Security

Implementing WebAuthn Passkeys in a Node.js App

A practical passkey rollout: registration flow, authentication verification, and fallback strategy for real users.

Shantanu Kumar
Chief Solutions Architect
June 14, 2023
20 min read
Updated March 2026

Passkeys solve the biggest auth issue in consumer apps: password fatigue. But rollout quality matters. A weak implementation can lock out users or create brittle fallback paths.

1) Registration ceremony

During registration, generate the challenge options on the server, bind them to the currently signed-in user, and store the challenge server-side with a short expiry so the browser's response can later be checked against it.

registration-options.js

```javascript
import { generateRegistrationOptions } from "@simplewebauthn/server";

// Builds the PublicKeyCredentialCreationOptions the browser passes to
// navigator.credentials.create(). The returned options.challenge must be
// stored server-side (keyed to user.id, short expiry) before being sent.
export function getRegistrationOptions(user) {
  return generateRegistrationOptions({
    rpName: "Dude Lemon Platform",
    rpID: "app.dudelemon.com", // must match the site's effective domain
    userID: user.id,
    userName: user.email,
    attestationType: "none", // no attestation statement needed for consumer login
    authenticatorSelection: {
      residentKey: "preferred", // discoverable credential when the authenticator supports it
      userVerification: "preferred"
    }
  });
}
```

2) Verify and persist credential metadata

After the browser returns the credential response, verify the challenge, origin, RP ID and attestation signature server-side. Persist the credential ID, public key, signature counter, transports, and device hints.

verify-registration.js

```javascript
import { verifyRegistrationResponse } from "@simplewebauthn/server";

// expectedChallenge is the value stored for this user when the options were
// generated; it must be looked up server-side, never taken from the client.
export async function verifyPasskey(registrationResponse, expectedChallenge) {
  const verification = await verifyRegistrationResponse({
    response: registrationResponse,
    expectedChallenge,
    expectedOrigin: "https://app.dudelemon.com", // exact scheme + host
    expectedRPID: "app.dudelemon.com"
  });

  if (!verification.verified) throw new Error("Passkey verification failed");
  // registrationInfo carries credential ID, public key, counter and device hints
  return verification.registrationInfo;
}
```

3) Authentication ceremony

Authentication options should be scoped to the user's known credentials whenever the user is identified up front. After each successful authentication, update the stored signature counter; a counter that fails to advance is a signal that the credential may have been cloned.

  • Expire challenges quickly (2-5 minutes).
  • Always verify origin and RP ID on backend.
  • Store audit events for passkey add/remove actions.
  • Offer secure fallback (email OTP or TOTP), not weak fallback.

“Strong auth is a product feature, not just a security checkbox.”

Dude Lemon security principle
Roll out passkeys progressively and monitor completion rate by device type.

4) Data model requirements for passkey credentials

Store credential metadata in a dedicated table keyed by user and credential ID. Include public key, counter, device type hints, transport methods, AAGUID (if available), created timestamp, and last-used timestamp. This model supports audits, revocation, and account recovery workflows.
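A credential store shaped like the table described above, as an added example that is not code from the original post. It keys records by user ID and credential ID, records add/remove audit events, soft-deletes on revocation so audits and recovery can still see what existed, and builds the `allowCredentials` list that scopes the authentication ceremony to the user's active keys. The field names on the `info` argument (`credentialId`, `publicKey`, `counter`, `deviceType`, `transports`, `aaguid`) are an assumed shape for the verified registration result, not the library's exact property names; a `Map` stands in for the database table.

```javascript
// Added example (not from the original post): minimal passkey credential
// store following the column list in the text. Map stands in for a table.
const credentials = new Map(); // key: `${userId}:${credentialId}`
const auditLog = [];          // passkey add/remove events for later review

function key(userId, credentialId) {
  return `${userId}:${credentialId}`;
}

// Persist the metadata returned by a verified registration.
// The `info` shape is an assumption for illustration.
function saveCredential(userId, info, now = Date.now()) {
  const record = {
    userId,
    credentialId: info.credentialId,          // base64url string
    publicKey: info.publicKey,                // COSE public key bytes
    counter: info.counter ?? 0,               // signature counter at enrollment
    deviceType: info.deviceType ?? "unknown", // e.g. "singleDevice" | "multiDevice"
    transports: info.transports ?? [],        // e.g. ["internal"], ["usb", "nfc"]
    aaguid: info.aaguid ?? null,              // authenticator model, if available
    createdAt: now,
    lastUsedAt: null,
    revokedAt: null,
  };
  credentials.set(key(userId, record.credentialId), record);
  auditLog.push({ type: "passkey_added", userId, credentialId: record.credentialId, at: now });
  return record;
}

// Active credentials for this user, in the shape allowCredentials expects,
// so the authentication options are scoped to known keys.
function allowCredentialsFor(userId) {
  return [...credentials.values()]
    .filter((c) => c.userId === userId && c.revokedAt === null)
    .map((c) => ({ id: c.credentialId, type: "public-key", transports: c.transports }));
}

// Record a successful use: store the new counter and the last-used timestamp.
function markUsed(userId, credentialId, newCounter, now = Date.now()) {
  const record = credentials.get(key(userId, credentialId));
  if (!record || record.revokedAt !== null) return null;
  record.counter = newCounter;
  record.lastUsedAt = now;
  return record;
}

// Soft-delete so audits and account recovery can still see what existed.
function revokeCredential(userId, credentialId, now = Date.now()) {
  const record = credentials.get(key(userId, credentialId));
  if (!record || record.revokedAt !== null) return false;
  record.revokedAt = now;
  auditLog.push({ type: "passkey_removed", userId, credentialId, at: now });
  return true;
}
```

Because revocation is a soft delete, `allowCredentialsFor` and `markUsed` both filter on `revokedAt`, so a revoked credential can neither be offered to the browser nor accepted after the fact.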

5) Migration strategy from passwords to passkeys

Migrate progressively. Allow password login while nudging users to add passkeys after successful authentication. Track enrollment rate per device family and improve UX where drop-offs are highest.

  • Phase 1: optional passkey enrollment after password login.
  • Phase 2: passkey-first UI for enrolled users.
  • Phase 3: restricted password fallback for exception cases only.
  • Phase 4: policy-based enforcement for high-risk accounts.

6) Security hardening checklist for production

  • Apply strict origin and RP ID validation.
  • Enforce challenge expiry and one-time usage.
  • Detect and investigate signature counter regressions.
  • Alert on unusual enrollment spikes by IP or ASN.
  • Require step-up verification for credential deletion actions.
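The "alert on unusual enrollment spikes" item above, worked through as an added example that is not code from the original post. It runs a sliding-window count over enrollment events grouped by IP or ASN and returns one alert per group that crosses the threshold; the events, addresses and ASN values are constructed sample data, and the window and threshold are parameters to tune per deployment.

```javascript
// Added example (not from the original post): sliding-window detector for
// passkey enrollment spikes, grouped by "ip" or "asn".
function findEnrollmentSpikes(events, { windowMs, threshold, groupBy }) {
  // Bucket timestamps by the chosen attribute.
  const byGroup = new Map();
  for (const e of events) {
    const g = e[groupBy];
    if (!byGroup.has(g)) byGroup.set(g, []);
    byGroup.get(g).push(e.ts);
  }

  const alerts = [];
  for (const [group, stamps] of byGroup) {
    stamps.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < stamps.length; end++) {
      // Shrink the window from the left until it spans at most windowMs.
      while (stamps[end] - stamps[start] > windowMs) start++;
      const count = end - start + 1;
      if (count >= threshold) {
        alerts.push({ group, count, windowEnd: stamps[end] });
        break; // one alert per group is enough for triage
      }
    }
  }
  return alerts;
}

// Constructed sample: four enrollments from one address within 30 seconds,
// and two unrelated enrollments ten minutes apart from another.
const sampleEvents = [
  { ts: 0, ip: "203.0.113.5", asn: "AS64496" },
  { ts: 10_000, ip: "203.0.113.5", asn: "AS64496" },
  { ts: 20_000, ip: "203.0.113.5", asn: "AS64496" },
  { ts: 30_000, ip: "203.0.113.5", asn: "AS64496" },
  { ts: 5_000, ip: "198.51.100.9", asn: "AS64497" },
  { ts: 600_000, ip: "198.51.100.9", asn: "AS64497" },
];
```

Run it over both `groupBy: "ip"` and `groupBy: "asn"`: a single NAT address can look like a spike while the ASN view stays quiet, and a distributed burst across one provider shows the reverse, so the two views are complementary rather than redundant.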

WebAuthn passkey implementation FAQ

Q: Can passkeys fully replace passwords today? A: For many apps yes, but enterprise and legacy edge cases still require carefully designed fallback paths.

Q: Do passkeys work across devices? A: Yes, when platform ecosystems sync credentials, but behavior varies by device and browser, so test your target mix.

Q: What is the biggest operational risk? A: Poor recovery UX. Passwordless is strong only when account recovery is equally robust.
