Passkeys: How They Work, from Protocol to Production (.NET 10 + Cosmos DB)

April 06, 2026

Everybody says the same thing about passkeys: passwords are dead, use passkeys, done. Great. But nobody tells you what's actually happening between the browser, the device, and your server. The concept is easy. The mechanics are a fog.

So here's the one idea worth holding onto: no shared secret ever crosses the wire. When you register, your device makes a key pair and keeps the private key to itself. The server only ever sees the public key. Signing in is just a fresh challenge that your device signs with that private key. That's why passkeys are phishing-resistant and breach-proof — there's nothing on the server worth stealing.
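
The register-then-sign-a-challenge flow above, as a simplified C# model added here for illustration; it is not code from the video or from ASP.NET Core Identity, and it does not reproduce the WebAuthn message format. It assumes the signature also covers the origin the browser reports (how WebAuthn ties a response to one site), and the origins and helper names are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Simplified model of the ceremony; not the WebAuthn wire format or Identity code.
// ExpectedOrigin, OtherOrigin and all helper names are constructed for this example.
const string ExpectedOrigin = "https://app.example";

// Registration: the device creates the key pair and exports only the public half.
using var device = ECDsa.Create(ECCurve.NamedCurves.nistP256);
byte[] storedPublicKey = device.ExportSubjectPublicKeyInfo(); // all the server stores

var outstanding = new HashSet<string>(); // challenges issued and not yet consumed

// 1. A normal sign-in, then the same signed response presented a second time.
byte[] first = IssueChallenge();
byte[] response = DeviceSign(first, ExpectedOrigin);
Console.WriteLine($"fresh challenge, expected origin: {ServerVerify(first, ExpectedOrigin, response)}");
Console.WriteLine($"same response presented again:    {ServerVerify(first, ExpectedOrigin, response)}");

// 2. The browser reports an origin other than the one the server expects.
byte[] second = IssueChallenge();
const string OtherOrigin = "https://app.example.login.test";
Console.WriteLine($"response signed for other origin: {ServerVerify(second, OtherOrigin, DeviceSign(second, OtherOrigin))}");

byte[] IssueChallenge()
{
    byte[] nonce = RandomNumberGenerator.GetBytes(32);
    outstanding.Add(Convert.ToBase64String(nonce));
    return nonce;
}

// Device side: the signature covers the challenge and the origin the browser reports.
byte[] DeviceSign(byte[] nonce, string origin) =>
    device.SignData(Payload(nonce, origin), HashAlgorithmName.SHA256);

// Server side: single-use challenge, expected origin, then the signature itself.
bool ServerVerify(byte[] nonce, string reportedOrigin, byte[] signature)
{
    if (!outstanding.Remove(Convert.ToBase64String(nonce))) return false; // unknown or reused
    if (reportedOrigin != ExpectedOrigin) return false;                   // made for another site
    using var publicKey = ECDsa.Create();
    publicKey.ImportSubjectPublicKeyInfo(storedPublicKey, out _);
    return publicKey.VerifyData(Payload(nonce, reportedOrigin), signature, HashAlgorithmName.SHA256);
}

static byte[] Payload(byte[] nonce, string origin) =>
    nonce.Concat(Encoding.UTF8.GetBytes(origin)).ToArray();
```

The server-side state is only `storedPublicKey` and the set of outstanding challenges; neither can be used to produce a valid response.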

The nice surprise is that .NET 10 bakes this into ASP.NET Core Identity. No Fido2NetLib, no external library. Four SignInManager methods handle the entire ceremony, and your storage layer just saves and retrieves credentials.

I also walk through swapping SQL Server for Cosmos DB — embedding passkeys in the user document instead of a separate table.

The full layer-by-layer walkthrough is in the video.