Passkeys - A Passkey Playground

  • Published on 12 Jan 2025

Comments

  • @pauljohnsonbringbackdislik1469 10 months ago

    What's the point of registration/login without an email address? I like this playground overall, but I cannot see any use case for a passkey-only workflow. Is it implied that you would ask for an email in the step following registration (making it a 2-step process)?

    • @thepragmaticprogrammer 9 months ago +1

      The username/email address of the user creating the passkey is hardcoded in this playground, in the 'User' object of the createCredentialOptions (see it here th-cam.com/video/tumEVnhgWO4/w-d-xo.html). In the real world you would have your user log in as normal with username and password, then give an option to create a passkey; thus, when you create the passkey, you know all the info about the user. From then on the user can opt to log in using the passkey, and post-login your app would contain the same info about the logged-in user. Hope this makes sense.
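
What the reply above describes, as an added example (not code from the video, the playground or the commenter): the server fills the `user` entry of the creation options from the already authenticated session instead of hardcoding it. The session shape, the `pendingChallenge` field and all sample values are assumptions.

```javascript
// Added example: build WebAuthn creation options from the logged-in session.
// Web Crypto is a global in current Node; older Node exposes it via node:crypto.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const b64url = (bytes) => Buffer.from(bytes).toString('base64url');

// session: hypothetical server-side session object, e.g.
//   { user: { id: 'acct_7f3a91', email: 'alice@example.test', displayName: 'Alice' } }
// rp: relying party, e.g. { id: 'example.test', name: 'Example App' }
// existingCredentialIds: base64url ids of passkeys this account already holds
function buildCreateCredentialOptions(session, rp, existingCredentialIds = []) {
  // Passkey creation is only offered after a normal login has succeeded.
  if (!session || !session.user || !session.user.id) {
    throw new Error('passkey registration requires an authenticated session');
  }
  const { id, email, displayName } = session.user;

  // user.id is the user handle: an opaque account id (1..64 bytes), not the email.
  const handle = Buffer.from(String(id), 'utf8');
  if (handle.length > 64) {
    throw new Error('user handle must be at most 64 bytes');
  }

  // Fresh random challenge per ceremony, kept server-side so it can be compared
  // with clientDataJSON when the registration response comes back.
  const challenge = b64url(webcrypto.getRandomValues(new Uint8Array(32)));
  session.pendingChallenge = challenge;

  return {
    challenge,
    rp: { id: rp.id, name: rp.name },
    user: { id: b64url(handle), name: email, displayName: displayName || email },
    pubKeyCredParams: [
      { type: 'public-key', alg: -7 },   // ES256
      { type: 'public-key', alg: -257 }, // RS256
    ],
    // Stops the same authenticator from registering twice for this account.
    excludeCredentials: existingCredentialIds.map((credId) => ({ type: 'public-key', id: credId })),
    authenticatorSelection: { residentKey: 'required', userVerification: 'preferred' },
    attestation: 'none',
    timeout: 60000,
  };
}
```

The browser has to decode `challenge`, `user.id` and the credential ids from base64url into ArrayBuffers before passing the options to `navigator.credentials.create()`.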

  • @StijnHommes 1 year ago +1

    If you are willing to waste 35 minutes on a passkey video (which probably took even longer to shoot and edit), you are already beyond saving.
    You started off with the question "What do we need to implement passkey authentication?", which completely ignores the fact you don't need to implement passkeys in the first place.
    If you were truly pragmatic you'd focus on reality and proper password implementation instead of time-wasting passkey propaganda.

    • @thepragmaticprogrammer 1 year ago

      Thanks for the feedback. Can you justify your opinion and share which authentication method you are proposing as an alternative, and what your issue is with passkeys?

    • @pauljohnsonbringbackdislik1469 10 months ago

      I am glad to see how much unnecessary code it requires (on top of choosing a serverless function as the authentication backend and managing CORS manually... yuck). It just proves to me that I made a good choice by setting up authentication with Node.js and Passport. I have passwordless login + as many OAuth options as I need. It truly looks like a weird cult when I hear "passkeys are the future", while from the looks of it - they are just a risky bet on a poor relative of MFA. Just imagine all these poor souls that have ditched passwords and "feel" secure because their phone asks for biometrics. Hackers will just harvest their private keys just like they sniffed for regular passwords. Yubikeys and/or MFA - I get their benefits. But passkeys? Sadly, I don't think I'm going to use, recommend or implement them anywhere.