From Passwords to Passkeys: 5 Things to Watch Out

Passkeys have gone from a niche curiosity to mainstream rollout in the span of a couple of years. Google, Apple, Microsoft, GitHub, and several other SaaS vendors all support passkeys now. The pitch is simple: replace the password with a cryptographic key pair tied to your device, and phishing becomes significantly more difficult. No shared secret, nothing to leak in a breach.

That position is largely accurate. But passkeys aren't a drop-in replacement, and organizations that treat them as one tend to learn this the hard way. Here are five things worth thinking through before you start the rollout.

1. User Education is Harder Than it Looks

The technical aspects of passkeys are invisible to end users by design - you tap your fingerprint, the browser handles the rest. Easy peasy. However, a user who's never understood passkeys has no mental model for why they can't log in after switching phones, or why their passkey registered on Chrome does not work on Safari. Educating users about the mechanics of passkeys and providing clear instructions on setup and usage across different platforms and devices is crucial for ongoing peace of mind. Every user should know the answer to a simple question: what do I do if I get locked out?

Here are some considerations to ease passkey adoption:

• Develop comprehensive training materials, including video tutorials, step-by-step guides, and FAQs, to help users understand passkeys and how to use them effectively.
• Leverage internal communication channels, such as email campaigns, intranet portals, and town hall meetings, to raise awareness about the transition to passkeys and their advantages.
• Implement a phased rollout approach, starting with a pilot group or specific departments, to gather feedback and refine the educational materials before organization-wide deployment.
• Provide dedicated support resources, such as a help desk or knowledgeable champions within each department, to assist users with passkey setup and troubleshooting.

2. Cross-Platform Support is Still Uneven

While passkeys are designed to be a cross-platform solution, the implementation and support across different operating systems, browsers, and devices may vary. Synced passkeys via iCloud Keychain and Google Password Manager work well within their respective ecosystems - crossing between them is where things get awkward. Organizations must assess whether their existing systems and applications are compatible with passkeys or if modifications are necessary.

Here are some considerations to improve passkey compatibility:

• Continuously monitor and track WebAuthn support across different platforms, browsers, and device types used within your organization.
• Develop and maintain a compatibility matrix to help users understand which devices and browsers are fully supported for passkey authentication.
• Implement fallback authentication mechanisms, such as one-time passcodes or security keys, for scenarios where passkey support is limited or unavailable.
• Work closely with device manufacturers, platform providers, and browser vendors to stay informed about their WebAuthn roadmaps and provide feedback on your organization's specific requirements.

3. Device Loss and Account Recovery is a Real Problem

With passwords, a reset flow is annoying but well-understood. With passkeys, a lost or wiped device can mean a locked account. This makes account recovery and backup mechanisms crucial to prevent users from being permanently locked out of their accounts if they lose their devices or face other issues. Organizations should assess the security guarantees offered by different types of devices, and implement robust account recovery processes.

Here are some considerations to manage passkey usage:

• Require users to register at least two passkeys, where supported.
• Implement a secure backup and recovery mechanism for passkeys to enable users to restore their credentials on new devices.
• Establish alternative account recovery procedures, such as using secondary authenticators or predefined recovery questions.
• Provide clear guidelines for users on how to backup and recover their passkeys, as well as the steps to follow in case of a lost or stolen device.
• Integrate passkey recovery processes into your organization's existing account management and support workflows to ensure a consistent experience.

4. Passkeys Don't Eliminate Phishing, They Reshape It

This one is widely misunderstood. While passkeys offer improved security against traditional password-based attacks, they are not immune to social engineering attacks. Users can still be socially engineered into registering a new passkey on an attacker-controlled device, or into approving an authentication request they didn't initiate. User training needs to reflect this: the threat is no longer "don't type your password into fake sites," it's "don't approve auth requests you didn't trigger."

Here are some considerations to improve passkey threat model:

• Implement regular training sessions to educate users about the risks of phishing and social engineering attacks specifically related to passkeys.
• Conduct regular simulated phishing exercises to test user awareness and resilience against passkey-related phishing attempts.
• Ensure that all APIs handling passkey operations are secure, with strong authentication, authorization, and encryption mechanisms.
• Design passkey interfaces with clear, unambiguous indicators showing the legitimacy of authentication or registration requests.
• Implement confirmation prompts that require users to verify key details of the request, such as the website's URL, before approving passkey operations.
• Integrate passkeys with additional MFA methods, such as biometrics or hardware tokens, to provide layered security.
• Use contextual MFA, which adjusts the required authentication factors based on risk assessment.

5. The Migration and Co-Existence Period is the Hardest

For most organizations, the migration to passkeys will be a gradual process, and they will need to support both passwords and passkeys during the transition period. That coexistence introduces complexity — particularly around session management, account recovery paths, and audit logging — that's easy to underestimate. Prioritize high-risk systems first (admin access, privileged accounts, anything with access to sensitive data), and plan for the long tail.

Here are some considerations to implement passkeys successfully:

• Conduct a thorough audit of your existing authentication infrastructure, applications, and workflows, to identify integration points for passkey support.
• Prioritize the integration efforts based on the criticality of the systems and the potential security impact of migrating to passkeys.
• Leverage existing identity and access management (IAM) solutions and authentication frameworks that support WebAuthn and passkey integration.
• Adopt a modular approach to passkey integration, allowing for gradual rollout and minimizing disruptions to existing systems and workflows.
• Establish a dedicated team or working group to oversee the integration efforts, coordinate with different stakeholders, and ensure consistent implementation across the organization.