The idea of building your own passkey implementation sounds appealing: full control, custom integrations and no vendor lock-in. After all, FIDO2 is based on open standards and writing the first lines of WebAuthn code seems easy enough. How hard can it really be?

But this is often where the complexity starts, especially when you plan to build a solution for a large-scale consumer deployment scenario with millions of users in an industry such as:

• Banking & Financial Services (e.g. online, banking, payments, fintech)
• Government & Public Services (e.g. citizen portals, tax & social security platforms
• Insurance & Healthcare (e.g. patient portals, digital insurance platforms)
• E-commerce & Retail (e.g. marketplaces, loyalty programs)
• Telecom & Utilities (e.g. mobile carriers, energy providers)
• Travel & Hospitality (e.g. airline accounts, hotel loyalty programs)

The real challenge begins beyond the first successful passkey login and often just unveils while you are already implementing your passkeys solution. Suddenly things like odd edge cases, confusing user errors and potential user lock-outs due to non-availability of passkeys appear. What seemed like a straightforward integration turns into months or even years of development effort, unexpected maintenance costs and a potentially failed passkey project.

However, building your own solution can also be the right choice for certain organizations and specific requirements. We’ve talked to dozens of organizations about their passkey implementation plans and accompanied some on their journey hands-on. This guide will help you determine when a Do-It-Yourself (DIY) passkey approach might make sense and when choosing an established passkey provider is the smarter decision.

With our Buy vs. Build Passkey Guide, we want to answer the following questions:

1. What components are needed to implement passkeys and go passwordless?
2. Should I implement passkeys in-house or use an external passkey vendor?
3. What is the benefit of having a passkey vendor when there are open-source libraries?
4. What are the biggest challenges in building a passkey solution?
5. What are the risks of implementing passkeys in-house?

Passwords are outdated, insecure and frustrating. Passkeys eliminate phishing risks, improve user experience and simplify authentication - making them the news standard of secure logins. Whether you build in-house or use an external solution, integrating passkeys is a major upgrade for security and usability.

Google found that leading with the ease of use story or the speed story resonates and works. People generally grumble about signing in, so anything that makes the process easier and faster is a win.

On top of these security benefits, there’s huge potential for operational cost savings with passkeys. You can reduce the number of SMS OTPs sent to users that can stack up massively for large user bases. Moreover, the burden password and MFA recoveries put on your customer support teams is also a cost factor that can be eliminated.

Aside, passkeys improve the login success rates and login times for users, ultimately resulting in better conversion rates, which is a major driver for top line growth in industries like e-commerce, retail or travel.

The end goal for many organizations considering the introduction of passkeys is to go fully passwordless. To reach this goal, there are typically four phases that need to be completed. The speed at which these phases progress depends largely on the organization's technical capabilities, login patterns and user base. In some cases, external factors such as public pressure to introduce more secure authentication or financial constraints may also play a role.

Let’s go through these four phases and describe them, as implementing passkeys is only one step in ensuring the success of a passkey project.

The first step in the transition to a fully passwordless system is to integrate passkeys as a login method. At this stage, passwords and other authentication methods remain in place as fallbacks to ensure users can still access their accounts if they haven’t yet adopted passkeys. Successful integration requires seamless compatibility with existing login flows and security policies. Organizations should focus on making passkey creation straightforward, ensuring that both technical and non-technical users can adopt the new authentication method without friction.

Once passkeys are integrated, the next challenge is driving user adoption of passkeys. Many organizations underestimate the importance of this phase, but without widespread user adoption, a passkey project is likely to fail. The goal is to encourage as many users as possible to create and use passkeys, ideally making them the default login method.

Key tactics for increasing adoption include proactive user education, UI nudges that promote passkey creation and incentive programs that reward users for switching. Organizations should set a critical adoption threshold, such as 50-80% of active users utilizing passkeys, before progressing to the next phase. For a deeper understanding of why adoption is crucial, refer to our dedicated article on how poor adoption rates can jeopardize your passkey project.

