What Changed
The normal PayCal passkey flow starts with an email address. PayCal uses that email to look up matching passkey records, asks the browser for one of those credentials, and verifies the signed response before creating a session.
Faster Passkey Sign-In changes the first prompt. When the setting is enabled for a browser, selecting Sign in can ask the browser to show locally available PayCal passkeys immediately. If the user chooses one and completes the local device check, PayCal verifies the result through the same WebAuthn server checks as the standard flow.
How It Helps Users
- Less typing: returning users can skip entering an email address on browsers where they have opted in.
- Fast household switching: on shared computers, the browser may offer the PayCal passkeys available on that device.
- Clear fallback: if the prompt is unavailable or dismissed, regular sign-in options still appear.
- No weaker login: the shortcut changes when the browser prompt appears, not what PayCal verifies.
How The Early Access Setting Works
- A signed-in eligible user enables Faster Passkey Sign-In under Settings, Early Access.
- PayCal writes a signed activation cookie for that browser only.
- On the sign-in page, PayCal checks the runtime feature flag and the signed activation cookie.
- If both allow the feature, PayCal asks the browser for a discoverable PayCal passkey using Chrome's Immediate UI mode.
- PayCal creates a session only after verifying the WebAuthn challenge response, origin, relying party ID, credential signature, and credential record.
Cookie And Privacy Boundary
The activation cookie is a browser preference, not a login credential. It records that this browser opted in to the faster prompt and includes only feature metadata such as version and expiry. It is signed by PayCal, so it cannot be forged or altered in the browser without the signature check failing.
The cookie does not contain an email address, user UUID, passkey credential ID, biometric data, session token, or secret that can sign a user in. Clearing site data or disabling the setting removes the opt-in.
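The signed opt-in cookie and the two-part gate (runtime feature flag plus activation cookie) described above can be sketched as follows. This is an added example, not PayCal's code: the HMAC-SHA256 scheme, the JSON payload, the field names `v` and `exp`, the key, and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumptions: HMAC-SHA256 and a JSON payload; the page says only "signed".
SIGNING_KEY = b"constructed-demo-key"  # constructed; a real key lives server-side
SUPPORTED_VERSION = 1
ALLOWED_FIELDS = {"v", "exp"}  # feature metadata only, no user identifiers


def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_activation_cookie(ttl_seconds, now=None):
    now = time.time() if now is None else now
    claims = {"v": SUPPORTED_VERSION, "exp": int(now) + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)


def cookie_allows_feature(cookie, now=None):
    """True only for an untampered, unexpired opt-in of a supported version."""
    now = time.time() if now is None else now
    try:
        payload_part, tag_part = cookie.split(".")
        payload, tag = b64d(payload_part), b64d(tag_part)
    except (AttributeError, ValueError):
        return False  # missing or malformed cookie: fall back to regular sign-in
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False
    claims = json.loads(payload)  # parsed only after the MAC has been verified
    return (set(claims) == ALLOWED_FIELDS and claims["v"] == SUPPORTED_VERSION
            and claims["exp"] > now)


def should_offer_immediate_prompt(feature_flag_enabled, cookie, now=None):
    # Runtime kill switch AND browser opt-in. This decides only whether the
    # faster prompt appears; a session still requires WebAuthn verification.
    return bool(feature_flag_enabled) and cookie_allows_feature(cookie, now)
```

Every failure path returns `False`, so a missing, expired, or altered cookie simply leaves the regular sign-in options in place.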
What Does Not Change
- Existing passkeys are not modified.
- Biometrics stay on the user's device and are never sent to PayCal.
- PayCal still issues a fresh challenge for each sign-in attempt.
- No session is created unless server-side WebAuthn verification succeeds.
- macOS, Chrome, or the authenticator may still require Touch ID, Apple Watch approval, or the system password before releasing the passkey assertion.
Why It Is Early Access
Browser passkey prompts are still evolving. Chrome's Immediate UI mode gives PayCal a useful way to reduce sign-in friction, but real device behavior varies across operating systems, shared computers, private browsing, and account-switching situations.
Early Access lets PayCal test the experience with clear opt-in, a browser-specific cookie, feedback collection, and runtime kill switches before considering a broader default rollout.