Should I use passkeys for my app?

Short answer

Yes, if you're building new auth in 2026. Passkeys eliminate password-based phishing and credential stuffing — the top two account-takeover vectors. Every modern auth platform (Clerk, Auth0, Supabase Auth) supports them. Ship passkey and password as options, with passkey as the default for new users.

Passkeys are WebAuthn credentials synced across a user's devices via iCloud Keychain, Google Password Manager, or 1Password. They solve the password-reuse and phishing problems simultaneously.

**Why you want them**

- Phishing-resistant by construction (credentials bound to origin)
- No password to reuse or lose
- Available on every modern browser + OS since 2023
- User experience: Face ID / Touch ID / Windows Hello
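
The origin binding that makes passkeys phishing-resistant comes down to a few server-side checks on every login response. The Node.js code below is an added example, not from the original page and not the API of any library named on it; it runs those checks on constructed sample data, and `app.example`, `checkAssertionBinding` and `buildSampleAssertion` are hypothetical names.

```javascript
// Added example: the relying-party checks behind "credentials bound to origin".
const { createHash } = require('node:crypto');

const RP_ID = 'app.example';                   // assumption: placeholder RP ID
const EXPECTED_ORIGIN = 'https://app.example'; // assumption: placeholder origin

const b64url = (buf) => Buffer.from(buf).toString('base64url');
const sha256 = (data) => createHash('sha256').update(data).digest();
const fail = (reason) => ({ ok: false, reason });

// Checks the origin-bound fields of a WebAuthn assertion (inputs are Buffers).
// Verifying the signature over authenticatorData || SHA-256(clientDataJSON)
// with the stored public key is still required and is out of scope here.
function checkAssertionBinding({ clientDataJSON, authenticatorData }, expectedChallenge) {
  let clientData;
  try {
    clientData = JSON.parse(Buffer.from(clientDataJSON).toString('utf8'));
  } catch {
    return fail('malformed clientDataJSON');
  }
  if (clientData?.type !== 'webauthn.get') return fail('wrong type');
  if (clientData.challenge !== b64url(expectedChallenge)) return fail('challenge mismatch');
  // The browser, not the page, writes the origin it actually loaded.
  if (clientData.origin !== EXPECTED_ORIGIN) return fail('origin mismatch');
  // authenticatorData layout: rpIdHash (32 bytes) | flags (1) | signCount (4) | ...
  if (authenticatorData.length < 37) return fail('authenticatorData too short');
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return fail('rpIdHash mismatch');
  if ((authenticatorData[32] & 0x01) === 0) return fail('user not present');
  return { ok: true, reason: 'bound to expected origin' };
}

// Constructed sample data: the fields a browser and authenticator would
// produce for a page loaded from `origin` with relying party ID `rpId`.
function buildSampleAssertion(origin, rpId, challenge) {
  const clientDataJSON = Buffer.from(
    JSON.stringify({ type: 'webauthn.get', challenge: b64url(challenge), origin }));
  const flagsAndCounter = Buffer.from([0x05, 0, 0, 0, 1]); // UP|UV, signCount = 1
  return { clientDataJSON, authenticatorData: Buffer.concat([sha256(rpId), flagsAndCounter]) };
}

const sampleChallenge = Buffer.alloc(32, 0x2a); // constructed; use random bytes per login
const genuine = buildSampleAssertion('https://app.example', 'app.example', sampleChallenge);
const lookalike = buildSampleAssertion('https://app-example.test', 'app-example.test', sampleChallenge);
console.log(checkAssertionBinding(genuine, sampleChallenge));   // ok: true
console.log(checkAssertionBinding(lookalike, sampleChallenge)); // ok: false
```

A response produced on any other origin fails before signature verification is even reached, which is why a lookalike domain cannot relay a passkey login the way it can relay a typed password.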

**What to ship**

- Passkey primary flow on signup
- Password fallback for users on unsupported devices (still ~5% of traffic)
- 'Add a passkey' prompt for existing password users
- An option to remove the password entirely, for power users who want it

**Implementation options**

- Clerk: passkey support out of the box
- Auth0: passkey via the WebAuthn connection
- Supabase Auth: adding passkey support in 2026
- Custom: @simplewebauthn/server + browser SDK

**What to skip**

- SMS-based 2FA — SIM-swap attacks make it marginal
- TOTP as only second factor — less user-friendly than passkey

Roll out carefully. Account-recovery paths must be bulletproof — losing a passkey without a recovery option is brutal UX.
