WebAuthn Passkey Implementation Checklist Builder
Design a WebAuthn passkey rollout with registration flows, account recovery, device coverage, security controls, browser support, and QA test cases.
Prompt Template
You are a senior authentication engineer. Create a WebAuthn/passkey implementation checklist for:
Application type: [consumer app, B2B SaaS, marketplace, banking, healthcare, internal tool]
Stack: [frontend framework, backend language, auth provider, database, hosting]
Current auth methods: [email/password, magic link, SSO, OAuth, MFA, biometric login]
Passkey goal: [passwordless login, MFA step-up, phishing resistance, enterprise requirement]
User segments: [mobile-first, desktop, enterprise SSO, admins, high-risk users]
Devices/browsers to support: [iOS, Android, macOS, Windows, Chrome, Safari, Edge, Firefox]
Account recovery policy: [email recovery, support review, backup codes, admin reset, identity checks]
Security requirements: [resident keys, attestation, user verification, replay protection, rate limiting]
UX constraints: [progressive rollout, legacy users, shared devices, accessibility, localization]
Analytics/monitoring: [registration success, login failure, recovery rate, device mix, fraud signals]
Deliver:
1. Architecture overview and relying party configuration notes
2. Registration flow checklist with edge cases
3. Login/authentication flow checklist with fallback rules
4. Account recovery and lost-device decision tree
5. Database fields and credential lifecycle considerations
6. Security controls and abuse-prevention checks
7. Browser/device compatibility QA matrix
8. Analytics events and operational alerts
9. Rollout plan from beta to default-on
10. Common implementation mistakes to avoid
Example Output
Credential table fields: user_id, credential_id, public_key, sign_count, transports, backup_eligible, backup_state, created_at, last_used_at, revoked_at.
Recovery rule: if a user loses all passkeys, require verified email + existing MFA factor or admin-reviewed identity proof for high-risk accounts.
QA case: Safari iOS registration, Chrome desktop cross-device QR login, revoked credential replay attempt.
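As an added illustration of how the credential fields and the "revoked credential replay attempt" QA case above fit together (example code written here, not output of the prompt or any library), the following relying-party checks run against a stored credential row before the assertion signature is verified. It assumes the standard authenticatorData layout (rpIdHash, flags byte, 32-bit big-endian signCount) and uses constructed sample values.

```python
# Added example, not code from the prompt page: the relying-party checks an assertion must pass against
# the stored row before signature verification. Assumes authenticatorData = rpIdHash(32) | flags(1) | signCount(4).
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS = 0x01, 0x04, 0x08, 0x10  # authenticator data flag bits

@dataclass
class StoredCredential:          # fields from the example output above
    user_id: str
    credential_id: bytes
    public_key: bytes
    sign_count: int
    transports: list
    backup_eligible: bool
    backup_state: bool
    created_at: datetime
    last_used_at: Optional[datetime] = None
    revoked_at: Optional[datetime] = None

def sample_credential(sign_count=4, be=False, revoked=False) -> StoredCredential:  # constructed row, not real key material
    now = datetime.now(timezone.utc)
    return StoredCredential("u1", b"cid", b"pk", sign_count, ["internal"], be, be, now, None, now if revoked else None)

def make_auth_data(rp_id: str, flags: int, count: int) -> bytes:  # constructed authenticatorData, no extensions
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + count.to_bytes(4, "big")

def check_assertion(cred: StoredCredential, auth_data: bytes, rp_id: str, require_uv=True):
    """Lifecycle, binding and replay checks; verifying the signature with cred.public_key is a separate step."""
    if len(auth_data) < 37:
        return False, "auth_data_too_short"
    rp_hash, flags, count = auth_data[:32], auth_data[32], int.from_bytes(auth_data[33:37], "big")
    if cred.revoked_at is not None:
        return False, "credential_revoked"          # revoked keys never authenticate, even with a valid signature
    if rp_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rp_id_mismatch"              # assertion was produced for a different relying party
    if not flags & FLAG_UP:
        return False, "user_presence_missing"
    if require_uv and not flags & FLAG_UV:
        return False, "user_verification_missing"   # passwordless and step-up logins should demand UV
    be, bs = bool(flags & FLAG_BE), bool(flags & FLAG_BS)
    if be != cred.backup_eligible or (bs and not be):
        return False, "backup_flags_inconsistent"   # BE is fixed for a credential's lifetime; BS may change
    # Synced passkeys often report 0 forever, so only judge the counter when either side is non-zero;
    # a non-increasing counter then signals a cloned authenticator or a replayed assertion.
    if (count or cred.sign_count) and count <= cred.sign_count:
        return False, "counter_not_incremented"
    cred.sign_count, cred.backup_state, cred.last_used_at = count, bs, datetime.now(timezone.utc)
    return True, "ok"
```

A real deployment persists the updated sign_count, backup_state and last_used_at only after the signature check also passes, and routes a counter failure to the fraud-signal pipeline rather than silently denying.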
Tips for Best Results
- 💡Specify your auth provider because managed passkey features vary widely.
- 💡Include your recovery policy early; passkeys fail in production when recovery is an afterthought.
- 💡Ask the model to separate security requirements from UX recommendations if stakeholders need review.