
Passkeys / WebAuthn

Tags: service, auth, passkeys, webauthn, passwordless, primary

Role

Phish-resistant, passwordless sign-in. The user's device (Touch ID, Face ID, Windows Hello, Android biometric, hardware key) is the authenticator; the family never holds a password.

Used as a first-class sign-in option on every site's <AccountPanel> and as the strongly recommended second factor for high-trust actions (subscription cancel, data export, journal unlock).

Free tier

Card / subscription required?

NO. Passkeys are an open W3C standard (WebAuthn level 2 / 3). Firebase's passkey integration is part of Auth — Spark plan covers it. SimpleWebAuthn is MIT-licensed.

Implementation path

  1. Primary path — Firebase Auth's passkey support. Enable passkeys in Firebase Console → Authentication → Sign-in method. Wire the JS SDK's passkey APIs into @chirag127/firebase-init so every site's <AccountPanel> shows a "Sign in with passkey" button.

  2. Escape hatch — @simplewebauthn/server on the Hono Worker. If Firebase's passkey support is incomplete for our needs (e.g. missing conditional UI, missing username-less flow, or an uncovered platform), fall back to a Worker-side WebAuthn flow:

    • /auth/passkey/register/options — issue PublicKeyCredentialCreationOptions.
    • /auth/passkey/register/verify — verify + persist credential ID + public key in Firestore under users/{uid}/passkeys/{id}.
    • /auth/passkey/authenticate/options + .../verify — the authentication side.
    • On success, mint a Firebase custom token via Firebase Admin's REST endpoint (per firebase-rest-firestore-not-admin.md) and signInWithCustomToken on the client.

    Verify Firebase's native support before adopting the escape hatch.

Alternatives

Swap cost

Medium — credential records persisted under users/{uid}/passkeys/{id} would migrate if we changed the verifier (Firebase native ↔ SimpleWebAuthn). Public-key material is portable; the wire format is the same in both directions.

Why this is our pick

Phish-resistant, hardware-backed, no shared secret. Modern browsers

Cross-refs