Should we force passkeys?
Recommendation
No. Introduce progressive opt-in first.
Context
Passkeys offer clear phishing-resistance and usability gains, and it's tempting to mandate them at signup to accelerate adoption and simplify the login surface.
Options considered
- Force passkey enrollment at signup
  Require every new account to register a passkey before completing signup, with no password fallback offered.
- Progressive opt-in
  Offer passkey enrollment at high-motivation moments (post-login, post-recovery, account settings) while keeping existing methods fully available.
- No passkey support
  Do not invest in passkeys yet; wait for broader ecosystem and member-device maturity.
Rationale
Forcing enrollment at signup, before any trust is established, produces high abandonment, and permanently locks out members on unsupported devices or shared browsers. Progressive opt-in captures the same long-term adoption without the drop-off, and matches how Google and Apple introduce passkeys today (see [Benchmarks](/benchmarks)).
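To make the two options concrete, the sketch below models both enrollment policies as server-side decision functions. It is an added example, not code from this project: the Device capability flags are assumed to be reported by the client after WebAuthn feature detection, the Event names, the MAX_DECLINES cooldown and the "password" / "passkey" method labels are hypothetical, and the itsme/CSAM paths are simply further entries in a member's method set.

```python
"""Enrollment policy sketch: forced-at-signup vs progressive opt-in.

Added example (not the project's code). Device capability flags are
assumed to be reported by the client after WebAuthn feature detection
(e.g. PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()).
"""
from dataclasses import dataclass, field
from enum import Enum


class Event(str, Enum):
    SIGNUP = "signup"
    POST_LOGIN = "post_login"
    POST_RECOVERY = "post_recovery"
    SETTINGS = "account_settings"


# The high-motivation moments named in the progressive opt-in option.
HIGH_MOTIVATION = frozenset({Event.POST_LOGIN, Event.POST_RECOVERY, Event.SETTINGS})
# Assumed: stop re-prompting after this many declines (hypothetical value).
MAX_DECLINES = 3


@dataclass
class Device:
    webauthn_supported: bool          # assumed client-reported capability
    platform_authenticator: bool      # assumed client-reported capability


@dataclass
class Member:
    member_id: str
    # Existing methods stay in this set; itsme/CSAM would be further entries.
    methods: set[str] = field(default_factory=lambda: {"password"})
    prompts_declined: int = 0

    @property
    def has_passkey(self) -> bool:
        return "passkey" in self.methods


def forced_signup(member: Member, device: Device) -> str:
    """Option 1: signup completes only once a passkey exists, no fallback.

    A member whose device cannot create a passkey never gets an account;
    a member who can is left with passkey as the only method.
    """
    if not (device.webauthn_supported and device.platform_authenticator):
        return "abandoned"
    member.methods = {"passkey"}
    return "complete"


def progressive_decision(member: Member, device: Device, event: Event) -> str:
    """Option 2: decide whether to *offer* enrollment at this event."""
    if member.has_passkey:
        return "skip:already_enrolled"
    if event not in HIGH_MOTIVATION:
        return "skip:low_motivation"      # e.g. SIGNUP: no trust established yet
    if not (device.webauthn_supported and device.platform_authenticator):
        return "skip:unsupported_device"  # member keeps using existing methods
    if member.prompts_declined >= MAX_DECLINES:
        return "skip:cooldown"
    return "offer"


def progressive_enroll(member: Member, device: Device, event: Event, accepted: bool) -> str:
    """Apply the offer; existing methods are kept either way."""
    decision = progressive_decision(member, device, event)
    if decision != "offer":
        return decision
    if not accepted:
        # A member on a shared browser simply declines and keeps password/itsme.
        member.prompts_declined += 1
        return "declined"
    member.methods.add("passkey")
    return "enrolled"


if __name__ == "__main__":
    # Constructed walk-through: same member, same device, two policies.
    supported = Device(webauthn_supported=True, platform_authenticator=True)
    unsupported = Device(webauthn_supported=False, platform_authenticator=False)
    print("forced, unsupported device:", forced_signup(Member("m1"), unsupported))
    m = Member("m2")
    print("progressive at signup:", progressive_decision(m, supported, Event.SIGNUP))
    print("progressive post-login:", progressive_enroll(m, supported, Event.POST_LOGIN, accepted=True))
    print("methods afterwards:", sorted(m.methods))
```

The point the two functions make visible: forced_signup has exactly one exit for an unsupported device, and it is the abandoned account, whereas progressive_decision turns the same condition into a skip and leaves the member logged in with the methods they already have. The cooldown counter is what keeps "high-motivation moments" from degrading into nagging.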
Risks
- Slower passkey adoption curve than a forced rollout.
- Requires maintaining password and itsme/CSAM paths in parallel for longer.