
Strengthening authentication with passkeys: A CISO playbook

Our passkey rollout took three tries. Here's a playbook to make your implementation smoother.

For decades, passwords have been the standard method for protecting access to systems and accounts. However, passwords can be compromised or stolen via tactics such as brute-force attacks, phishing attacks, and infostealer malware. The shift to multi-factor authentication (MFA) added another layer of security by requiring additional proof of the user’s identity: some combination of something you know, something you have, and (in the case of biometrics) something you are. While MFA is stronger than passwords alone, threat actors have found ways to circumvent it, including adversary-in-the-middle (AiTM) attacks that proxy the real login page, session hijacking, MFA fatigue (push bombing), and social engineering of help desks to reset or disable MFA. Passkeys were introduced as a phishing-resistant form of MFA.

How passkeys work

Passkeys are built on FIDO2/WebAuthn public key cryptography: a unique public-private keypair is generated for each user and each service (relying party). The public key is sent to the server; the private key never leaves the authenticator, which is either a credential manager that syncs across the user’s devices (sometimes called the sync fabric) or a hardware security key. During sign-in, the server sends a random, single-use challenge to the user’s device. When the user completes the verification they enrolled (e.g., biometric input or PIN), the authenticator signs the challenge, together with data that records which origin requested it, using the private key. The server verifies the signature against the stored public key and checks that the challenge is the one it issued and that the origin is its own. No reusable secret is transmitted, so there is nothing for attackers or malware to intercept and replay. Because the credential is scoped to the relying party’s domain and the signed data names the origin, traditional phishing (e.g., soliciting credentials via fake login pages) is ineffective: a look-alike domain has no matching passkey, and an assertion relayed from one would fail the server’s origin check.

Benefits

Passkeys benefit organizations and employees. The following are some of the primary advantages:

  • Enhanced security – Replacing passwords with passkeys reduces the risk of credential-based attacks (e.g., brute-force attacks, infostealers, phishing). These attacks can lead to operational disruptions, substantial recovery costs, and reputational damage.
  • Convenience and time savings – Users do not have to worry about selecting, maintaining, and protecting system passwords. They also don’t have to determine if they need to enter a code or approve a push notification. The login process is simpler and faster, and the reduced friction is especially beneficial during security-critical and time-sensitive scenarios. A combination of passkeys and single sign-on for internal resources can streamline access even further. While some resources and websites will still require passwords or other authentication mechanisms, reducing the number of logins and reauthentication requests makes employees’ lives easier.
  • Fewer help desk requests – While the adoption of passkeys will not eliminate access problems, it can significantly reduce the number of tickets related to password errors, reset requests, lost or malfunctioning authenticator devices, and delayed or missing verification codes due to poor mobile signal. Support teams can redirect the time typically consumed by these tickets to focus on other issues.

Considerations and caveats

Most organizations will not need to build passkey infrastructure from scratch. Major identity providers such as Microsoft, Google, and Okta offer passkey support as part of their existing authentication platforms. The implementation decision is less about selecting a standalone passkey product and more about how to enable and enforce passkeys within your current identity stack. Prior to evaluating various solutions, organizations need to have a firm understanding of their environment and must consider the implications for employees’ personal devices if applicable. Some solutions may not be compatible with all operating systems or with older versions. Organizations also need to consider where passkeys will be stored (e.g., directly on the user’s laptop, in a cloud-based password manager, on a physical token such as a YubiKey) and how to restore access if a passkey is lost, deleted, or corrupted. Our FAQ document addresses additional considerations.

Note that while passkeys provide a strong authentication option, they are not infallible. Overall security hygiene is important, including ensuring that appropriate security controls are in place, regularly auditing privileges and accesses, and keeping systems and software patched against known vulnerabilities. Organizations should also educate users about safeguarding access and how to recognize social engineering attempts.

Success factors for passkey implementation

Based on our passkey journey and advice published by other industry experts, successful implementation requires elements such as internal partnerships, proper planning, and clear communication. We identified the following factors that can ease the transition. These factors are covered in more detail in the implementation guide.

  • Involve the right teams
  • Keep users in mind
  • Explain the benefits
  • Own your past mistakes
  • Diversify early adopters
  • Counter resistance with facts and assurances
  • Send clear communications at an appropriate cadence
  • Write support scripts and train support teams early
  • Listen to users

How we can help

During our passkey implementation, we encountered known and unexpected challenges. To help other organizations who are considering or embarking on the transition, we created a playbook containing an implementation guide, an FAQ, a downloadable passkey rollout template that can be used by project managers, and downloadable overview slides.

About the author

Ross McKerchar

Ross McKerchar is the Chief Information Security Officer (CISO) at Sophos. He holds a BSc in Computer Science from Edinburgh University and joined Sophos in 2007. During his tenure with the company, he has successfully established, scaled, and matured the internal cybersecurity program. The CISO team helps keep customers safe by keeping Sophos products, infrastructure, and services safe. Ross believes that authenticity and transparency are key to achieving the team's core goal: becoming the most trusted brand in cybersecurity.


Rajeev Kapur

Rajeev Kapur is VP, IT Engineering at Sophos. Since joining the company in 2012, he has led initiatives that enable employees across the business, including the corporate identity journey, deployment of a Zero Trust security model, passkey‑based authentication, and broader employee technology programs.

Mindi McDowell

Mindi McDowell is a Senior Threat Researcher in Sophos X-Ops. She holds a master's degree in professional writing from Carnegie Mellon University and began her cybersecurity career at the CERT Coordination Center, based at Carnegie Mellon University's Software Engineering Institute. She later joined Secureworks, where she was a member of the Counter Threat Unit (CTU).


Angela Gunn

Angela Gunn is a senior threat researcher in Sophos X-Ops. As a journalist and columnist for two decades, her outlets included USA Today, PC Magazine, Computerworld, and Yahoo Internet Life. Since morphing into a full-time technologist, she has focused on incident response, privacy, threat modeling, GRC, OSINT, and security training at companies including Microsoft, HPE, BAE AI, and SilverSky.

Ryan Westman

Ryan Westman is a Senior Manager of Threat Research at Sophos. With over a decade of experience in cybersecurity and national security, Ryan specializes in threat intelligence and operations. He has led high-performing teams across government, Big Four consulting, and the MDR space.

Ryan has provided expert commentary to leading media outlets and spoken at major national and international conferences, including DEFCON, RMISC, Sleuthcon, ILTACon, and Evanta CISO events. He holds multiple degrees and industry certifications (GCTI, GCFA, GSLC) and is passionate about protecting organizations from foreign and domestic cyber threats.