Frequently Asked Questions
Table of Contents
- Backend Implementation for Hybrid Authentication
- Database Schema for Passkey Support
- Testing Passkey Implementation
- Migration Path - Adding Passkeys to Existing Password System
- Real-World Limitations
Can I use the first tool and the second tool together?
Yes, many users run both tools simultaneously. the first tool and the second tool serve different strengths, so combining them can cover more use cases than relying on either one alone. Start with whichever matches your most frequent task, then add the other when you hit its limits.
Which is better for beginners, the first tool or the second tool?
It depends on your background. the first tool tends to work well if you prefer a guided experience, while the second tool gives more control for users comfortable with configuration. Try the free tier or trial of each before committing to a paid plan.
Is the first tool or the second tool more expensive?
Pricing varies by tier and usage patterns. Both offer free or trial options to start. Check their current pricing pages for the latest plans, since AI tool pricing changes frequently. Factor in your actual usage volume when comparing costs.
How often do the first tool and the second tool update their features?
Both tools release updates regularly, often monthly or more frequently. Feature sets and capabilities change fast in this space. Check each tool’s changelog or blog for the latest additions before making a decision based on any specific feature.
What happens to my data when using the first tool or the second tool?
Review each tool’s privacy policy and terms of service carefully. Most AI tools process your input on their servers, and policies on data retention and training usage vary. If you work with sensitive or proprietary content, look for options to opt out of data collection or use enterprise tiers with stronger privacy guarantees.
Backend Implementation for Hybrid Authentication
To support both passkeys and passwords in production:
// Hybrid authenticator for Node.js/Express
import { verifyRegistrationResponse, verifyAuthenticationResponse } from '@simplewebauthn/server';
class HybridAuthenticator {
async registerUser(username, credentialData, passwordHash = null) {
// Store both if provided
const user = {
id: generateUserId(),
username,
passkeyCredential: null,
passwordHash: null
};
if (credentialData) {
// Passkey registration
const verified = await verifyRegistrationResponse({
response: credentialData,
expectedChallenge: challengeCache.get(username),
expectedOrigin: 'https://yourdomain.com',
expectedRPID: 'yourdomain.com',
});
user.passkeyCredential = {
credentialID: Buffer.from(verified.registrationInfo.credentialID).toString('base64'),
credentialPublicKey: verified.registrationInfo.credentialPublicKey,
counter: verified.registrationInfo.counter
};
}
if (passwordHash) {
// Fallback password
user.passwordHash = passwordHash; // Should be Argon2, not plaintext
}
await db.users.create(user);
return user;
}
async authenticateUser(username, credentials) {
const user = await db.users.findOne({ username });
if (!user) throw new Error('User not found');
// Try passkey first
if (credentials.passkey && user.passkeyCredential) {
try {
const verified = await verifyAuthenticationResponse({
response: credentials.passkey,
expectedChallenge: challengeCache.get(username),
expectedOrigin: 'https://yourdomain.com',
expectedRPID: 'yourdomain.com',
credential: {
credentialPublicKey: user.passkeyCredential.credentialPublicKey,
credentialID: user.passkeyCredential.credentialID,
counter: user.passkeyCredential.counter
}
});
if (verified.verified) {
// Update counter to detect cloned keys
user.passkeyCredential.counter = verified.authenticationInfo.newCounter;
await db.users.updateOne({ username }, user);
return { success: true, method: 'passkey' };
}
} catch (err) {
// Fall through to password attempt
console.log('Passkey auth failed, trying password');
}
}
// Fallback to password
if (credentials.password && user.passwordHash) {
const valid = await argon2.verify(user.passwordHash, credentials.password);
if (valid) {
return { success: true, method: 'password' };
}
}
throw new Error('Authentication failed');
}
}
Database Schema for Passkey Support
CREATE TABLE users (
id VARCHAR(36) PRIMARY KEY,
username VARCHAR(255) UNIQUE NOT NULL,
password_hash VARCHAR(255), -- NULL if passkey-only
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
CREATE TABLE passkey_credentials (
id VARCHAR(36) PRIMARY KEY,
user_id VARCHAR(36) NOT NULL,
credential_id BYTEA UNIQUE NOT NULL,
credential_public_key BYTEA NOT NULL,
counter INTEGER NOT NULL DEFAULT 0,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
last_used TIMESTAMP,
device_name VARCHAR(255),
FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
);
CREATE TABLE authentication_attempts (
id VARCHAR(36) PRIMARY KEY,
user_id VARCHAR(36),
method VARCHAR(20), -- 'passkey' or 'password'
success BOOLEAN,
ip_address VARCHAR(45),
user_agent VARCHAR(500),
attempted_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
);
-- Detect potential attacks
CREATE INDEX idx_failed_attempts ON authentication_attempts(user_id, success, attempted_at)
WHERE success = false;
Testing Passkey Implementation
Test passkey registration with curl
curl -X POST https://yourdomain.com/api/auth/register/start \
-H "Content-Type: application/json" \
-d '{"username": "testuser"}'
Response contains challenge for passkey to sign
Client signs challenge using WebAuthn API
Then send signed response:
curl -X POST https://yourdomain.com/api/auth/register/complete \
-H "Content-Type: application/json" \
-d '{
"username": "testuser",
"credential": {
"id": "...",
"rawId": "...",
"response": {...},
"type": "public-key"
}
}'
Migration Path - Adding Passkeys to Existing Password System
For services with millions of existing password users:
- Phase 1 (Month 1-2): Add passkey option alongside password login
- Deploy passkey registration UI
- Do not require it yet
- Gather adoption metrics
- Phase 2 (Month 3-4): Encourage passkey adoption
- Show promotion to users logging in
- Offer incentives (reduced 2FA friction)
- Measure conversion rate
- Phase 3 (Month 5-6): Make passkey preferred
- Default to passkey during registration
- Offer password as fallback
- Maintain both indefinitely
- Phase 4 (Month 7+): Support both permanently
- Never force password-only users to switch
- But encourage it during account recovery flows
- Maintain password support for accessibility
This approach maintains backward compatibility while transitioning toward better security.
Real-World Limitations
Passkeys solve phishing, but not everything:
- SIM swaps: If attacker controls your phone number, they might reset your account
- Compromised device: If your phone/computer is hacked, attacker can use your passkey
- Backup recovery: Losing all devices means losing all passkeys (unless you set up recovery)
- App-specific issues: Some banking apps don’t support passkeys yet (2026 state)
Passkeys are significantly better than passwords, but they’re not a complete security solution without additional layers (like unusual login location alerts).
Related Articles
- Passkey Adoption Timeline by Platform: A Developer Guide
- Best Hardware Security Key Comparison: A Developer’s Guide
- YubiKey vs Titan Security Key: A Developer Comparison
- Password Manager Autofill Security Risks
- Password Manager Clipboard Security Best Practices
- AI Coding Assistant Session Data Lifecycle
Built by theluckystrike. More at zovo.one