As passkey adoption reaches a critical mass, organizations can begin phasing out passwords. However, removing passwords too early or without careful planning can lead to usability issues and increased support requests. A phased approach is recommended:

• Start by removing passwords from accounts where users consistently authenticate with passkeys.
• Offer password removal as an option in account settings for early adopters.
• Use data-driven insights to identify users who are ready to go fully passwordless. For example, users with multiple passkeys registered across different devices can be prioritized for password removal.
• Proactively communicate the benefits of password removal to build user confidence.

By strategically guiding users toward full passwordless authentication, organizations can maximize security without disrupting the user experience.

Once passwords are removed, account recovery mechanisms must be robust and secure. Traditional recovery methods often rely on manual interventions, such as support tickets or email resets, which can introduce security risks and operational costs. Organizations must implement modern, self-service account recovery solutions that maintain security while improving user experience.

Key elements of automated account recovery include:

• Liveness checks: Prevent unauthorized account takeovers by ensuring the user is physically present.
• ID verification: Leverage government-issued IDs and biometric verification to confirm identity.
• Fallback passkeys: Allow users to recover accounts using backup passkeys stored on other devices of them.

Many organizations already invest in automated recovery processes independently of their passwordless transition to reduce costs and enhance usability. However, in a passkey-driven ecosystem, these mechanisms become even more critical to maintaining security and reducing friction.

Based on these four phases, we will now try to help you evaluate the buy vs. build decision. Thus, it’s very important for the long-term success of your passkey project to have all phases in mind and not just integrate passkeys (this can still be an objective but then you leave the full potential of passkeys unused).

Choosing between a DIY and external passkey solution depends on your company’s technical resources, security priorities, size of deployment and long-term passkey strategy. In the next section, we’ll break down the key aspects to help you make the best decision.

The following table shows different evaluation criteria that you need to assess. Based on the statement that you lean more toward, different number of points are provided.

How to use the evaluation matrix:

For each criterion, choose whether your company needs a simpler or more elaborated solution.

• Assign 1 point for each answer where the complexity in your case is lowest and lights more the with the description on the left.
• Assign 5 points for each category where your answer aligns more with the highest complexity description on the right.
• If you're unsure, use 3 points as a neutral option.

Download the full Buy vs Build Passkey guide for free and get access to all the evaluation criteria.

When deciding whether to build or buy a passkey solution, it’s important to look at the entire process, not just a single phase of passkey rollout. Even if your near-term priority is to offer passkeys as an MVP, you should anticipate the longer-term implications especially driving adoption. Below is how we recommend using this guide and interpreting your results, with an emphasis on why adoption matters more than almost any other factor.

No matter how advanced your passkey solution is, if users don’t adopt it by creating passkeys and using passkeys for login, the entire project is at risk. In our experience, organizations often underestimate the effort needed to move users away from passwords. Even if you implement passkeys seamlessly at a technical level, low adoption will lead to:

• Persistent reliance on passwords, negating the security benefits of passkeys.
• Minimal ROI, as the cost savings (fewer password resets, reduced SMS OTPs) hinge on significant passkey usage for login.
• Fractured user experience, if most sign-ins still happen via traditional methods and only a small subset uses passkeys.

High adoption sometimes 50% or even +80% of your user base is typically required before you can make meaningful strides toward reducing or removing passwords altogether. Organizations like Google and Amazon set explicit adoption targets and systematically run A/B tests, user education campaigns and UI nudges to ensure passkeys are widely embraced. This concentrated effort on adoption is not optional; it’s what transforms your passkey rollout from a feature into a tangible competitive advantage.

This guide is designed to help you make informed decisions about passkey implementations at every stage of the journey:

1. Phase 1 (Integrate Passkeys): If you’re simply considering whether to adopt passkeys and how to integrate them, focus on the Build vs. Buy criteria for passkey integration.
2. Phase 2 (Increase Adoption): If you want passkeys to be more than a feature, plan early to drive user adoption - even for an MVP as it requires additional technology investment often substantially more than the initial implementation.
3. Phase 3 (Remove Passwords): If eliminating passwords is a longer-term strategic goal, ensure your architecture and user flows are designed with that eventual step in mind.
4. Phase 4 (Automate Account Recovery): Even if you’re not ready to go fully passwordless today, be sure your passkey approach can evolve to robust, seamless recovery to avoid future roadblocks.

