
•phishing pages cannot reuse captured credentials
•private keys never leave the authenticator

This origin binding is the core security improvement compared to password authentication.

Registration Ceremony

The registration ceremony creates a new credential.

Typical flow:

1. Server generates a cryptographic challenge.

2. Browser calls navigator.credentials.create().

3. Authenticator generates a new key pair.

4. Public key and attestation data are returned.

5. Server verifies the response and stores the credential.

Challenges must be short-lived and single-use to prevent replay attacks.

Authentication Ceremony

During authentication:

1. Server generates a login challenge.

2. Browser calls navigator.credentials.get().

3. Authenticator signs the challenge using the private key.

4. Server verifies the signature using the stored public key.

Successful verification proves the user controls the registered authenticator.

Passkeys and Discoverable Credentials

Passkeys are typically implemented as discoverable credentials.

This allows:

•passwordless login without entering a username
•device-level credential discovery
•account selection UX controlled by the platform

Passkeys can also sync across devices through platform credential managers.

Frontend UX Responsibilities

Frontend applications control ceremony UX and error handling.

Important UX concerns include:

•guiding users through biometric or device authentication
•handling user cancellation gracefully
•supporting conditional UI when credentials are available
•providing clear fallback paths when passkeys are unsupported

Recovery and Account Portability

Real systems must handle users losing devices or switching platforms.

Recovery mechanisms may include:

•synced passkeys across devices
•additional authenticators per account
•backup authentication methods with risk controls

Weak recovery paths can undermine the entire security model.

Platform and Browser Variability

WebAuthn capabilities vary across environments:

•platform authenticators (Touch ID, Face ID, Windows Hello)
•hardware security keys
•cross-device passkey flows

Frontend apps should detect capabilities and adapt authentication UX accordingly.

Security Pitfalls

Common implementation mistakes include:

•weak challenge lifecycle management
•incorrect RP ID or origin validation
•allowing insecure fallback paths
•storing credential metadata incorrectly

Proper verification logic on the server is critical to maintaining WebAuthn security guarantees.

Interview Rubric (Senior Level)

A strong answer should explain:

•how WebAuthn ceremonies work
•why passkeys resist phishing attacks
•how origin binding protects credentials
•UX design for authentication and recovery
•platform support differences

Strong answers connect security guarantees with real-world adoption challenges.

Key Takeaways

1Passkeys are phishing-resistant credentials built on WebAuthn public-key authentication.
2WebAuthn authentication relies on challenge-response signatures tied to origin.
3Registration and authentication ceremonies serve different security purposes.
4Passkeys often use discoverable credentials to enable username-less login.
5Recovery and device portability are essential for real-world usability.
6Frontend UX and capability detection are critical for adoption.
7Strong interview answers connect security guarantees to user experience design.
Previous
Authorization Best Practices
Complete & Next
Cookie Security: SameSite, HttpOnly, Secure