Passkeys replace two-step verification with a single biometric authentication: Face ID or fingerprint.
passkeys in active use globally
of enterprises actively deploying passkeys
improvement in mobile conversion with passkeys vs. passwords
The specs, not the wrappers. Understood at the level that matters when something breaks at 2am.
Auth0 internals, IaC, tenant configuration, early access program relationships. The platform layer beneath the protocol layer.
React, TypeScript, Python, Node.js. Frontend auth flows, backend migration architecture, mobile-native integration.
Pick up your phone and open your banking app. Face ID comes up. You think: good, it's protected.
I found out it wasn't. The biometric was blocking the screen. It wasn't blocking the account.
I examined a codebase that wasn't mine to own. What I found hadn't been named yet. It was a design constraint costing the business money. Short sessions, constant logouts, friction at the front door of a platform where people link their bank accounts.
The fix replaces a seven-step registration flow with one tap. Better security and less friction simultaneously. That's not a tradeoff. The rollout is in progress.
Native passkeys via Auth0 early access program. PKCE-compliant, no webview redirect. Face ID gates the refresh token via iOS Keychain: biometric-gated session instead of cosmetic UI overlay.
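As an added illustration (not code from the platform described here), this Swift sketch shows what a biometric-gated refresh token can look like: the Keychain item carries an access-control policy, so the OS releases it only after a Face ID or Touch ID match, instead of the app drawing a lock screen over a session that is already usable. The service and account names, the error type, and the specific protection flags are assumptions made for the example.

```swift
import Foundation
import LocalAuthentication
import Security

enum TokenStoreError: Error { case accessControl, keychain(OSStatus), decoding }
// Hypothetical identifiers for this sketch; not taken from the page.
let service = "com.example.auth"
let account = "refresh_token"

/// Store the refresh token so the Keychain itself demands biometry on every read.
func storeRefreshToken(_ token: String) throws {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        nil,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, // not synced, not restored to another device
        .biometryCurrentSet,                             // item is invalidated if biometric enrollment changes
        &cfError
    ) else { throw TokenStoreError.accessControl }
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    SecItemDelete(base as CFDictionary) // replace any earlier copy of the token
    var add = base
    add[kSecAttrAccessControl as String] = access
    add[kSecValueData as String] = Data(token.utf8)
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw TokenStoreError.keychain(status) }
}

/// Read the token; the system presents the biometric prompt and releases the item only on a match.
func loadRefreshToken(reason: String) throws -> String {
    let context = LAContext()
    context.localizedReason = reason
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecUseAuthenticationContext as String: context,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess else { throw TokenStoreError.keychain(status) }
    guard let data = item as? Data, let token = String(data: data, encoding: .utf8) else { throw TokenStoreError.decoding }
    return token
}
```

With this layout a cancelled or failed biometric check surfaces as a non-success `OSStatus` from `SecItemCopyMatching`, so the app has no refresh token to use and cannot silently renew the session.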
Four-phase rollout: A/B test identifier-first → global rollout → passkeys on Auth0 hosted server → native passkeys. Every phase has a defined rollback. Identifier-first is an Auth0 tenant-level prerequisite for passkeys. Surfacing that dependency ordered the entire roadmap.
Financial platforms often require a verification step after your password. 59% of users who started that enrollment didn't finish it. Significant. Quiet. Nobody had built the instrument to see it clearly.
The platform was already emitting the events. They just weren't connected to anything. A config change, a payload enhancement, a cross-team relationship: the drop-off became visible without a single new screen.
Security was right: MFA isn't going away. But passkeys are MFA: one tap, no enrollment flow, no drop-off. That 59% doesn't have to go with it.
Auth0 already emitted MFA enrollment funnel events. Forwarded to Segment via allowlist config change. No custom screens, no engineering lift. Identified ID mapping gap (Auth0 user ID incompatible with existing user identifier), enhanced pre-MFA event payload with Auth0 ID, coordinated with analytics engineering to build cross-reference table.
Imagine moving every single person in Texas into new houses, all in one night, without a single person losing their keys or even noticing they moved.
That's what a credential migration at this scale actually is. I built the strategy, testing protocols, launch checklists, and monitoring dashboards. Midway through, I hit a live platform concurrency limitation. I escalated it, resolved it, and kept moving.
Zero data loss. Zero downtime.
Auth0 bulk migration with custom testing strategies and rollback architecture. Hit Auth0 concurrency limitation mid-migration. Escalated to Auth0 engineering, got limits lifted, maintained timeline. Monitoring dashboards built in parallel to production migration to catch edge cases in real time.
I'm a senior software engineer with four years owning the identity platform at a fintech with 21 million monthly visitors.
Authentication sounds narrow. It isn't. Every user's first experience with a product runs through auth. Every session, every re-engagement, every moment of friction or trust: all of it flows through identity infrastructure.
I build the systems that get people in. I design the architecture that keeps sessions secure without making them short. I own the protocols: OAuth 2.0, PKCE, FIDO2, WebAuthn, passkeys. At the level that matters when something breaks at scale.
The part that doesn't show on a resume: I work backward from impact. When I see friction costing users, I know what it costs the business. When I see a security gap, I know which conversation to have and how to move it forward.
The work I'm most proud of started because I was curious about something that didn't quite add up.
Our mobile app had biometric authentication. Face ID. It felt secure. But I kept thinking: what is Face ID actually gating? I downloaded the mobile codebase (not my team's, not my assignment) because I needed to answer that question.
What I found was a design constraint nobody had named yet. The biometric protected the screen. The session underneath stayed open regardless, because it lived at the intersection of mobile, auth, and session management that no single team owned.
The fix was specific and small. The constraint had just never had a name, because no single team was looking at all three layers at once. I wasn't assigned to look. I looked anyway.
I started working on passkeys before most companies had them on their roadmap.
Not because I was assigned to it. Because I could see where authentication was going, and I wanted to be the person who understood it at depth before it became urgent.
The shift is happening now. But for financial platforms, it's not as simple as removing friction. MFA isn't optional when you're handling people's money. The question I kept coming back to: does it have to be a tradeoff? Passkeys are FIDO2-compliant MFA. One biometric tap, no enrollment flow to abandon, no second factor to fumble. The security bar stays. The drop-off disappears.
I proposed this architecture and I'm building it now: identifier-first flows as the prerequisite, Auth0 tenant configuration, a four-phase native passkeys rollout with defined rollbacks at every step. Not a proof of concept. Not a hackathon project. A production rollout on a platform with 21 million monthly visitors.
If you want someone who has been building toward this, not reacting to it: I'd like to talk.
The hard part isn't execution. It's knowing what to build, how much to invest, and when to stop.