Of these, Phase 2 (Increase Adoption) is the most important. You can evaluate each section separately, but keep in mind that your long-term success and ROI often hinge on how seriously you take adoption from the outset.

If you’re at the early stage of deciding to implement passkeys, begin with the first section of the evaluation matrix (passkey integration) and fill it out with management, IT, product owners, and other key decision-makers. Ask yourselves:

1. What is our desired passkey login rate? Is 5% enough to prove feasibility or do we need 50–80% before we consider passkeys a success?
2. Do we have budget and executive buy-in to run A/B-tests over months, run optimization campaigns, create educational materials and refine user flows continuously so that users understand and want to switch to passkeys? Is enough engineering capacity available to implement all necessary reporting, analytics and tests? Can we release frequently enough to achieve those goals?
3. What’s the long-term vision? Are we aiming for password removal or just providing an alternative?

Answering these questions upfront ensures your passkey project doesn’t become a dead-end. Organizations that fail to plan for adoption often find themselves stuck with passwords for years to come, undercutting the entire security and user experience strategy.

Throughout the matrix, each evaluation criterion can land you anywhere from lowest complexity (1) to highest complexity (5). The more of your answers that shift to and beyond the neutral zone (3), the stronger the case for using a specialized passkey vendor:

• High complexity requirements - such as advanced fallback methods, strict compliance, deep analytics and multi-device UX - multiply your engineering and maintenance burden.
• Strong emphasis on adoption - achieving high passkey adoption quickly or removing passwords typically requires well-tested user flows, detailed telemetry, and structured nudges.

These factors can overwhelm in-house teams, both technically and organizationally. A managed passkey solution can often deliver proven best practices, quick updates, and real-world expertise to ramp up adoption much faster than a DIY approach.

As a passkey specialist, we at Corbado have a strong viewpoint. If passkeys are on your roadmap and you want a state-of-the-art implementation that actively drives adoption, Corbado Connect can help you tackle complexities at scale. Here’s why:

Adoption is built into the solution: Our platform is designed around maximizing user opt-in through smart nudges, analytics, and continuous A/B testing which also drives cost savings.

Next Steps:

1. Fill out each relevant section of the evaluation matrix - considering both immediate and long-term goals.
2. Prioritize adoption in your decision-making - align with stakeholders on explicit adoption targets and resources to achieve them.
3. Compare TCO for in-house vs. vendor solutions once you understand your complexity and adoption ambitions and go through your internal process to evaluate build or buy.

4. Consult passkey experts (like Corbado) if your strategic goals point toward a fully managed platform that handles both technical and adoption challenges effectively.

By addressing passkeys in a holistic manner and making adoption one of the key targets, you’ll achieve the best outcomes. That means stronger security, simplified logins, and a real path to a passwordless future. If you’re interested in learning more about Corbado Connect and how we help our clients achieve high passkey adoption, we’re here to talk.

Now that we’ve helped to determine the right approach to answer the question “Buy vs Build?”, we analyze how to evaluate the success of a passkey deployment. Therefore, we define input and output KPIs of a passkey project.

Input KPIs help track the early-stage adoption of passkeys and whether the necessary conditions for widespread use are being established. These indicators precede actual login behavior but are crucial for enabling meaningful adoption and optimize the deployment.

These input KPIs serve as leading indicators of future passkey adoption and allow organizations to fine-tune user education, UX flows, and technical implementation.

Output KPIs (OKRs) measure the actual success of passkey adoption by evaluating user behavior, operational improvements and business impact. These indicators reflect the real-world effectiveness of a passkey deployment. The Passkey Login Rate is a core Output KPI because it directly reflects actual passkey adoption and usage. A rising passkey login rate indicates successful onboarding and continued user preference for passkeys over legacy authentication methods.

