I’ve been a fan of passkeys ever since I first heard about them. I use them all over the place and have tried to bring it to Visualizer at least 2 times before. But every time I got stuck on some technicality or weird edge case, so I’ve always given up mid-way.

Then at Rails World 2025 I saw a talk by Jason Meller from 1Password. In it, he presented several different phishing attacks that are going on nowadays, including one that got Troy Hunt. If you don’t know who Troy Hunt is - he runs the website Have I Been Pwned. And if that guy can get phished, none of us are safe.

With the advent of AI tools, these attacks will become even more common, even more sophisticated, and, crucially, even easier to do at an ever larger scale. And the only way to protect against these kind of attacks is to use a phishing resistant authentication method. And the only 2 methods that work like this are: email magic links, and passkeys.

Personally I dislike magic links because they force me to leave the website and open my email client. Not to mention they’re near impossible to do on a device where you don’t have your email client. Or that sometimes email just takes it’s time. Or that sometimes it goes to spam or is blocked by some filter somewhere because reasons.

So, back to passkeys. At the talk I learned that since March 2025 all major browsers have native support, so implementing the frontend no longer requires a dependency. Because of that, the JavaScript code can be super simple and even somewhat understandable. And it works in all browsers, and all password manager extensions I tried. Except, somewhat ironically… 1Password. 🙈

They have an open issue for it for quite a while, and there’s a great technical deep dive that I found while searching for a fix. But basically they don’t implement toJSON method, which is why I had to build it by myself.

If you go to edit your profile you’ll now see a new section on the left where you can register passkeys. You can register as many as you want.

The next time you go to log in, or when you’re on a new device, you’ll automatically be prompted to provide a passkey. As soon as you do, and assuming it is registered and valid, you’re logged in instantly. No email, no password, no nothing. You can’t even make instant coffee that fast. 🫳🎤

Besides this, there were only smaller changes since the last update. The only visual being a new title font. I discovered Cormorant somewhat by accident and immediately loved it, so it was only natural to use it here. 😅

Enjoy your weekend, and let me know how passkeys are working for you! 🤝