
Support legacy users

Not every developer has the luxury of a greenfield project. Most likely you have existing users who authenticate using username & password or social login. You'll need to consider how best to support those users. There are several approaches, each with their own benefits and drawbacks.

TL;DR

We recommend a rolling migration to passkey authentication.

Optional Passkeys

In this scenario, users (existing and new) continue to use username/password authentication. However, they have the option of adding a passkey to their account and using it for authentication.

Benefits

  • Simplicity - There's no need to migrate legacy users onto passkeys
  • Familiarity - Users feel comfortable using passwords (despite the multitude of risks)
  • Usability - Even if they forget their password, they can use their passkey to login

Drawbacks

  • Security - All the risks and issues associated with password based authentication remain
  • Maintenance - You need to maintain two authentication mechanisms
  • Overhead - Users still need to rotate their passwords, respond to third party breaches etc.

Third party breach?

Assume Alice uses alice@gmail.com/topSecret to login to your site. She most likely uses the same credentials on other sites, which might not be as security conscious as you.

If another site is compromised, an attacker will try the same credentials on multiple sites, perhaps including yours. This is known as credential stuffing. Unfortunately there is little you can do to guard against this attack other than introducing two factor authentication.

Passkeys as two factor authentication

Users are required to use two factor authentication in addition to password authentication. They may be required to do so at login, for "unknown devices", or for particular security-critical operations. Passkeys can be used as the second factor.

Benefits

  • Security - Two factor authentication significantly improves security
  • Usability - Unlike SMS codes or TOTP authenticators, passkeys are frictionless. They're also backed up
  • Cost - SMS based verification can get expensive. Passkeys are free

Drawbacks

  • Maintenance - You need to maintain two authentication mechanisms
  • Overhead - Users still need to rotate their passwords, respond to any third party breaches etc.
  • Redundancy - Employing passwords and passkeys, especially when userVerification is set (the passkey already proves possession plus a local PIN or biometric), adds little in the way of security

Rolling Passkey migration

Users are invited to authenticate using their existing username/password, then prompted to create a passkey. Once the passkey is created, password based authentication is disabled for that user.

tip

Remember to check for browser support before asking a user to register a passkey!

Benefits

  • Security - Legacy authentication is phased out in favor of a much stronger, yet frictionless authentication
  • Low risk - No "big bang" change. Users gradually roll over to the new mechanism
  • Opt-out - If some users really don't want to use passkeys, they can retain password based authentication

Drawbacks

  • Adoption - Unless you take some enforcement action, users may continue to use their passwords
  • Usability - Some users will login with their legacy credentials, others will need to log in with their passkey. Many won't remember whether they created a passkey. See authentication flows
  • Maintenance - Until every user has migrated, you'll need to maintain the legacy code
  • Browser support - Not all browsers support passkeys (although most now do). You'll need to think about a fallback mechanism

Usability issues

Supporting multiple authentication mechanisms is nothing new; if you've implemented social login, you've already faced the issue. Fortunately there are several approaches you can take to guide users as they decide how to sign in. See our section on passkey authentication flows for more information.
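As an added illustration of the rolling migration and the "which method does this user have?" usability problem above (example code, not from the original page), here is the per-user state a server needs and the decisions it makes on it. The password hasher and the WebAuthn registration ceremony are assumed stand-ins, not part of the page.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
import hashlib
import hmac


class Method(Enum):
    PASSWORD = "password"
    PASSKEY = "passkey"


@dataclass
class User:
    username: str
    password_hash: Optional[bytes]   # None once password auth is disabled
    salt: bytes
    passkey_ids: set = field(default_factory=set)  # WebAuthn credential IDs
    opted_out: bool = False          # user chose to keep their password


def hash_password(password: str, salt: bytes) -> bytes:
    # Constructed stand-in; use argon2 or bcrypt in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def allowed_methods(user: User) -> list:
    """Identifier-first step: report which methods this account still accepts,
    so users who forgot whether they created a passkey are routed correctly."""
    methods = []
    if user.passkey_ids:
        methods.append(Method.PASSKEY)
    if user.password_hash is not None:
        methods.append(Method.PASSWORD)
    return methods


def login_with_password(user: User, password: str) -> tuple:
    """Returns (authenticated, prompt_for_passkey_enrolment)."""
    if user.password_hash is None:
        return False, False          # legacy auth already disabled for this user
    ok = hmac.compare_digest(user.password_hash, hash_password(password, user.salt))
    # Prompt enrolment only for users with no passkey who did not opt out.
    return ok, ok and not user.passkey_ids and not user.opted_out


def register_passkey(user: User, credential_id: bytes) -> None:
    """Store the credential after a verified WebAuthn registration ceremony
    (the ceremony itself is outside this example), then retire the password."""
    user.passkey_ids.add(credential_id)
    if not user.opted_out:
        user.password_hash = None
```

Once `password_hash` is cleared, the legacy path refuses the account outright, so a user who "doesn't remember" whether they migrated is routed by `allowed_methods` rather than by trial and error.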