It’s important to optimize primarily for passkey login success and passkey login rate to ensure a frictionless user experience, while simultaneously working to increase user activation rates - but only when the login success rate is sufficiently high to avoid introducing user frustration. Additionally, tracking these KPIs by different segments (such as OS, browser, and device) and specific use cases (e.g., cross-device logins) can provide deeper insights into adoption patterns and potential friction points.

Accurately measuring both input (e.g. acceptance, creation) and output KPIs (e.g. login rate, fallback usage) requires gathering data from three main sources:

1. Frontend event data
2. Passkey / credential store
3. Legacy authentication & fallback logs

To calculate metrics like Passkey Acceptance Rate or Passkey Creation Success Rate, you must detect how many users see a post–sign-in nudge, how many click “Yes, create a passkey,” and whether they actually finish the passkey creation. This calls for JavaScript (or native mobile) event tracking to capture:

• When and if the nudge is shown (first vs. subsequent times)
• How long they take to complete the nudge
• If they abort the passkey creation ceremony once or multiple times

You’ll also need user agent parsing or client hints to tie acceptance rates back to specific OS / browser versions to be able to detect specific broken paths.

After a user initiates registration on the frontend, the server must confirm if a new passkey was really stored. You’ll need access to the database or an external identity provider’s API that records each credential’s creation event. This repository helps you count how many passkeys exist per user and track the final outcome (success or failure), ensuring you know precisely which attempts ended in completed registrations.

For metrics like Fallback Rate, you must look at your current authentication logs & processes. By unifying these logs with frontend events, you see if a user started a passkey login, got an error, and switched to the fallback login (e.g. SMS or password).

Finally, measuring time-based KPIs such as Passkey Login Time vs. Legacy Login Time relies on both client and server timestamps. Because many organizations only log successful sign-ins, you must add instrumentation for partial or failed passkey flows to truly gauge friction and fallback. Integrating these three data sources, while respecting privacy and regulatory constraints, is often more complex than anticipated and is another factor that leads some teams to adopt specialized passkey platforms that provide built-in analytics and event tracking.

Corbado Connect components implicitly collect all the described data points (hundreds of different ones) by automatically generating a unique process for every user starting an authentication process. Through seamless integration, Corbado also gathers authentication metrics from your existing solution. This holistic view precisely pinpoints improvements for users, providing comprehensive insights into all essential passkey KPIs without additional effort on your end.

Additionally, the following output KPIs effects should also appear after a successful passkey deployment and are most of the time already collected within the enterprise:

Operational & Cost Reduction Metrics

• Reduction in SMS OTP Usage – Number of SMS OTPs saved due to passkey authentication (direct cost savings).
• Reduction in Password Reset Requests – Decrease in helpdesk interactions related to forgotten passwords.
• Reduction in Customer Support Tickets – Lower volume of authentication-related customer service issues.
• Reduction in Support Call Volume – Fewer inbound calls related to account access issues.

Business & UX Impact Metrics

• User Retention Rates – Percentage of users who continue authenticating after first login.
• Conversion Rate – How often users complete transactions after authentication.
• Drop-Off Rate in Login Funnels – Whether passkeys reduce the number of users abandoning login attempts.

By specifically tracking passkey input and output KPIs and relating them to other data, organizations can quantify the impact of their passkey deployment and make data-driven improvements to maximize adoption, reduce costs, and enhance security.

Choosing the right passkey solution depends on your specific challenges, security requirements and cost considerations. Below are key recommendations for buy vs. build decisions across different sectors.

Key Considerations:

• Regulatory compliance (e.g. PSD2, SOC 2, ISO 27001, GDPR) requires strict security measures in passkey authentication.
• Passkey cost comparison is crucial, as banks often underestimate the long-term complexity and maintenance of in-house solutions.
• Secure authentication is essential to reduce account takeover fraud and phishing

Recommendation:
Most banks and financial institutions should rely on a passkey vendor solution rather than building in-house, as managing passkey infrastructure internally introduces hidden complexities that exceed traditional IT expertise. Implementing passkey authentication at scale requires continuous optimizations and updates, WebAuthn compatibility management and seamless integration with legacy banking systems - all of which passkey vendors already handle.

