CISO Playbook: Passkeys
Are you considering or in the early stages of implementing passkeys at your organization? We’re sharing resources to help guide you through the process.
Safeguarding data is a primary focus of organizations’ Security and IT teams. Historically, initial access was often managed by passwords and multi-factor authentication (MFA), but threat actors have developed ways to intercept and compromise those credentials. These credential-based attacks can have significant operational, financial, and reputational consequences. Passkeys provide a stronger authentication solution via a cryptographic approach that’s based on a public-private keypair unique to each user and service.
We decided to transition to a passkey solution at Sophos but had a couple of false starts along the way. We learned a lot of lessons during the process and published this playbook to help others learn from our experiences and avoid the same pitfalls.
Read the blog post describing this playbook.
Resources:
- Implementation guide - Provides a candid account of our three attempts at passkey rollout, including the cross-functional workstream that finally made it work and the lessons we learned at each stage
- FAQ - Includes practical answers to questions about passkeys, such as how to select a passkey solution, how to generate buy-in, and what other considerations organizations may need to think about (e.g., technology limitations, privacy implications, recovery processes)
- Overview slides (download the PowerPoint file) - Covers key points, including the benefits of passkeys and some of the lessons and success factors we identified during our journey
- Rollout template (download the Excel file) - Contains project management tools such as a stakeholder RACI matrix, phased milestone tracker, readiness checklist, and common support scenarios for helpdesk teams