Passkey security sidesteps many of the end-user and cybersecurity issues that plague traditional passwords. Learn how to successfully deploy passkeys in your organization.
CISOs know that the human element can be the weakest link in an enterprise's cybersecurity defenses, often surfacing when end users create weak passwords that threat actors easily crack. Seeking a stronger alternative, security teams are increasingly turning to passkeys.
Unlike passwords, which end users create and must remember, passkeys are cryptographic credentials generated on the user's device and managed as part of an identity and access management (IAM) strategy. Each passkey is a public/private key pair: the private key stays on the device -- a phone, laptop or hardware security key -- and is unlocked locally with a biometric or device PIN, while the service being accessed stores only the public key. At login, the service sends a challenge and the device returns a signature over it; no shared secret and no biometric data leave the device, so there is nothing reusable for a breached server to expose.
Passwords vs. passkeys: A safer option
Beyond providing an alternative to weak passwords, passkeys are significantly harder to capture through social engineering tactics such as phishing. A passkey is bound to the domain of the site that registered it, so a browser or platform will not present it to a lookalike domain, and because the device only ever signs a fresh challenge, a phishing page has no reusable secret to harvest or replay.
Offering options such as fingerprint access and device PINs, passkeys streamline logins and avoid the extra steps required by many security tools. Even as they enhance access security, passkeys keep the login process simple. Users don't have to remember complicated passwords or navigate constant password changes.
Through the use of digital authentication, passkeys are an effective option to eliminate the inherent weaknesses -- in terms of both security and ease of use -- of passwords.
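The mechanics behind the preceding paragraphs, as an added example that is not from the original article: a self-contained Go simulation of a FIDO2/WebAuthn passkey login with all three parties in one file. The authenticator holds the private key and signs a fresh challenge; the browser refuses to act unless the requesting RP ID matches the page's domain and records the true origin in clientDataJSON; the relying party stores only the public key and checks origin, challenge freshness, RP ID hash, the user-verification flag and the signature. The type and function names (Authenticator, ClientData, RelyingParty), the example.com and lookalike domains, and the simplified authenticator data (no signature counter, no attestation) are assumptions for illustration; a production relying party should use a maintained WebAuthn library rather than this code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding.EncodeToString

// Assertion is what the relying party (RP) receives from the browser at login.
type Assertion struct {
	AuthData []byte // sha256(rpID) || flags (the signature counter is omitted here)
	ClientJS []byte // clientDataJSON {"type","challenge","origin"}, written by the browser
	Sig      []byte // ECDSA P-256 over sha256(AuthData || sha256(ClientJS))
}

// Authenticator models a platform authenticator holding one passkey (illustrative):
// the private key never leaves it and is bound to the RP ID it was created for.
type Authenticator struct{ priv *ecdsa.PrivateKey; rpID string }

// Create is registration: generate a key pair for rpID and hand back only the public half.
func Create(rpID string) (*Authenticator, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv, rpID}, &priv.PublicKey
}

func signedDigest(authData, clientJS []byte) []byte {
	cdHash := sha256.Sum256(clientJS)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Get signs the challenge. Flags 0x05 = user present + user verified: the
// biometric or PIN check happens on the device and is never transmitted.
func (a *Authenticator) Get(clientJS []byte) (Assertion, error) {
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := append(rpHash[:], 0x05)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, clientJS))
	return Assertion{authData, clientJS, sig}, err
}

// ClientData does the browser's part of navigator.credentials.get(): refuse unless
// rpID is the page's host or a registrable suffix of it (a lookalike domain cannot
// even ask for the real site's credential), then record the true origin itself.
func ClientData(origin, rpID string, challenge []byte) ([]byte, error) {
	host := strings.TrimPrefix(origin, "https://")
	if host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return nil, fmt.Errorf("browser: RP ID %q is not valid for origin %q", rpID, origin)
	}
	return json.Marshal(map[string]string{"type": "webauthn.get", "challenge": b64(challenge), "origin": origin})
}

// RelyingParty stores only a public key and single-use challenges, so a breach
// of this store gives an attacker nothing to log in with.
type RelyingParty struct {
	ID, Origin string
	Pub        *ecdsa.PublicKey
	Pending    map[string]bool
}

func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	rp.Pending[b64(c)] = true
	return c
}

// Verify runs the RP-side checks of the WebAuthn assertion procedure.
func (rp *RelyingParty) Verify(as Assertion) error {
	cd := map[string]string{}
	if json.Unmarshal(as.ClientJS, &cd) != nil || cd["type"] != "webauthn.get" {
		return errors.New("malformed clientDataJSON")
	}
	if cd["origin"] != rp.Origin {
		return fmt.Errorf("origin mismatch: %q", cd["origin"])
	}
	if !rp.Pending[cd["challenge"]] {
		return errors.New("unknown or reused challenge")
	}
	delete(rp.Pending, cd["challenge"]) // single use: a captured assertion cannot be replayed
	rpHash := sha256.Sum256([]byte(rp.ID))
	if len(as.AuthData) < 33 || string(as.AuthData[:32]) != string(rpHash[:]) || as.AuthData[32]&0x04 == 0 {
		return errors.New("rpIdHash mismatch or user verification not performed")
	}
	if !ecdsa.VerifyASN1(rp.Pub, signedDigest(as.AuthData, as.ClientJS), as.Sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	auth, pub := Create("example.com")
	rp := &RelyingParty{ID: "example.com", Origin: "https://login.example.com", Pub: pub, Pending: map[string]bool{}}
	js, _ := ClientData(rp.Origin, rp.ID, rp.Challenge())
	as, _ := auth.Get(js)
	_, phish := ClientData("https://login.example.com.evil.test", rp.ID, rp.Challenge())
	fmt.Println("login:", rp.Verify(as), "| replay:", rp.Verify(as), "| lookalike:", phish)
}
```

Run with go run: the legitimate login verifies, the same assertion replayed is rejected because the challenge is single-use, and the lookalike domain never obtains an assertion at all. Even if the browser-side check were somehow bypassed, an assertion whose clientDataJSON names another origin fails at the relying party. What the protocol does not provide is a path back in when the device holding the key is lost, which is why the recovery processes discussed later matter.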
The rise of enterprise passkeys
A FIDO Alliance survey of 400 security decision-makers found that 87% of companies are implementing passkeys.
One driving force behind the transition is the increased emphasis on a zero-trust security approach, in which entities are denied access to enterprise resources until authenticated and verified.
Another reason passkeys are becoming more popular is that enterprises are under constant pressure to meet regulatory requirements and strengthen digital identity security. Passkeys deliver phishing-resistant, multi-factor authentication, and the identity platform that issues and verifies them supplies the audit trails needed to prove compliance.
Most advanced identity management systems work with passkey technology, including mobile authenticators and biometric scanners. This provides another verification point, vital for organizations using mobile and cloud platforms, while requiring stronger controls than conventional passwords offer. A passkey unlocked with a biometric or PIN already combines two factors -- possession of the device and the user verification that releases the key -- so it satisfies most MFA policies on its own, and it can be layered with additional checks, such as device compliance, where policy requires.
Mapping a successful passkey deployment
Security decision-makers must choose whether to deploy enterprise or consumer passkeys, or both.
Enterprise passkeys are typically used for internal employees, contractors and partners who need access to confidential or high-value resources. It is crucial that enterprise passkeys work with existing infrastructure and policies, including single sign-on, management tools, corporate devices and policy enforcement.
Consumer passkeys are primarily for external users, including customers and subscribers. Internal end users might also need consumer passkeys to access external digital platforms. Ease of use is a major consideration during login and password resets, but the emphasis should be on interoperability and privacy.
In a hybrid passkey environment, some internal passkey users might use consumer passkeys to access external platforms or services that require them, such as SaaS tools or collaboration platforms. Seamless integration between enterprise and consumer systems can simplify UX and enhance security.
Planning a phased rollout
CISOs should consider a phased approach to passkey deployment. Pilot the implementation with a small group to measure UX and validate the technical setup. Follow with a broader rollout, extending passkeys to other groups while continuing to track UX and confirming passkey security.
Start with higher risk groups -- executives, IT administrators and personnel with access to sensitive systems -- before rolling out passkeys to all employees.
If contractors and third-party partners need to access enterprise resources, whether using a corporate-issued or personal device, consider more stringent and granular passkey policies.
For customers and subscribers, assess risk profiles, geographic locations, regulatory requirements and transaction volume.
Ultimately, the result is full deployment in which passkeys are the default authentication system for everyone.
How to evaluate passkey providers
Before selecting a passkey provider, conduct an internal needs assessment that accounts for authentication requirements, user base, compliance needs, critical applications and IT infrastructure. Involve compliance teams and business leadership. Once completed, build a short list of providers based on technical requirements, support offerings and reputation. Demos, limited pilot deployments, reference accounts and reviews can all help determine which vendors make this list.
Other considerations include the following:
Support of industry standards, including FIDO2 and WebAuthn.
Protection of private keys: hardware-backed storage on the device, end-to-end encryption for passkeys that sync across devices, and attestation where policy requires knowing which authenticator model holds a key.
MFA support.
Streamlined integration with existing systems.
Passkey functionality across platforms and devices.
Cost structure for subscription or license models.
Scalability as operational requirements shift.
How to deploy enterprise passkeys
As with any significant security deployment, CISOs and IT and security teams must plan for a passkey implementation.
Step 1. Review existing IAM strategy
Deployment starts with assessing current IAM technologies to identify where passkey integration makes sense. CISOs and their teams should look at access privileges and authentication methods in the context of business operations. Are privileges too broad? Are authentication processes adequate to meet regulatory requirements? What changes are needed to ensure a smooth passkey deployment? Do policies and practices align with business objectives?
Step 2. Leadership alignment
CISOs and their teams need to engage with stakeholders across lines of business to find champions and secure funding. C-level backing is key for both immediate budgetary needs and long-term security initiatives.
Step 3. Update access tools
Organizations that are not already using MFA should deploy mechanisms, such as biometrics or mobile- or hardware-based MFA, before adopting passkeys. This acclimates end users to new login processes that will be extended once passkeys are adopted. It also gives security teams the opportunity to test various authentication methods before deploying passkeys.
Step 4. Infrastructure assessment
For many organizations, managed authentication services are the right choice to automate provisioning, reset credentials and implement self-service features. CISOs and teams need to assess their infrastructure to determine the levels of data protection, endpoint encryption and device management. Re-examine data loss prevention rules to identify any required updates after passkeys are deployed.
Passkey adoption hurdles
Obstacles to successful passkey deployments on the technology side include incompatibility with legacy systems: some applications, devices and infrastructure do not support FIDO2/WebAuthn, and upgrading them can be costly and complex. Lockouts are another issue with passkey rollouts, since a user whose only passkey lives on a lost or replaced device has no way to sign in. Teams should put backup, recovery and fallback authentication processes in place to prevent this, and should make those recovery paths as phishing-resistant as the passkey itself, because a weak reset flow becomes the attacker's new way in.
CISOs might also encounter resistance from end users. Clearly communicated instructions and demonstrations, with ongoing support, can smooth the enrollment process.
The successful passkey deployment
Gauge the early success of a passkey deployment through its use. For example, monitor the percentage of eligible users enrolling a passkey.
Remember, however, that the true measure of success hinges on the IT and security benefits passkeys deliver. In time, the support desk should see a decline in password reset requests and, eventually, security teams should be able to report fewer credential-related incidents, such as phishing and account takeovers. With today's threat landscape, that makes for a safer environment to conduct business.
Amy Larsen DeCarlo has covered the IT industry for more than 30 years, as a journalist, editor and analyst. As a principal analyst at GlobalData, she covers managed security and cloud services.