
Zombie passkeys: The hidden challenge of passkey authentication

In the evolving landscape of passwordless authentication, passkeys have emerged as a promising solution to enhance security and user experience. However, like any technology, passkeys come with their own set of challenges. One significant issue that both users and developers encounter is what we call "zombie passkeys" – passkeys that exist in a limbo state between client devices and authentication servers.

What are zombie passkeys?

Zombie passkeys occur when there's a synchronization disconnect between what's stored on a user's device and what's registered on the authentication server. This mismatch typically manifests in three common scenarios:

1. Server-side invalidation

This happens when a passkey's public key is deleted or invalidated on the server while the private key still exists on the user's device. The device still treats the passkey as valid, but the server will reject any authentication attempt that uses it.

2. Client-side deletion

The opposite scenario: a user deletes a passkey from their device, but the server still has the public key associated with their account and expects them to use it for authentication.

3. Identity information mismatch

When a user changes their username, email address, or display name in your application, this updated information isn't automatically reflected in the passkey stored on their devices. The passkey continues to display outdated user information in the selection UI, creating confusion and a disjointed user experience.

The user experience impact

Zombie passkeys create frustrating experiences that can undermine confidence in your authentication system:

  • Users attempt to use a suggested passkey during login, only to receive cryptic error messages like "This passkey cannot be used anymore."
  • Users must navigate to their device's credential management system (Apple's Passwords app, Google Password Manager, 1Password, etc.) to manually identify and delete invalidated passkeys.
  • Without proper cleanup, the same invalid passkey can be repeatedly offered to users during authentication attempts, creating a cycle of failed logins.
  • When a passkey has been deleted from a device but the server still expects it, users encounter authentication flows requesting credentials they no longer possess.

These friction points can significantly impact user trust and satisfaction with your application.

Best practices for managing zombie passkeys

To mitigate these issues and provide a smoother authentication experience, consider implementing these best practices:

1. Clear communication during passkey management

When a user invalidates a passkey through your application:

  • Explicitly inform them that the passkey still exists on their device
  • Provide guidance on how to remove it from credential managers
  • Consider offering step-by-step guides for common platforms

2. Graceful error handling

When detecting an attempt to use an invalidated passkey:

  • Provide meaningful feedback explaining that the passkey is no longer valid
  • Automatically offer alternative authentication methods if possible
  • If your server knows the user has other valid passkeys, suggest using those instead
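The two practices above, invalidating a passkey with a plain explanation (practice 1) and classifying a rejected assertion into something the client can act on (practice 2), as an added server-side example in JavaScript. This is not Hanko's code. It assumes an in-memory store where each credential is kept as an object with a base64url credential ID and a revokedAt timestamp, that the login flow has already identified the user from the assertion's userHandle (so listing that user's other active passkeys discloses nothing to an unauthenticated caller), and that the relying-party ID, the sample users and the help URL are constructed placeholders.

```javascript
// Added example (not Hanko's code): server-side sketch of practices 1 and 2.
// Assumptions: credentials are stored per user as { id (base64url string),
// publicKey, revokedAt }, and the login flow has already identified the user
// from the assertion's userHandle, so the list of that user's remaining active
// passkeys is only ever returned for an identified account.

const RP_ID = 'example.com'; // constructed relying-party ID

// Constructed sample store: alice holds two passkeys, one already revoked.
const users = new Map([
  ['alice', {
    userHandle: 'dXNlci1hbGljZQ', // base64url("user-alice"), constructed
    credentials: [
      { id: 'cred-A1', publicKey: '<cose key>', revokedAt: null },
      { id: 'cred-A2', publicKey: '<cose key>', revokedAt: '2024-05-01T10:00:00Z' },
    ],
  }],
]);

function findUserByHandle(userHandle) {
  for (const user of users.values()) {
    if (user.userHandle === userHandle) return user;
  }
  return null;
}

function activeCredentialIds(user) {
  return user.credentials.filter((c) => c.revokedAt === null).map((c) => c.id);
}

// Practice 1: invalidate the passkey server-side and tell the user plainly that
// the private key is still on their device and where to remove it.
function revokePasskey(username, credentialId, now = new Date()) {
  const user = users.get(username);
  const credential = user?.credentials.find((c) => c.id === credentialId);
  if (!credential) return { ok: false, message: 'No such passkey on this account.' };
  if (credential.revokedAt === null) credential.revokedAt = now.toISOString();
  return {
    ok: true,
    message:
      'This passkey no longer works for your account, but it is still stored on ' +
      'your device. Delete it from your credential manager so it is not offered ' +
      'again at sign-in.',
    cleanupGuide: 'https://example.com/help/remove-passkey', // placeholder URL
  };
}

// Practice 2: classify an assertion before signature verification. Returns
// { status: 'verify', credential } so the caller can check the signature, or a
// structured error that explains the problem and points at a way forward.
function classifyAssertion({ credentialId, userHandle }) {
  const user = findUserByHandle(userHandle);
  if (!user) {
    return { status: 'unknown-user', message: 'No account matches this passkey.', fallback: ['email-otp'] };
  }
  const credential = user.credentials.find((c) => c.id === credentialId);
  if (credential && credential.revokedAt === null) {
    return { status: 'verify', credential };
  }
  const alternatives = activeCredentialIds(user);
  return {
    status: 'unknown-credential',
    message: credential
      ? 'This passkey was removed from your account and can no longer be used.'
      : 'This passkey is not registered to your account.',
    zombie: { rpId: RP_ID, credentialId },      // the stale passkey the client should drop
    alternatives,                               // other active passkeys to suggest instead
    fallback: ['email-otp', 'recovery-code'],   // offered when no passkey will do
  };
}
```

The caller runs classifyAssertion before doing any cryptographic work, so a revoked or unknown credential never reaches signature verification; the message text distinguishes "removed from your account" (scenario 1) from "never registered", which is the wording a user can actually act on.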

3. Design resilient authentication flows

  • Don't assume passkeys will always be available – devices get lost, reset, or replaced
  • Implement appropriate fallback mechanisms aligned with your security requirements
  • When falling back to weaker authentication methods, consider multi-factor authentication options that blend security with convenience

4. Keep user identity information current

  • When users update their profile information, suggest creating a new passkey with updated information
  • Provide an easy way to replace outdated passkeys with current ones
  • Clearly explain why updating passkeys after identity changes improves their experience

The future: WebAuthn Signals API

The WebAuthn community is actively addressing the zombie passkey problem through the development of the WebAuthn Signals API. This promising extension to the WebAuthn specification will enable servers to inform client devices and credential managers about deleted or invalidated passkeys, helping to maintain synchronization between systems.

Key benefits of the Signals API include:

  • Automatic cleanup of invalidated passkeys on user devices
  • Reduced confusion in the credential selection interface
  • Improved overall authentication reliability
  • Better synchronization between authentication servers and client devices
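What the client side of this synchronization looks like, as an added example in JavaScript that is neither Hanko's code nor reference code from the specification. It uses the three method names from the WebAuthn Level 3 draft, PublicKeyCredential.signalUnknownCredential, signalAllAcceptedCredentials and signalCurrentUserDetails, which map onto scenarios 1 and 3 above; the page describes the API as upcoming, so applySignal feature-detects it and reports a no-op where the browser lacks it. The shape of the server error consumed by onAssertionRejected (a zombie field carrying rpId and credentialId) is an assumption of this example.

```javascript
// Added example (not Hanko's code, not the spec's reference code): browser-side
// helpers that build the option objects for the three WebAuthn Signals API
// methods named in the WebAuthn Level 3 draft. applySignal checks for the API
// first, so the file also runs under Node, where it reports applied: false.
// The server response shape handled by onAssertionRejected is assumed.

const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// Unpadded base64url, the encoding the Signals API expects for IDs.
function base64url(bytes) {
  let out = '';
  for (let i = 0; i < bytes.length; i += 3) {
    const a = bytes[i], b = bytes[i + 1], c = bytes[i + 2];
    out += B64URL[a >> 2];
    out += B64URL[((a & 3) << 4) | ((b ?? 0) >> 4)];
    if (b === undefined) break;
    out += B64URL[((b & 15) << 2) | ((c ?? 0) >> 6)];
    if (c === undefined) break;
    out += B64URL[c & 63];
  }
  return out;
}

// Accepts credential.rawId / userHandle (ArrayBuffer or typed array) or an
// already-encoded string, as the server usually stores IDs.
function toBase64url(value) {
  if (typeof value === 'string') return value;
  return base64url(new Uint8Array(value));
}

function signalsSupported(method) {
  return typeof PublicKeyCredential !== 'undefined' &&
    typeof PublicKeyCredential[method] === 'function';
}

// Scenario 1 (server-side invalidation): one credential the server just rejected.
function unknownCredentialSignal(rpId, credentialId) {
  return { rpId, credentialId: toBase64url(credentialId) };
}

// Same scenario after a successful sign-in: the full set of credentials the
// server still accepts for this user, so the client prunes everything else.
function allAcceptedCredentialsSignal(rpId, userId, credentialIds) {
  return {
    rpId,
    userId: toBase64url(userId),
    allAcceptedCredentialIds: credentialIds.map(toBase64url),
  };
}

// Scenario 3 (identity mismatch): refresh what the credential picker shows.
function currentUserDetailsSignal(rpId, userId, name, displayName) {
  return { rpId, userId: toBase64url(userId), name, displayName };
}

async function applySignal(method, options) {
  if (!signalsSupported(method)) return { applied: false, method, options };
  await PublicKeyCredential[method](options);
  return { applied: true, method, options };
}

// Client reaction to a structured "unknown credential" error from the server,
// assumed to look like { status: 'unknown-credential', zombie: { rpId, credentialId } }.
function onAssertionRejected(serverResponse) {
  if (serverResponse?.status !== 'unknown-credential' || !serverResponse.zombie) return null;
  const { rpId, credentialId } = serverResponse.zombie;
  return applySignal('signalUnknownCredential', unknownCredentialSignal(rpId, credentialId));
}
```

Only the unknown-credential signal is sent from a failed, unauthenticated login, since the credential ID it names is one the client just presented. The all-accepted-credentials and current-user-details signals are sent only after the user has authenticated (after sign-in, or after a profile change in an authenticated session): they name a userId, and a page that could fire them for arbitrary users would be able to prune or relabel someone else's passkeys.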

At Hanko, we're excited about this development and committed to implementing the Signals API as soon as it becomes available. We believe this advancement will significantly reduce the friction caused by zombie passkeys and enhance the overall security and usability of passkey-based authentication.

Conclusion

While zombie passkeys present challenges for both users and developers, implementing thoughtful error handling, clear communication, and resilient authentication flows can significantly improve the user experience. By understanding the limitations of current passkey implementations and preparing for upcoming improvements like the WebAuthn Signals API, developers can provide a smoother authentication experience that builds user trust.

As we continue advancing toward a passwordless future, addressing these synchronization issues becomes increasingly important. By following the best practices outlined above, you can minimize the impact of zombie passkeys while we collectively work toward more seamless authentication systems.

At Hanko, we're committed to staying at the forefront of authentication technology. Our platform is designed to handle these edge cases gracefully, and we're excited to adopt the WebAuthn Signals API as soon as it becomes available – helping you say goodbye to zombie passkeys forever.

Want to implement secure, user-friendly authentication with passkeys in your application? Get started with Hanko today and provide your users with a modern authentication experience.
