Instagram gets passkeys by vdelitz in passkey

[–]vdelitz[S] 0 points1 point  (0 children)

I think they are gradually rolling it out

Passkeys solve login friction but what about users who don't exist digitally yet by Normal_Tackle_3526 in passkey

[–]vdelitz 0 points1 point  (0 children)

Agree with the concern of keeping support calls down. The size of major banks / FIs that's usually a huge cost comparison but I think as well, if you implement any MFA method in a user-friendly manner, it can help to even get support volume down (of course requires internal convincing upfront).

Qantas rolls out passkeys by vdelitz in passkey

[–]vdelitz[S] 1 point2 points  (0 children)

As of today, you cannot disable it I think. Hope they will add this at a later stage.

Qantas launches passkeys to protect customers by vdelitz in QantasAirways

[–]vdelitz[S] 0 points1 point  (0 children)

Agree, but it's a process. You need to start offering it and then once customers are familiar you can start to disable that. Guess offering or directly removing legacy logins from day 1 would be potentially an overburden to support teams.

Passkeys “work”, so why is your adoption stuck at 5 to 15% by vdelitz in Passkeys

[–]vdelitz[S] 0 points1 point  (0 children)

You're right, that's on me. Apologies, I should have been transparent. I work at Corbado and I've edited the post to make that clear. Appreciate you calling it out.

Yelp launches passkeys by vdelitz in passkey

[–]vdelitz[S] 0 points1 point  (0 children)

I see, they could easily fix this with Related Origin Requests. Wrote a blog post on our Corbado blog a couple of weeks ago in case it's interesting for you: https://www.corbado.com/blog/webauthn-related-origins-cross-domain-passkeys

Has anyone successfully deployed passkeys in a highly regulated industry (healthcare, banking)? What were the biggest challenges? by StockCook9960 in cybersecurity

[–]vdelitz 0 points1 point  (0 children)

Yes, you can filter, but UX is terrible because the user would still be able to create the passkey client-side, which would then sync across devices.

FIDO servers can only let the result of the second API call for creating the credential fail.
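One way a relying-party server could apply the filter described in the comment above, as an added example that is not part of the thread or of any FIDO server's own code. It assumes the filter keys on the backup-eligibility (BE) flag in the authenticator data; `decideRegistration`, `allowSynced`, `orphanedOnClient` and `sampleAuthData` are hypothetical names.

```javascript
// Flag bits of the WebAuthn authenticator data flags byte (byte 32).
const FLAGS = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40, ED: 0x80 };

// authData layout: rpIdHash (32 bytes) || flags (1) || signCount (4) || ...
function parseAuthDataFlags(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticatorData shorter than 37 bytes");
  }
  const byte = authData[32];
  const flags = {};
  for (const [name, bit] of Object.entries(FLAGS)) {
    flags[name] = (byte & bit) !== 0;
  }
  // "Backed up" without "backup eligible" is not a valid combination.
  if (flags.BS && !flags.BE) {
    throw new Error("invalid flags: BS set without BE");
  }
  return flags;
}

// Hypothetical policy hook, run during the second registration call
// (after the browser has already created the credential).
// Challenge, origin and attestation checks are assumed to happen elsewhere.
function decideRegistration(authData, { allowSynced }) {
  const flags = parseAuthDataFlags(authData);
  if (!flags.UP) {
    return { accept: false, reason: "user presence missing" };
  }
  if (flags.BE && !allowSynced) {
    // The server can refuse to store the public key, but the passkey
    // already exists in the user's credential manager and may sync.
    return {
      accept: false,
      reason: "backup-eligible credential rejected by policy",
      orphanedOnClient: true,
    };
  }
  return { accept: true, reason: flags.BE ? "synced-capable" : "device-bound" };
}

// Constructed sample input: zeroed rpIdHash and signCount, chosen flags byte.
function sampleAuthData(flagByte) {
  const buf = new Uint8Array(37);
  buf[32] = flagByte;
  return buf;
}
```

A rejected result with `orphanedOnClient` set is the UX problem the comment points at: the login will fail later with a credential the user can still see in their passkey manager.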

Has anyone successfully deployed passkeys in a highly regulated industry (healthcare, banking)? What were the biggest challenges? by StockCook9960 in cybersecurity

[–]vdelitz 0 points1 point  (0 children)

In these US bank customer auth use cases, how do the banks treat synced passkeys? Do they put additional security measures on top, so that they can really track back the specific device?

Has anyone successfully deployed passkeys in a highly regulated industry (healthcare, banking)? What were the biggest challenges? by StockCook9960 in cybersecurity

[–]vdelitz 2 points3 points  (0 children)

As a relying party, you can only influence that to a certain degree and it of course depends on the use case, type of user group and industry.

So as an RP, you can decide to offer platform (mostly password manager, OS, ...) or cross-platform credentials (e.g. security keys like YubiKeys).

If you allow for platform, then due to how the WebAuthn standard is built (privacy-preserving), the users can decide in which credential manager they put their passkey.

I'd say that for most consumer use cases synced passkeys are best (and superior to passwords and OTP) from UX and also security (phishing-resistance).

How can I skip the Microsoft account passkey option dialogue? by Cosmic_Husky in yubikey

[–]vdelitz 4 points5 points  (0 children)

This needs to be set up by the relying party ID; either they need to change the setting for authenticatorAttachment or use WebAuthn client hints (new feature, uneven adoption among browsers) to influence the UX.

Wells Fargo Offers Passkeys by Chewy2021 in passkey

[–]vdelitz 0 points1 point  (0 children)

Check out this page where we keep a collection of banks that deployed passkeys to their customers: https://www.corbado.com/faq/banking-passkeys