Banks like Ubank, Revolut and Finom are leading the way in passkey adoption, recognizing the technology's potential to enhance security while improving user experience. The passkey ROI analysis often favors buying a passkey solution rather than investing in ongoing maintenance and updates, with implementations showing significant reductions in fraud attempts and authentication-related support costs.

Examples: Armstrong Bank, First Financial Bank, Ubank, Revolut, Finom, Neobank, Cathay Financial Holdings, Stripe, PayPal, Square

Key Considerations:

• HIPAA and GDPR compliance require strict authentication security in passkey adoption.
• Passkey implementation challenges include balancing security with ease of use for patients, medical staff and hospital IT administrators.
• Many healthcare authentication systems still rely on legacy infrastructure, making passkey integration more complex.

Recommendation:
A passkey vendor solution is the most effective way to meet compliance requirements while simplifying authentication. Passkey vendors handle security patches, compliance updates and authentication reliability, reducing the burden on IT teams.

Examples: CVS Health, Caremark, Helsana, NHS, Swica

Key Considerations:

• Conversion Rate Optimization (CRO) is business-critical - authentication friction directly impacts revenue.
• Multi-device scenarios must work seamlessly (users browse on mobile but complete checkout on desktop).
• Authentication errors directly increase cart abandonment rates, making UX-optimized login flows essential.

Recommendation:
E-commerce platforms benefit most from a passkey implementation provider offering high adoption rates. Major platforms like Amazon and Shopify have implemented passkey authentication, demonstrating the technology's growing adoption in e-commerce. Real-world data shows that over 27% of initial password logins fail, while passkey-based authentication can achieve up to 95-97% successful login rates as shown at previous adoptions. Passkey ROI analysis shows that higher conversion rates and lower fraud losses quickly justify the investment.

Amazon recently said that they set an ambitious target of 100% passkey adoption and the complete elimination of passwords.

Google also found out that trial users that interact with passkeys are 20% more likely to convert o paying customers than those who don’t.

Examples: KAYAK, Amazon, Mercari, Best Buy, eBay, Home Depot, Shopify, Target

Key Considerations:

• Cross-device authentication is essential, as users book trips on one device and check in on another.
• Passkey specialist vendors must ensure fast and secure logins for convenient bookings, check-ins and account management.
• Fraud prevention is a priority, as travel platforms handle high-value transactions.

Recommendation:
Most travel companies should implement passkey solutions to enhance security and user experience. Leading companies like Kayak and major airlines are already utilizing passkey authentication to improve their user experience. Pre-built solutions provide stronger fraud detection, seamless login experiences, and instant multi-device support. The hospitality sector is particularly benefiting from reduced check-in times and improved security through passkey implementation, ensuring smooth authentication across all touchpoints (apps, kiosks, web, and partner platforms).

Examples: Air New Zealand, Bolt, Grab, Uber, Hyatt

Key Considerations:

• Passkey implementation costs must align with compliance needs and user experience improvements.
• Many insurance customers are not highly tech-savvy, so user experience on all sorts of devices and browser is a must
• Passkey integration with identity verification is often required for policy management and claims processing.

Recommendation:
An external passkey solution is best suited for quick deployment and regulatory compliance. Insurance providers report up a significant reduction in authentication-related support tickets after implementing passkeys. A passkey implementation provider with customizable authentication flows and integrated identity verification ensures security while keeping customer logins simple. Passkey ROI analysis suggests that reducing password resets and fraud losses offsets vendor costs.

Examples: Branch

Key Considerations:

• Highest security standards and compliance requirements (e.g., NIST, Essential Eight framework requires phishing-resistant MFA).
• Large-scale deployment needs across diverse user populations with varying technical proficiency
• Integration requirements with existing government identity verification systems and legacy infrastructure

Recommendation:
For government agencies, a specialized passkey solution that meets strict security standards while ensuring accessibility is essential. The implementation success at VicRoads demonstrates that government organizations benefit most from external passkey solutions that handle compliance requirements and security updates automatically. Therefore, choose a passkey implementation provider that offers enterprise-grade security, supports multi-device authentication and provides adaptive authentication flows to accommodate all citizens.

