LoginOS
ADR-002 Accepted

When should we propose passkey enrollment?

Recommendation

After successful login, after successful recovery, and in account settings.

Context

Following ADR-001's decision against forced enrollment, we need specific, well-timed moments to offer passkeys so adoption still grows meaningfully over time.

Options considered

  • Prompt at signup only

    Show the enrollment prompt once, during initial account creation.

  • Prompt at three trust moments

    Surface enrollment after successful login, after successful recovery, and as a persistent option in account settings.

  • Passive settings-only

    Only make passkey enrollment available in account settings, with no active prompting.

Rationale

Each of the three chosen moments corresponds to a point where the member already trusts the product and has a concrete reason to act: login confirms the product works, recovery highlights the exact pain passkeys solve, and settings serves members who want control on their own schedule. This is detailed in [Progressive passkey enrollment](/patterns/progressive-passkey-enrollment) and [Recovery as passkey trigger](/patterns/recovery-as-passkey-trigger).

Risks

  • Over-prompting could feel repetitive if frequency isn't capped per session.
  • Members without biometric-capable devices will see the prompt but can't act on it — copy must handle this gracefully.
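
One way to gate the prompt at the three moments while honoring both risks above, as an added example that is not LoginOS code: the trigger names, the per-session cap of 1, the `session` shape and the copy variant names are assumptions made for illustration.

```javascript
// Added example: gating logic for the three enrollment moments in this ADR.
// Trigger names, MAX_PROMPTS_PER_SESSION and copy variants are assumptions.
const ACTIVE_TRIGGERS = new Set(["post_login", "post_recovery"]);
const MAX_PROMPTS_PER_SESSION = 1; // assumed value; the ADR only says frequency must be capped

// Uses the standard WebAuthn capability check; resolves false where the API is missing.
async function detectPlatformAuthenticator(env = globalThis) {
  const pkc = env.PublicKeyCredential;
  if (!pkc || typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable !== "function") {
    return false;
  }
  try {
    return await pkc.isUserVerifyingPlatformAuthenticatorAvailable();
  } catch {
    return false; // treat a failed check as "unsupported" rather than breaking the flow
  }
}

// The caller must fire a trigger only after the server has confirmed that the
// login or recovery succeeded. session is { promptsShown: number } and is
// mutated when an active prompt is counted against the cap.
function decideEnrollmentOffer({ trigger, hasPasskey, platformAuthenticator, session }) {
  if (hasPasskey) return { show: false, reason: "already_enrolled" };

  // Members on unsupported devices still see the offer, with copy that says so.
  const copy = platformAuthenticator ? "enroll" : "device_unsupported";

  if (trigger === "settings") {
    // Persistent, member-initiated entry point: never counted against the cap.
    return { show: true, reason: "settings_entry", copy };
  }
  if (!ACTIVE_TRIGGERS.has(trigger)) {
    return { show: false, reason: "not_a_trust_moment" }; // e.g. signup
  }
  if (session.promptsShown >= MAX_PROMPTS_PER_SESSION) {
    return { show: false, reason: "session_cap_reached" };
  }
  session.promptsShown += 1;
  return { show: true, reason: trigger, copy };
}
```

In the browser, pass the resolved value of `detectPlatformAuthenticator()` as `platformAuthenticator`.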