New at hackr.io
This week we are simplifying threat modeling for busy dev teams, with a playbook you can run in under 30 minutes during sprint planning.
WebAuthn lets users sign in with device-bound credentials or synced passkeys, which means stronger security and a faster login. This guide shows you how to implement registration and authentication, how to make good UX choices, and how to avoid common mistakes.
Partner Message
Marketing that’s always on — even when you’re not. Get automation tools that send your messages for you.
You can’t be everywhere at once — but your marketing can.
With Constant Contact’s automation tools, your emails, texts, and offers go out at the right time, every time — without you having to lift a finger.
Want to show your audience you care about them? Use an automation template to send birthday messages. Working on driving sales? Set up an abandoned cart email automation to gently urge almost-shoppers to become actual shoppers. Looking to bring lapsed customers back into the fold? Send automations with offers and promos to entice them to buy again. You can even create custom automation paths that work best for your business.
It couldn’t be easier. Just set up automatic triggered messages based on your customers’ behavior, and watch those messages run while you focus on everything else.
Hackr readers, if you’re ready to save time and put pesky administrative tasks on autopilot, give Constant Contact’s marketing automation tools a try. Get started today — for free.
The Scoop
WebAuthn, From Zero to Working Login
Understand the pieces
The Relying Party ID must match your effective domain, origins must be HTTPS, and your server creates each challenge and then verifies the signed response. Authenticators can be platform-bound or cross-platform, and credentials can be discoverable, which enables username-less flows.
Design the registration flow
Your server creates a challenge and the public key creation options, the browser calls navigator.credentials.create, the authenticator generates and stores a private key, and the client returns an attestation response. Persist the credential ID, the public key, the user handle, and any flags that matter to your policy.
Design the authentication flow
Your server creates a challenge, the browser calls navigator.credentials.get, the authenticator signs the challenge, and the client returns an assertion. Verify the signature with the stored public key, check that the origin and RP ID are the ones you expect, and confirm user presence and user verification according to your requirements.
Pick a UX pattern
Offer passkeys first, keep a clean fallback like email magic link or TOTP, and explain what will happen on each device. Label platform authenticators as Phone or This device, and label cross-platform keys as Security key.
Handle real life
Support multiple credentials per user, rotate or remove credentials, and plan for device loss and recovery. Add reauthentication for risky actions, and store a signature counter to watch for cloned keys.
Ship with confidence
Rate limit the endpoints that issue challenges, set a strict Content Security Policy, and use correct SameSite cookie attributes. Test on localhost with a matching RP ID of localhost, then test on your staging and production domains.
Partner Message
From Hype to Production: Voice AI in 2025
Voice AI has crossed into production. Deepgram’s 2025 State of Voice AI Report with Opus Research quantifies how 400 senior leaders - many at $100M+ enterprises - are budgeting, shipping, and measuring results.
Adoption is near-universal (97%), budgets are rising (84%), yet only 21% are very satisfied with legacy agents. And that gap is the opportunity: using human-like agents that handle real tasks, reduce wait times, and lift CSAT.
Get benchmarks to compare your roadmap, the first use cases breaking through (customer service, order capture, task automation), and the capabilities that separate leaders from laggards - latency, accuracy, tooling, and integration. Use the findings to prioritize quick wins now and build a scalable plan for 2026.
Advanced Skills
What Else Should You Know?
Attestation choices
Most consumer apps request no attestation (conveyance preference none), while higher-assurance apps may require packed or Apple attestation. Document why you collect it, and store only what you need.
Passkeys that sync
Platform vendors sync discoverable credentials across devices for the same account. Decide when you want discoverable credentials, and how you will handle account recovery and device churn.
Authenticator policy
Require user verification for payments or admin actions. Allow user presence for low risk flows. Make the policy explicit in code and tests.
Account linking
Treat first registration as bootstrapping. Let users add more credentials later, link a security key for travel, and remove old ones in a clear management screen.
Telemetry and alerts
Log RP ID checks, origin checks, verification flags, and error reasons. Alert on verification failures, origin mismatches, or unexpected authenticator data.
Compliance and privacy
Explain to users what data is stored, how attestation is used, and how to remove credentials. Keep data retention lean.
That’s it for today.
Thanks for being part of the community at Hackr.io. Keep learning, keep sharing your projects, and keep building secure software.
The Hackr.io Team