Getting Started with Passkeys in the Digital World Hey there, if you've been diving into modern web tech, you might've come across passkeys—they're like the cool new way to ditch those pesky passwords for good. But here's a head-scratcher that pops up a lot: even with all this fancy passwordless magic, why do you still have to set up an account with a username or email, and sometimes even a traditional password, right at the beginning? Let's break it down step by step, like we're chatting over coffee. The Basics of What Passkeys Actually Do Imagine passkeys as your personal digital keychain, powered by tech like WebAuthn standards. They're designed to let you log in using biometrics, like your fingerprint or face scan, or even hardware tokens, without ever typing out a password. The goal? Make things safer and smoother by cutting out weak links like easily guessed passwords. But the setup phase? That's where things get interesting, and it's not as contradictory as it seems. Why the Initial Account and Password Step Isn't Going Away Think about it this way: when you're creating a fresh account on a site or app, the system needs a reliable way to identify you from the get-go. That's where your email or username comes in—it's like your unique address in the online universe. Without it, how would the service know who you are or send you recovery info if something goes wrong? Now, tossing in a password during this creation might feel outdated, but it's often there as a safety net. Not every device supports passkeys yet, and some folks might need a fallback for older browsers or when they're on a shared computer. Identity Verification: Services use your email to confirm you're real and to handle things like two-factor checks. Recovery Options: If you lose access to your passkey device, that initial password can be a lifesaver for getting back in. Backward Compatibility: Not all platforms are fully passkey-ready, so blending old and new methods ensures everyone can join in. How This Plays Out in Real Scenarios Picture signing up for a new banking app. You pick an email, set a temporary password, and then the app prompts you to create a passkey. That first password might stick around for emergencies, but once your passkey is active, you can wave goodbye to typing it in daily. It's all about building a secure foundation before going fully hands-off. For more on the tech behind this, check out the WebAuthn Guide—it's a solid resource for geeking out on the details. And if you're curious about implementing this yourself, here's a quick code snippet to illustrate a basic passkey flow:⛶title: [TIL] Why the Passkeys process still requires an account and password when creating an account?
published: false
date: 2022-12-09 00:00:00 UTC
tags:
canonical_url: http://www.evanlin.com/til-why-passkeys-need-idpw/
---


# Background:

I wrote an article about [Passkeys after WWDC](https://www.evanlin.com/til-apple-passkeys/). As a result, I saw an interesting tweet a few days ago, which made me re-examine how familiar I am? What are the differences in the actual Passkeys process (first time and subsequent times)? This article will summarize this part.

# (Updated 2022/12/10) If it's the first time creating an account, how many steps are required? Why?


The tweet I saw before mentioned why [Yubico/java-webauthn-server has nearly 21 steps](https://github.com/Yubico/java-webauthn-server#architecture)? This also made me curious to check the original meaning of the related process:


(Pic from [https://github.com/Yubico/java-webauthn-server#architecture](https://github.com/Yubico/java-webauthn-server#architecture))

According to the diagram of this component, everyone will be very curious. Here, you need to combine it with another diagram to see:


- **Step: 1 ~ 4:**
- When creating an account, because it needs to support older browsing devices (browsers/OS), you still need an account and password here. The entire process is the same as the previous database, but the following process is a bit different.
- If there is a User-Agent that supports Passkeys and doesn't need Backward Compatibility, you actually don't need 1 ~ 4 (but you should have them).
- **Step: 5:**
- This is based on the [PKCE method](https://www.evanlin.com/go-oauth-pkce/) to generate a Challenge, which is a value that has been AES encrypted.
- **Step 6 ~ 9:**
- At this time, you can generate a credential ID (optional) and return it to the client side as the value generated by the client agent.
- User-Agent may pass Challenge + credential command + credential ID
- **Step 9 ~ 18:**
- This is where the Client Agent will be activated to open the Passkeys support login process.
- The encrypted credential is transmitted to the server side through private encryption.
- After decrypting with the Public key that was accessed before, confirm whether it is the same credential ID.
- **Step 18 ~ 21:**
- Registration is completed after Auth is completed.

### Several key points are:

- The related process is definitely more cumbersome than the original ID/PW (may be more selective of devices).
- But after the first registration is completed, if the device allows it, you don't need to enter ID / PW afterwards.
- The demo example also uses Passkeys from the first time, but this often cannot be used universally for older devices.

# Passkeys Login Experience



# Support for related devices


(From: [https://www.passkeys.io/](https://www.passkeys.io/))

Here you can see that the WebAuthn called inside Passkeys is actually related to the App and OS version of the browser. So if you want to fully implement the Passkeys system as soon as possible, it is actually the browser support. If it is natively supported by a system similar to Apple, it can also be implemented in the development of the App as soon as possible.

