
Passkeys in Identity: Passwordless that actually works

Ronnie Manning, Chief Brand Advocate, Yubico

Passwords have had a long run, but let’s be honest, they are the weakest link in identity and access management. They frustrate users, drain IT budgets and are far too easy for attackers to exploit. After years of patchwork fixes, we finally have something better: passkeys.

Passkeys represent one of the most exciting shifts in authentication because they combine stronger security with a smooth user experience. Passkeys are starting to appear everywhere, from consumer apps to social media and within the enterprise, including IAM platforms. As promising as they are, it’s important to know that there are different kinds of passkeys, and if organizations don’t deploy them thoughtfully, they are not getting all of the benefits and protection that they need.

Most people’s first encounter with passkeys is probably the “synced” variety, where credentials are stored in a cloud account and copied across the user’s devices. These are convenient and practical for everyday scenarios, but they rely heavily on the security of the underlying sync process and of the user’s account that manages it. For high-risk individuals or organizations with strict compliance requirements, that dependency introduces serious concerns.

By contrast, “device-bound” passkeys never leave the hardware that they are created on. That means no cloud syncing, no duplication and no easy path for phishing or account takeover. Device-bound passkeys can live on a phone or laptop, but the strongest option is a dedicated hardware security key, which offers a portable, cross-platform, easy-to-use and reliable experience.

The strength of an IAM strategy within an enterprise depends not only on what’s enabled, but also on what’s left behind. We are seeing more and more instances where weak recovery methods such as username and password, SMS codes, authenticator apps or push notifications are allowed within the enterprise. Attackers know this and simply downgrade their attacks to target the weakest authentication option in the chain. That’s why recovery has become the Achilles’ heel of many passkey and passwordless deployments. Eliminating those fallback methods is just as important as adopting passkeys in the first place. The backup used for account recovery must be at the same security level as the primary authenticator.

For CIOs and CISOs, this is where strategy and governance come into play. It’s not enough to check the box that says “supports passkeys.” Enterprise security demands configurability and control. That means a best practice of enforcing device-bound passkeys, requiring them for applications outside the single sign-on perimeter, disabling synced passkeys in enterprise contexts and using hardware-backed passkeys as the recovery root of trust. As mentioned before, it also means removing every non-passkey fallback option. The organizations that take this approach not only harden their defenses but also see practical benefits: fewer recovery issues, lower help desk costs and greater resilience against phishing.
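The policy above (accept device-bound passkeys, refuse synced ones) can be enforced by the relying party at registration time. The following is an added example, not Yubico’s code: it parses the WebAuthn authenticator data and rejects any credential whose BE (backup eligible) or BS (backup state) flag is set, since those mark a passkey that can be synced through a cloud account. The relying party ID `example.com` and the sample authenticator data are constructed for the example.

```python
import hashlib
import struct

# Flag bits of the WebAuthn authenticator data flags byte (WebAuthn Level 3).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential can be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data (AAGUID, credential ID, key) follows

def parse_auth_data(data: bytes) -> dict:
    """Parse the fixed 37-byte header and, if present, the AAGUID and credential ID."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    out = {"rp_id_hash": data[:32], "flags": data[32],
           "sign_count": struct.unpack(">I", data[33:37])[0],
           "aaguid": None, "credential_id": None}
    if out["flags"] & FLAG_AT:
        out["aaguid"] = data[37:53]
        cred_len = struct.unpack(">H", data[53:55])[0]
        out["credential_id"] = data[55:55 + cred_len]
        # The COSE public key (CBOR) follows; this policy check does not need it.
    return out

def check_device_bound(data: bytes, rp_id: str) -> tuple:
    """Return (accepted, reason) for a registration response under the device-bound policy."""
    ad = parse_auth_data(data)
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not ad["flags"] & FLAG_UV:
        return False, "user verification required"
    if ad["flags"] & (FLAG_BE | FLAG_BS):
        return False, "synced passkey (backup eligible); policy requires device-bound"
    return True, "device-bound passkey accepted"

def sample_auth_data(rp_id: str, flags: int, cred_id: bytes = b"\x11" * 16) -> bytes:
    """Constructed sample authenticator data for offline testing (not a real capture)."""
    blob = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 1)
    if flags & FLAG_AT:
        blob += b"\x00" * 16 + struct.pack(">H", len(cred_id)) + cred_id  # zero AAGUID
    return blob

# Hardware security key: UP, UV, attested credential data, no backup flags.
HARDWARE_KEY = sample_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_AT)
# Synced passkey: same, but backup eligible and currently backed up.
SYNCED_PASSKEY = sample_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT)

if __name__ == "__main__":
    for name, blob in (("hardware key", HARDWARE_KEY), ("synced passkey", SYNCED_PASSKEY)):
        print(name, check_device_bound(blob, "example.com"))
```

Authenticators that predate the BE/BS flags report both as zero and therefore pass this check; the parsed AAGUID can additionally be matched against an allowlist of approved hardware security key models.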

It’s important to note that the responsibility doesn’t fall on the deployment within the enterprise alone. Identity providers, product creators and software engineers who build MFA support across the broad range of applications and services also have a critical role. If you’re building a banking app, a government portal or a SaaS platform, the decision to support or block “device-bound” passkeys on hardware security keys is effectively a decision about who gets access to the strongest level of protection. And the truth is, it often takes more effort to block hardware security keys than it does to support them.

The benefits of getting passkey implementations right are substantial. Every user across an organization is delivered modern, phishing-resistant MFA and cost-efficient recovery processes. High-risk users gain a lifeline against targeted attacks. Every individual or organization can become “at risk” overnight and a security breach or successful phishing attack can change the threat landscape in an instant. Having flexible, device-bound passkeys available as a primary option provides peace of mind and a path to stronger protection when it’s needed most.

The larger point here is that authentication should never be rigid or one-size-fits-all. It has to be flexible, adaptable and inclusive. Enterprises need the ability to set policies that match their threat landscape. Product leaders need to give their users options instead of defaulting to the lowest common denominator and having to settle for weak recovery methods or security shortcuts.

Passkeys represent our best chance yet to say goodbye to passwords and strengthen the IAM landscape. But success isn’t automatic; it depends on how we implement them, the policies we enforce and the choices we make for resilience. If we get it right, in the coming years passwordless won’t just be a vision; it will be a reality that actually works for everyone.
