SKILL-058 Authentication and account lifecycle Locked skill

Passkeys / WebAuthn

The server stores only a public key. The private key never leaves the user's device, so there's nothing to phish and nothing to steal from your database.

01

What this skill helps you build

Let users sign in with a passkey — a phishing-resistant public-key credential bound to their device — instead of a password.

02

Inside this skill

The full skill expands these implementation areas with decisions, edge cases, prompts, tests, and framework-specific code.

Authentication and account lifecycle
What this helps you build

Passwordless sign-in backed by WebAuthn / passkeys: the user authenticates with Touch ID, Face ID, Windows Hello, or a security key, and your server verifies a cryptographic signa

When to use this

Reach for passkeys when: You want to kill passwords for sign-in, or offer a phishing-resistant upgrade alongside them. You need strong second-factor auth without SMS which is phish

The core idea

WebAuthn is public-key cryptography wrapped in two browser ceremonies. On registration the authenticator generates a key pair; the private key stays on the device, and the public
