Every major tech giant touts passkeys as an effective, convenient password replacement that can end phishing and credential leaks. The core idea is simple: you sign in with a private cryptographic key stored on your device (ideally in a hardware-backed secure element or TPM; for synced passkeys, in a platform keychain that is itself protected by the device), and you unlock that key with biometrics or a PIN. The key never leaves the device, and the signature it produces is bound to the site’s origin, which is what makes phishing pages useless. We’ve already covered the current state of passkeys for home users in detail across two articles (on terminology and basic use cases, and on more complex scenarios). However, businesses have entirely different requirements and approaches to cybersecurity. So, how good are passkeys and FIDO2/WebAuthn in a corporate environment?
Reasons for companies to switch to passkeys
As with any large-scale migration, making the switch to passkeys requires a solid business case. On paper, passkeys tackle several pressing problems at once:
- Lower the risk of breaches caused by stolen legitimate credentials — phishing resistance is the top advertised benefit of passkeys.
- Strengthen defenses against other identity attacks, such as brute-forcing and credential stuffing.
- Help with compliance. In many industries, regulators mandate the use of robust authentication methods for employees, and passkeys usually qualify.
- Reduce costs. If a company opts for passkeys stored on laptops or smartphones, it can achieve a high level of security without the extra expense of USB devices, smart cards, and their associated management and logistics.
- Boost employee productivity. A smooth, efficient authentication process saves every employee time daily and reduces failed login attempts. Switching to passkeys usually goes hand in hand with getting rid of the universally loathed regular password changes.
- Lighten the helpdesk workload by decreasing the number of tickets related to forgotten passwords and locked accounts. (Of course, other types of issues pop up instead, such as lost devices containing passkeys.)
How widespread is passkey adoption?
A FIDO Alliance report suggests that 87% of surveyed organizations in the US and UK have either already transitioned to using passkeys or are currently in the process of doing so. However, a closer look at the report reveals that this impressive figure also includes the familiar enterprise options like smart cards and USB tokens for account access. Although some of these are indeed based on WebAuthn and passkeys, they’re not without their problems. They’re quite expensive and create an ongoing burden on IT and cybersecurity teams related to managing physical tokens and cards: issuance, delivery, replacement, revocation, and so on. As for the heavily promoted solutions based on smartphones and even cloud sync, 63% of respondents reported using such technologies, but the full extent of their adoption remains unclear.
Companies that transition their entire workforce to the new tech are few and far between. The process can get both organizationally challenging and just plain expensive. More often than not, the rollout is done in phases. Although pilot strategies may vary, companies typically start with those employees who have access to IP (39%), IT system admins (39%), and C-suite executives (34%).
Potential obstacles to passkey adoption
When an organization decides to transition to passkeys, it will inevitably face a host of technical challenges. These alone could warrant their own article. But for this piece, let’s stick to the most obvious issues:
- Difficulty (and sometimes outright impossibility) of migrating to passkeys when using legacy and isolated IT systems — especially on-premises Active Directory
- Fragmentation of passkey storage approaches within the Apple, Google, and Microsoft ecosystems, complicating the use of a single passkey across different devices
- Additional management difficulties if the company allows the use of personal devices (BYOD), or, conversely, has strict prohibitions such as banning Bluetooth
- Ongoing costs for purchasing or leasing tokens and managing physical devices
- High-assurance scenarios that depend on attestation require device-bound (non-syncable) hardware keys, so the relying party can verify which authenticator model created the credential and that it cannot be copied to another device. Even then, not every hardware key qualifies; the FIDO Alliance provides specific recommendations on this
- Necessity to train employees and address their concerns about the use of biometrics
- Necessity to create new, detailed policies for IT, cybersecurity, and the helpdesk to address issues related to fragmentation, legacy systems, and lost devices (including issues related to onboarding and offboarding procedures)
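The device-bound requirement in the list above is something a relying party can actually enforce at registration rather than just write into policy. The example below, added here and not taken from the original article or from any identity provider’s code, parses the WebAuthn authenticator data returned during registration and applies a high-assurance policy: user verification performed, backup-eligible (BE) and backup-state (BS) flags clear (i.e. not a syncable passkey), and the authenticator’s AAGUID on an approved-model list. The byte layout and flag bits are the real WebAuthn authenticator-data format; the RP ID `example.com`, the AAGUID allow-list and the two sample credentials are constructed placeholders. The flags and AAGUID are asserted by the authenticator, so this check is only meaningful once the attestation statement’s signature chain has been verified against the vendor’s root (for instance via the FIDO Metadata Service); that step is assumed to happen elsewhere and is not shown.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

# Authenticator data flag bits (WebAuthn Level 3, "Authenticator Data").
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (biometric or PIN)
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data (AAGUID + credential id + key) follows
FLAG_ED = 0x80  # extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes]
    credential_id: Optional[bytes]
    rest: bytes  # COSE public key (+ extensions); not parsed in this example


def parse_authenticator_data(data: bytes) -> AuthData:
    """Split raw authenticatorData into its fixed header and attested credential data."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])  # big-endian uint32
    aaguid = credential_id = None
    rest = data[37:]
    if flags & FLAG_AT:
        if len(rest) < 18:
            raise ValueError("truncated attested credential data")
        aaguid = rest[:16]
        (cred_len,) = struct.unpack(">H", rest[16:18])
        if len(rest) < 18 + cred_len:
            raise ValueError("truncated credential id")
        credential_id = rest[18:18 + cred_len]
        rest = rest[18 + cred_len:]
    return AuthData(rp_id_hash, flags, sign_count, aaguid, credential_id, rest)


def check_high_assurance(auth: AuthData, rp_id: str, allowed_aaguids: set) -> list:
    """Return the list of policy violations for a registration; an empty list means accepted.

    Assumes the attestation signature has already been verified, otherwise the
    flags and AAGUID below are untrusted self-assertions.
    """
    problems = []
    if auth.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match our RP ID")
    if not auth.flags & FLAG_UP:
        problems.append("user presence not asserted")
    if not auth.flags & FLAG_UV:
        problems.append("user verification (biometric/PIN) not performed")
    if auth.flags & FLAG_BE:
        problems.append("credential is backup-eligible (syncable passkey), not device-bound")
    if auth.flags & FLAG_BS:
        problems.append("credential is currently backed up to a sync fabric")
    if not auth.flags & FLAG_AT:
        problems.append("no attested credential data; authenticator model unknown")
    elif auth.aaguid not in allowed_aaguids:
        problems.append("AAGUID %s is not on the approved hardware key list" % auth.aaguid.hex())
    return problems


def build_authenticator_data(rp_id, flags, sign_count, aaguid=b"", credential_id=b"", cose_key=b""):
    """Assemble authenticatorData bytes; used here only to construct sample input."""
    out = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        out += aaguid + struct.pack(">H", len(credential_id)) + credential_id + cose_key
    return out


# Constructed placeholders: a made-up AAGUID standing in for an approved hardware key model.
RP_ID = "example.com"
HARDWARE_AAGUID = bytes.fromhex("0123456789abcdef0123456789abcdef")
APPROVED_AAGUIDS = {HARDWARE_AAGUID}

# Sample 1: device-bound hardware key, UP+UV, no backup flags, real-looking counter.
HARDWARE_KEY = build_authenticator_data(
    RP_ID, FLAG_UP | FLAG_UV | FLAG_AT, 7, HARDWARE_AAGUID, b"\x11" * 32, b"\xa5")
# Sample 2: synced platform passkey, BE+BS set, zero AAGUID and a zero counter
# (synced passkeys commonly report neither a vendor AAGUID nor a signature counter).
SYNCED_PASSKEY = build_authenticator_data(
    RP_ID, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT, 0, bytes(16), b"\x22" * 16, b"\xa5")

if __name__ == "__main__":
    for name, sample in (("hardware key", HARDWARE_KEY), ("synced passkey", SYNCED_PASSKEY)):
        verdict = check_high_assurance(parse_authenticator_data(sample), RP_ID, APPROVED_AAGUIDS)
        print(name, "->", "accepted" if not verdict else "; ".join(verdict))
```

Run this at registration time, not on every sign-in: BE is fixed for the life of the credential, while BS can flip later, so an RP that cares about device binding should reject backup-eligible credentials up front rather than watch the backup state afterwards. The same check is also what distinguishes the NIST AAL2 (syncable) and AAL3 (device-bound) cases discussed later on this page.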
What do regulators say about passkeys?
Despite all these challenges, the transition to passkeys may be a foregone conclusion for some organizations if required by a regulator. Major national and industry regulators generally support passkeys, either directly or indirectly:
The NIST SP 800-63 Digital Identity Guidelines permit “syncable authenticators” (a definition that clearly covers passkeys) at Authenticator Assurance Level 2, and device-bound authenticators at Authenticator Assurance Level 3. Because auditors widely treat NIST guidance as the benchmark for strong authentication, passkeys are readily defensible in ISO 27001, HIPAA, and SOC 2 audits.
In its guidance on PCI DSS v4.0.1, the PCI Security Standards Council explicitly names FIDO2 as a technology that meets its criteria for “phishing-resistant authentication”.
The EU Payment Services Directive 2 (PSD2) is written in a technology-agnostic manner. However, it requires Strong Customer Authentication (SCA) and the use of public-key-based devices for important financial transactions, as well as dynamic linking of the payment details (amount and payee) to the transaction’s authentication code. Passkeys can satisfy these requirements when the signed challenge binds that transaction data.
The EU’s DORA (a regulation) and NIS2 (a directive) are also technology-agnostic, and generally only require the implementation of multi-factor authentication, a requirement that passkeys certainly satisfy.
In short, choosing passkeys specifically isn’t mandatory for regulatory compliance, but many organizations find it to be the most cost-effective path. Among the factors tipping the scales in favor of passkeys are the extensive use of cloud services and SaaS, an ongoing rollout of passkeys for customer-facing websites and apps, and a well-managed fleet of corporate computers and smartphones.
Enterprise roadmap for transitioning to passkeys
- Assemble a cross-functional team. This includes IT, cybersecurity, business owners of IT systems, tech support, HR, and internal communications.
- Inventory your authentication systems and methods. Identify where WebAuthn/FIDO2 is already supported, which systems can be upgraded, where single sign-on (SSO) integration can be implemented, where a dedicated service needs to be created to translate new authentication methods into ones your systems support, and where you’ll have to continue using passwords — under beefed-up SOC monitoring.
- Define your passkey strategy. Decide whether to use hardware security keys or passkeys stored on smartphones and laptops. Plan and configure your primary sign-in methods, as well as emergency access options such as a Temporary Access Pass (TAP), and make sure the fallback path is time-limited and monitored, since it is the obvious target once the primary path is phishing-resistant.
- Update your corporate information security policies to reflect the adoption of passkeys. Establish detailed sign-up and recovery rules. Establish protocols for cases where transitioning to passkeys isn’t on the cards (for example, because the user must rely on a legacy device that has no passkey support). Develop auxiliary measures to ensure secure passkey storage, such as mandatory device encryption, biometrics use, and unified endpoint management or enterprise mobility management device health checks.
- Plan the rollout order for different systems and user groups. Set a long timeline to identify and fix problems step-by-step.
- Enable passkeys in access management systems such as Entra ID and Google Workspace, and configure allowed devices.
- Launch a pilot, starting with a small group of users. Collect feedback, and refine your instructions and approach.
- Gradually connect systems that don’t natively support passkeys using SSO and other methods.
- Train your employees. Launch a passkey adoption campaign, providing users with clear instructions and working with “champions” on each team to speed up the transition.
- Track progress and improve processes. Analyze usage metrics, login errors, and support tickets. Adjust access and recovery policies accordingly.
- Gradually phase out legacy authentication methods once their usage drops to single-digit percentages. First and foremost, eliminate one-time codes sent through insecure communication channels, such as text messages and email, because as long as they remain enabled as a fallback, an attacker can simply steer the victim to that weaker path.