Passkeys implementation: Build or buy?

Top takeaways summary
  • Passkeys offer strong security and user-friendly authentication, but deciding whether to build or buy affects cost and compliance and has long-term implications.
  • Building in-house can seem cost-effective but carries hidden risks: maintenance, integration challenges, and evolving FIDO/WebAuthn standards.
  • Partnering with an experienced vendor reduces risk.

There is a lot to consider when selecting cybersecurity solutions to make your enterprise safe. Maybe you are thinking you can solve the problem on your own and take the build route rather than buy. Let’s explore the considerations for adopting FIDO-based passkey authentication, as the decision carries considerable weight and potential consequences.

When organizations contemplate a passkeys implementation as an alternative to passwords, they often start by focusing on the minimum viable product (MVP). However, the real challenge lies beyond the MVP—the unknowns that come with version 1.1 and beyond. The technology landscape is constantly evolving, demanding adaptability and scalability. This is when the decision between starting from scratch and leveraging an experienced vendor becomes critical.

6 considerations when determining whether to build or buy your passkeys implementation

1. Completeness: Beyond the MVP

Building a passkeys authentication solution from scratch may seem like an attractive proposition, especially for the sake of cost-effectiveness and fitting into existing infrastructure. However, it’s crucial to consider the road beyond the MVP. Rapid technological advancements necessitate staying up-to-date and future-ready. Vendors with experience in user-friendly passwordless authentication solutions offer much more than an MVP and also pave the way for future expansions and improvements, helping avoid technological dead-ends.

2. Support for diverse environments: Native apps, web apps, devices, and regulatory requirements

The ability of passkeys to seamlessly integrate across diverse environments is a fundamental requirement. Most established vendors excel in providing such integration, saving organizations time and resources.

In contrast, building this integration in-house can be time-consuming and expensive, even more so when compliance requirements need to be addressed. Dedicated passwordless authentication vendors bring years of experience, providing compatibility across a wide range of devices and regulatory environments.

3. Seamless integration and backend infrastructure support

The tech landscape is no longer homogeneous. Maintaining compatibility across various hardware and software versions can be a significant challenge when building in-house. Dedicated vendors can simplify this process by integrating seamlessly with an organization’s existing backend infrastructure, including cloud hardware security modules (HSMs) and secret stores. This integration capability minimizes the need for extensive code changes.

4. Maintenance challenges: Keeping pace with specifications

Keeping current on evolving FIDO and WebAuthn specifications is crucial for passkey solutions. Organizations often underestimate the effort and resources required for ongoing maintenance when building in-house. Partnering with experienced authentication vendors means that passkey features remain up-to-date. This reduces maintenance burdens, allowing organizations to stay focused on their core objectives.

5. Minimizing development risks and project failures for a passkeys implementation

In-house development involves inherent uncertainties, especially when introducing a new concept like passkeys for the first time. Organizations can miss crucial elements or face unforeseen obstacles, leading to increased costs, delays, or compromises in user experience.

Partnering with a seasoned passwordless authentication provider reduces these risks by drawing on the expertise and insights it has gained from successful passkey implementations.

6. Capitalizing on investment and experience

While building a passkey solution independently may seem appealing from a cost perspective, it often fails to account for hidden expenses and missed opportunities. Unknown unknowns can be costly in terms of both time and money.

Leveraging a vendor like OneSpan, with expertise and a wealth of investment in FIDO-based implementations, provides a smoother fit into existing infrastructure and access to valuable intellectual property.

Case study: ROI from passwordless authentication

This enterprise partnered with OneSpan to deploy FIDO-based passwordless authentication across its mobile apps, achieving 70% faster sign-in speeds and growing to over 77M FIDO registrations over five years.

There is another option beyond the binary build vs. buy decision

Consider a hybrid approach that combines off-the-shelf systems with custom-built components. This strategy balances cost-efficiency with flexibility. It allows organizations to focus internal resources on areas that create differentiation while leveraging proven technologies for foundational needs.

Think of it like building a house. While design choices and finishes can be fully customized, the framing, wiring, and plumbing — the critical underpinnings — follow established standards.

That’s what OneSpan offers. Businesses can innovate and enhance their brand experience as much as they wish, but the underlying authentication infrastructure must provide one fundamental outcome: proving who’s there.

Every digital interaction should start with trust.

Building your passkeys implementation from the ground up is not easy and getting it wrong can have serious consequences. Cybercriminals are constantly evolving, so it’s crucial to anticipate vulnerabilities and maintain a secure, frictionless user experience. Doing so requires deep expertise in encryption, user authentication, and compliance. That’s what OneSpan delivers.

Final thoughts on the passkeys implementation decision

The decision to build custom software or buy off-the-shelf solutions is one of the most debated topics in the software industry. It’s a choice that can define a business’s operations, scalability, and long-term competitive advantage.

Both approaches come with distinct pros and cons, and understanding the differences helps organizations make informed decisions aligned with their unique business objectives.

White paper: Want more clarity on the trade-offs?

To learn more, read our white paper: Build vs. buy: Rethinking authentication in the era of FIDO. In it, we explore 3 options for implementing FIDO-based authentication solutions – including a hybrid approach.

FAQ

Why is the decision between building or buying a passkey solution so critical?

The choice impacts cost, compliance, scalability, and long-term security. While building in-house may seem cost-effective initially, it carries hidden risks such as ongoing maintenance, integration challenges, and keeping up with evolving FIDO/WebAuthn standards. Buying from an experienced vendor reduces these risks and facilitates future readiness.

What are the main challenges of building a passkey solution internally?

Building in-house requires significant resources for integration across diverse environments, maintaining compatibility with backend infrastructure, and staying current with security specifications. Organizations often underestimate these efforts, leading to increased costs, delays, and potential vulnerabilities.

Is there an alternative to choosing strictly between build or buy?

Yes. A hybrid approach combines off-the-shelf solutions with custom-built components. This strategy offers flexibility and cost-efficiency, allowing businesses to innovate while leveraging proven technologies for foundational security needs.