In the evolving landscape of passwordless authentication, passkeys have emerged as a promising solution to enhance security and user experience. However, like any technology, passkeys come with their own set of challenges. One significant issue that both users and developers encounter is what we call "zombie passkeys" – passkeys that exist in a limbo state between client devices and authentication servers.
Zombie passkeys occur when there's a synchronization disconnect between what's stored on a user's device and what's registered on the authentication server. This mismatch typically manifests in three common scenarios:
When a passkey's public key is deleted or invalidated on the server, but the private key still exists on the user's device. The user's device thinks the passkey is valid, but the server will reject authentication attempts using it.
The opposite scenario: a user deletes a passkey from their device, but the server still has the public key associated with their account and expects them to use it for authentication.
When a user changes their username, email address, or display name in your application, this updated information isn't automatically reflected in the passkey stored on their devices. The passkey continues to display outdated user information in the selection UI, creating confusion and a disjointed user experience.
Zombie passkeys create frustrating experiences that can undermine confidence in your authentication system:
These friction points can significantly impact user trust and satisfaction with your application.
To mitigate these issues and provide a smoother authentication experience, consider implementing these best practices:
When a user invalidates a passkey through your application:
When detecting an attempt to use an invalidated passkey:
The WebAuthn community is actively addressing the zombie passkey problem through the development of the WebAuthn Signals API. This promising extension to the WebAuthn specification will enable servers to inform client devices and credential managers about deleted or invalidated passkeys, helping to maintain synchronization between systems.
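As an added example, not Hanko's code and not taken from the specification, here is the client side of that synchronization: a small reconciler around the three methods the WebAuthn Level 3 draft defines for this purpose, `PublicKeyCredential.signalUnknownCredential`, `signalAllAcceptedCredentials` and `signalCurrentUserDetails`. It covers the first scenario (the server no longer knows the passkey, so the client asks the credential manager to drop it), a successful login (the server's full list of accepted credentials is pushed so any other stale passkey is cleaned up), and the username/display-name scenario (the updated details are pushed so the selection UI stops showing old values). The server result shape `{ok, code, userId, acceptedCredentialIds}`, with `userId` already base64url-encoded, and browser availability of the API are assumptions; the helper feature-detects and reports when it could not send a signal.

```javascript
// Added example (not Hanko's code): client-side reconciliation using the
// WebAuthn Signals API. The server result shape is an assumption.

// The Signals API takes credential and user IDs as base64url strings.
function bytesToBase64url(bytes) {
  let binary = '';
  for (const b of new Uint8Array(bytes)) binary += String.fromCharCode(b);
  const b64 = typeof btoa === 'function'
    ? btoa(binary)
    : Buffer.from(binary, 'binary').toString('base64'); // Node fallback for tests
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Feature detection: older browsers expose PublicKeyCredential without the
// signal methods, so check each one rather than the constructor alone.
function signalsSupported(pkc = globalThis.PublicKeyCredential) {
  return !!pkc
    && typeof pkc.signalUnknownCredential === 'function'
    && typeof pkc.signalAllAcceptedCredentials === 'function'
    && typeof pkc.signalCurrentUserDetails === 'function';
}

// Decide which signal (if any) a server result warrants. Pure, so it can be
// tested outside a browser. Only a definitive "not registered / revoked"
// answer maps to signalUnknownCredential: a failed signature or a transient
// server error must never make the client discard a passkey.
function planSignal(rpId, usedCredentialId, result) {
  if (result.ok) {
    return {
      method: 'signalAllAcceptedCredentials',
      payload: {
        rpId,
        userId: result.userId, // assumed base64url user handle from the server
        allAcceptedCredentialIds: result.acceptedCredentialIds,
      },
    };
  }
  if (result.code === 'CREDENTIAL_UNKNOWN' || result.code === 'CREDENTIAL_REVOKED') {
    return { method: 'signalUnknownCredential', payload: { rpId, credentialId: usedCredentialId } };
  }
  return null; // SIGNATURE_INVALID, network errors etc.: send nothing
}

// Call after every assertion attempt with the server's structured result.
async function reconcileAfterAssertion(rpId, usedCredentialId, result, pkc = globalThis.PublicKeyCredential) {
  const plan = planSignal(rpId, usedCredentialId, result);
  if (!plan) return { sent: false, method: null };
  if (!signalsSupported(pkc)) return { sent: false, method: plan.method };
  await pkc[plan.method](plan.payload);
  return { sent: true, method: plan.method };
}

// Call after a profile change so credential managers update the stored
// name/displayName. userHandle is the raw user handle bytes.
async function reconcileUserDetails(rpId, userHandle, name, displayName, pkc = globalThis.PublicKeyCredential) {
  if (!signalsSupported(pkc)) return { sent: false };
  await pkc.signalCurrentUserDetails({
    rpId, userId: bytesToBase64url(userHandle), name, displayName,
  });
  return { sent: true };
}
```

Because `planSignal` is pure and the `PublicKeyCredential` object is injectable, the mapping from server results to signals can be unit-tested without a browser, and the "unsupported" return value lets the application fall back to the error-handling and messaging approach described above when the API is absent.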
Key benefits of the Signals API include:
At Hanko, we're excited about this development and committed to implementing the Signals API as soon as it becomes available. We believe this advancement will significantly reduce the friction caused by zombie passkeys and enhance the overall security and usability of passkey-based authentication.
While zombie passkeys present challenges for both users and developers, implementing thoughtful error handling, clear communication, and resilient authentication flows can significantly improve the user experience. By understanding the limitations of current passkey implementations and preparing for upcoming improvements like the WebAuthn Signals API, developers can provide a smoother authentication experience that builds user trust.
As we continue advancing toward a passwordless future, addressing these synchronization issues becomes increasingly important. By following the best practices outlined above, you can minimize the impact of zombie passkeys while we collectively work toward more seamless authentication systems.
At Hanko, we're committed to staying at the forefront of authentication technology. Our platform is designed to handle these edge cases gracefully, and we're excited to adopt the WebAuthn Signals API as soon as it becomes available – helping you say goodbye to zombie passkeys forever.
Want to implement secure, user-friendly authentication with passkeys in your application? Get started with Hanko today and provide your users with a modern authentication experience.