engineering by snakken
Field Note 2026-04-28 · 2 min read

Passkeys only: no passwords to leak

Snakken ships without a password field. Field notes from building passkey-only authentication for a mobile app — what got easier, what got harder, and why "we can't leak what we don't have" is worth the support cases.

Snakken has no passwords. Not "passkeys preferred", not "passwordless available in settings" — there is no password column, no reset flow, no complexity meter. You sign up with a passkey or you don't sign up. Some short field notes from building that, while the app makes its way to the stores.

What got easier

An entire threat catalogue evaporates: credential stuffing, password reuse, phishing pages that harvest logins, the breach disclosure where you explain your hashing parameters. Our auth server stores public keys; the corresponding secrets live in the secure hardware of the user's own device.

"We can't leak what we don't have" is the rare security property you can explain in one sentence at a kitchen table — fitting, for a neighbourhood app.

What got harder

Recovery is the honest cost. With passwords, account recovery is an email link; with device-bound credentials, losing the device can mean losing the account, and the recovery story has to be designed before launch, not patched after the first support ticket.

Platform sync (iCloud Keychain, Google Password Manager) softens this for most people, most of the time — but "most" is doing real work in that sentence, and the edge cases are exactly the people angriest at you.

The mobile wrinkle

WebAuthn was born in the browser; our users live in a native app. The flow runs through the system browser against our identity provider rather than a WebView — WebViews and platform authenticators are a famously unhappy pair — and the redirect back into the app has to survive every flavor of app-switching the OS can think of.

Budget more time for this than for the cryptography, which you should not be writing anyway.

A note on minimums

Passkeys also quietly improved our data minimisation: no password means no "security questions", no password hints, no last-changed timestamps. The authentication table is close to the theoretical minimum of what a login system must know about a person.

Red team and dev team agree on this one, which does not happen every week.
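What the server actually holds, and what it checks at login, as an added worked example that is my code, not Snakken's: a Go sketch in which StoredCredential is the entire per-passkey record (the "theoretical minimum" of this note: a credential id, a public key and a signature counter), a simulated Device keeps the private key, and VerifyAssertion does the server-side work behind the "What got easier" section, checking that the assertion was signed by the stored public key over the server's one-time challenge, for our origin and relying-party id, with user presence asserted and a counter that has moved forward. The relying-party id snakken.example, the origin and the challenge strings are constructed placeholders, and a real server issues a fresh random challenge per login attempt; the authenticatorData and clientDataJSON layout follows the WebAuthn assertion format, which the original post does not spell out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

const (
	rpID           = "snakken.example"         // hypothetical relying-party id
	expectedOrigin = "https://snakken.example" // hypothetical origin served by our identity provider
	flagUP         = 0x01                      // authenticatorData flag: user present
)

var rpIDHash = sha256.Sum256([]byte(rpID)) // first 32 bytes of every authenticatorData
// StoredCredential is the whole per-passkey record the server keeps: no secret material.
type StoredCredential struct {
	CredentialID []byte
	PublicKeyDER []byte // SubjectPublicKeyInfo (DER) of the ES256 public key
	SignCount    uint32 // last signature counter seen, for clone detection
}
type clientData struct { // the clientDataJSON fields the server must check
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// signedDigest is SHA-256 over authenticatorData || SHA-256(clientDataJSON), the ES256 input.
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}
// VerifyAssertion checks one authentication assertion against the stored public key and
// returns the new signature counter. challenge is the one-time value the server issued.
func VerifyAssertion(cred *StoredCredential, challenge string, authData, clientDataJSON, sig []byte) (uint32, error) {
	var cd clientData
	if json.Unmarshal(clientDataJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return 0, errors.New("malformed clientDataJSON, wrong ceremony type, or stale/replayed challenge")
	}
	if cd.Origin != expectedOrigin {
		return 0, errors.New("origin mismatch: assertion was made for another site")
	}
	if len(authData) < 37 || string(authData[:32]) != string(rpIDHash[:]) {
		return 0, errors.New("authenticatorData malformed or rpIdHash mismatch")
	}
	if authData[32]&flagUP == 0 {
		return 0, errors.New("user presence flag not set")
	}
	count := binary.BigEndian.Uint32(authData[33:37])
	if (count != 0 || cred.SignCount != 0) && count <= cred.SignCount {
		return 0, errors.New("signature counter did not increase: possible cloned authenticator")
	}
	pub, err := x509.ParsePKIXPublicKey(cred.PublicKeyDER)
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if err != nil || !ok || !ecdsa.VerifyASN1(ecPub, signedDigest(authData, clientDataJSON), sig) {
		return 0, errors.New("signature invalid for the stored public key")
	}
	return count, nil
}

// Device stands in for the user's authenticator; the private key never leaves it.
type Device struct {
	priv  *ecdsa.PrivateKey
	count uint32
}

// NewDevice creates a passkey and returns the public record the server stores at registration.
func NewDevice() (*Device, *StoredCredential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return &Device{priv: priv}, &StoredCredential{CredentialID: []byte("cred-1"), PublicKeyDER: der}, err
}

// Assert builds what navigator.credentials.get returns, for the origin the authenticator was invoked on.
func (d *Device) Assert(challenge, origin string) (authData, clientDataJSON, sig []byte, err error) {
	d.count++
	authData = binary.BigEndian.AppendUint32(append(rpIDHash[:], flagUP), d.count)
	clientDataJSON, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	sig, err = ecdsa.SignASN1(rand.Reader, d.priv, signedDigest(authData, clientDataJSON))
	return
}

func main() {
	dev, cred, _ := NewDevice()
	challenge := "constructed-challenge-1" // a real server issues a fresh random value per attempt
	ad, cdj, sig, _ := dev.Assert(challenge, expectedOrigin)
	_, err := VerifyAssertion(cred, challenge, ad, cdj, sig)
	fmt.Println("genuine login accepted:", err == nil)
}
```

Run with `go run`: the genuine assertion is accepted, while the same assertion replayed, one produced for a look-alike origin, or one whose challenge the server never issued is rejected by VerifyAssertion without touching the key. The origin check is what makes the phishing-page threat evaporate: the authenticator signs the origin it was actually invoked on, so a credential captured on another site cannot be replayed here. And the StoredCredential record can be dumped in full by an attacker and still gives them nothing to log in with, which is the mechanical form of "we can't leak what we don't have".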

// Published under CC BY 4.0 — take the patterns, cite the source.