# Finally


(From: [WWDC22 Session: Meet passkeys](https://developer.apple.com/videos/play/wwdc2022/10092/) )

As in the end of this video, Passkeys is not about saving the entire login process. Instead, it is about enhancing the security and user convenience of the entire login process. In order to achieve the true Password-less realm, it actually requires the cooperation of many industries:

- The server side needs to use WebAythn to write its own login application.
- And keep the versions of the related servers up to date
- Also remind users to use the latest version of the phone (seems simpler).

# Reference

- [Apple Doc: Supporting Passkeys](https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_passkeys)
- [WWDC22 Session: Meet passkeys](https://developer.apple.com/videos/play/wwdc2022/10092/)
- [WWDC21 Session: Move beyond passwords](https://developer.apple.com/videos/play/wwdc2021/10106/)
- [FIDO2: Web Authentication (WebAuthn)](https://fidoalliance.org/fido2-2/fido2-web-authentication-webauthn/)
- [Passkeys for web authentication](https://www.hanko.io/blog/passkeys-part-1)
- [What Apple’s WWDC Passkeys Announcement Means for Enterprise IAM](https://blog.hypr.com/what-apples-wwdc-passkeys-announcement-means-for-enterprise-iam)
- [https://github.com/duo-labs/webauthn](https://github.com/duo-labs/webauthn)
- [WebAuthn.io: A demo of the WebAuthn specification](https://webauthn.io/)
- [What is WebAuthn? How to Authenticate Users Without a Password](https://www.freecodecamp.org/news/intro-to-webauthn/)
Looking Ahead: The Evolution of Secure Logins As more devices and browsers catch up, we might see setups that skip passwords entirely, relying solely on passkeys from the jump. But for now, this hybrid approach keeps things practical and secure. It's like training wheels on a bike—you need them at first to build confidence before zooming off freely. Got questions or want to share your experiences with passkeys? Drop a comment below!

Hey there, if you're into tech like I am, you might find this adventure intriguing. Let's dive into why I'm kicking off this structured path. What's Driving This Adventure? Picture this: over the coming four months, I'm diving headfirst into the world of backend and platform engineering, aiming to take on real SRE responsibilities. Forget about just stacking up certifications or breezing through online courses. This is all about rolling up my sleeves to assemble actual infrastructures, purposefully stressing them until they crack, and then pulling out those hard-earned insights that really make a difference in how I think. How This Path Stands Out from the Crowd Most educational routes out there emphasize crafting cool functionalities, right? But I'm zeroing in on the tougher side: mastering the art of keeping systems running smoothly. It's one thing to get your scripts humming on a local machine, but it's a whole different game ensuring everything holds up when facing real-world demands in a live setup. Rather than slapping together a basic app, I'm tackling how to manage it during breakdowns. Beyond coding, this means pushing deployments live, keeping an eye on performance metrics, and honing my skills in bouncing back from crashes. And instead of rote learning designs, I'm picking architectures on purpose, sticking with them through the ups and downs, and truly grasping what those decisions cost in the long run. Mapping Out the Roadmap I've divided this quest into four key stages, each one layering new skills onto the foundation of the last. Stage 1 (Weeks 1-4): Laying the Core of Services kicks off by developing a solid backend application, but with a sharp eye on defining clear interfaces and agreements right from the start. I'll weave in robust error management as a core element, not some last-minute fix. Plus, visibility tools will be baked in from day one—after all, managing something invisible is like navigating in the dark. Stage 2 (Weeks 5-8): Facing Real-World Operations ramps it up by launching that app into a genuine cloud setup, complete with actual expenses and authentic risks of downtime. Here, I'll introduce controlled disruptions to uncover weak spots and their ripple effects. It's about drilling response techniques for crises, so I build that instinctive cool-headedness when warnings start popping up. Stage 3 (Weeks 9-12): Adopting a Platform Mindset expands the view from isolated apps to building blocks that others can reuse. I'll set up specific goals for service performance and allocate allowances for errors, viewing dependability as a deliberate choice in design, not just a nice-to-have. This stage flips the script to think like a true platform pro: how can I streamline the process for fellow devs to create sturdy systems? Stage 4 (Weeks 13-16): Mastering the Art of Sharing Knowledge highlights that great engineering isn't complete without solid ways to convey it. I'll focus on producing clear docs and breakdowns, ensuring the technical side shines through in ways that resonate and inform.