Example: VicRoads, myGov, State of Michigan

Key Considerations:

• Scalability and reliability are critical, as telecom and utility providers often manage millions of users across various customer segments, requiring highly available and fault-tolerant authentication.
• Multi-device and cross-platform support is essential, as users access accounts via mobile apps or web portals. Seamless passkey authentication must work across all customer touchpoints.
• Support for legacy authentication systems is often necessary, as telecom and utility providers may need to integrate passkeys into existing IAM systems and customer identity platforms without disrupting current authentication flows.
• Fraud prevention and account security are top priorities, particularly for SIM swap fraud, identity theft, and unauthorized account access. Passkeys can significantly reduce phishing attacks and credential stuffing risks.

Recommendation:
For telecom and utility providers, adopting an external passkey solution is the recommended approach. Given the scale, complexity, and security demands of these industries, a managed passkey provider ensures compliance, high availability, and seamless integration with existing authentication infrastructure. Telecom giants and digital-first utility providers are already embracing passkeys as part of their security modernization efforts to reduce fraud and improve user experience. Additionally, outsourcing passkey implementation lowers the Total Cost of Ownership (TCO) compared to building in-house, as ongoing maintenance, security updates, and regulatory compliance are handled by the provider.

Example: Deutsche Telekom, Telstra, SK Telecom

Key Considerations:

• Multi-tenant authentication is essential for B2B SaaS, requiring scalable passkey integration across different IAM systems.
• Enterprises expect SSO (OIDC/SAML), therefore a seamless integration with Identity Providers is business-critical.
• Passkey implementation costs must be balanced against other security investments, such as multi-factor authentication (MFA) and zero-trust security models.

Recommendation:
For most B2B SaaS providers, an external passkey implementation is the optimal choice. Implementation is usually faster than in-house development. Digital B2B companies like Notion, Hubspot or Vercel have already embraced passkeys to enhance their authentication security. The Total Cost of Ownership is significantly lower than in-house development, as maintenance, updates, and compliance requirements are covered by the provider.

Example: Canva, DocuSign, Notion

Passkeys have become the global standard for authentication, simplifying logins for end users while enhancing security. As companies evaluate how to implement passkeys, they must decide whether to build an in-house solution or leverage a specialized passkey vendor. While DIY implementations offer full control, they require significant technical expertise, development resources, and continuous maintenance. In contrast, passkey vendors provide a faster, scalable, and cost-effective approach, ensuring high adoption rates, seamless user experience, and compliance with evolving security standards,

This guide addressed the following key questions::

• What components are needed to implement passkeys and go passwordless?

  A successful passkey deployment requires FIDO2/WebAuthn infrastructure, seamless UX flows, fallback mechanisms, and secure account recovery options. Companies must also consider cross-platform compatibility and security compliance.

• Should I implement passkeys in-house or use an external vendor?

  While in-house development offers control, it comes with high complexity, ongoing maintenance costs, and security responsibilities. Most large-scale consumer-facing organizations benefit from an external passkey solution that provides quick deployment, lower operational costs and reduced technical overhead.

• What is the benefit of having a passkey vendor when there are open-source libraries?

  Open-source WebAuthn libraries provide a starting point but lack enterprise-grade security, passkey-optimized user experience and adoption-enhancing features. A passkey vendor ensures seamless deployment, scalability, and optimized user adoption strategies that bring better ROI, reducing friction for both users and developers.

• What are the biggest challenges in building a passkey solution?

  Developing an in-house passkey system requires deep expertise in WebAuthn, multi-device support and passkey adoption. Maintaining ongoing device and browser complexity and ensuring high adoption rates further add to the complexity.

• What are the risks of implementing passkeys in-house?

  Companies risk high development costs, prolonged deployment timelines, and ongoing security maintenance burdens. Compliance failures, security vulnerabilities, and poor user adoption can derail the success of a passkey rollout. A vendor-managed passkey solution mitigates these risks by offering a proven, scalable authentication infrastructure with built-in security and regulatory compliance.