Password-based authentication poses significant risks: it is vulnerable to phishing attacks, suffers from weak and reused passwords, and struggles to meet the growing demands of IT security. Traditional access methods are therefore considered insecure and difficult to scale. Passkeys now offer companies a modern, user-friendly, and significantly more secure approach. Passkeys are based on the FIDO2 standard and enable completely passwordless authentication without sacrificing flexibility or control.
While many platforms and devices now support passkeys, integrating them into existing corporate infrastructures is by no means trivial. Both technical requirements (e.g., device security, authentication interfaces) and organizational and procedural aspects must be taken into account in order to introduce passkeys in a meaningful, secure, and sustainable manner.
The aim of this article is to provide a structured overview of the most important requirements for introducing passkeys in a corporate environment. From the technological basis to system integration and user acceptance, this guide is intended to help those responsible for IT, security, and digitalization make informed decisions and identify and avoid typical stumbling blocks at an early stage.
The integration of passkeys requires a basic understanding of the underlying technologies. Two key components here are FIDO2 and WebAuthn. Both form the technological basis for secure, user-friendly, and phishing-resistant authentication.
FIDO2 is an open authentication standard developed by the FIDO Alliance in collaboration with the World Wide Web Consortium (W3C). It consists of two components:
FIDO2 replaces the classic password with an asymmetric key pair:
The private key remains securely on the user's device, while the public key is stored with the service. This largely eliminates classic attack scenarios such as phishing, credential stuffing, or brute force attacks.
WebAuthn is the technical framework through which passkeys are integrated into web applications. Using JavaScript-based APIs, developers can implement login, registration, or authorization processes directly in the browser with passkeys.
Important features of WebAuthn in a business context:
For companies, this means that an existing web application can be made passkey-enabled with relatively little effort, provided that the backend infrastructure and authentication server support this.
For passkeys to function securely and scalably within a company, a suitable authentication server is required. This server manages the public keys, orchestrates the authentication flows, and ideally integrates seamlessly into existing identity and access systems.
Examples of established solutions in the enterprise environment:
These services not only handle authentication, but often also manage user identities, device binding, recovery scenarios, and auditing.
Understanding technology, checking compatibility
Before passkeys can be introduced company-wide, IT managers should use a checklist to check whether the company is ready for them. Only if the technological foundations are in place can passkey integration be implemented reliably, securely, and in a user-friendly way.
Download checklist "Is my company ready for passkeys?"
The technical feasibility and acceptance of passkey integration depends entirely on the compatibility of the end devices and platforms used. Modern authentication with passkeys is based on local security elements such as TPM (Trusted Platform Module) chips or Secure Enclaves and therefore requires certain minimum hardware and software environment requirements.
All major operating systems and platform providers have now integrated support for passkeys or FIDO2/WebAuthn. However, the specific implementations, management options, and cross-device functions differ:
Note: Cross-platform use of passkeys is possible in principle, but requires cloud-based synchronization services (e.g., iCloud, Google Sync) or hardware-based solutions such as security keys.
To use passkeys as a platform authenticator, the device must have certain security features. Key requirements include:
For IT departments, this means that they need to carry out a device compatibility check and, if necessary, gradually replace older end devices or retrofit them with external authenticators.
Authenticator types: Platform-based or external
Passkeys can be provided via various types of authenticators. Choosing the right type depends on security requirements, user profiles, and administrative effort.
| Authenticator type | Description | Benefits | Restrictions |
|---|---|---|---|
| Platform authenticator | Built into the device (e.g., Windows Hello, Face ID) | User-friendly, no additional device required | Device-specific, limited recovery |
| Roaming authenticator | External device such as YubiKey or Titan Key | Cross-platform, high level of security | Requires physical carrying |
| Cloud-synchronized passkeys | Stored in Google/Apple account, available on multiple devices | Cross-device usage, convenient onboarding | Dependence on the ecosystem (vendor lock-in) |
A successful introduction of passkeys in a company begins with an inventory of the device fleet. The following questions need to be clarified:
A targeted combination of compatible hardware, clearly defined authenticators, and a device management concept creates the basis for secure and scalable passkey use in the company.
Download "Device checklist: Prerequisites for using passkeys"
| Criterion | Platform authenticator (e.g., Windows Hello, Face ID) | Roaming authenticator | Cloud-synchronized passkeys |
|---|---|---|---|
| User-friendliness | High | Medium (device required) | High |
| Platform independence | Device-dependent | High | Medium (depending on cloud provider) |
| Level of security | High | Very high | High, but dependent on cloud access security |
| Use without an internet connection | Possible | Possible | Not without sync service |
| Administrability within the company | Can be integrated into MDM | Via hardware management | Restricted via third-party platforms |
| Recovery/backup strategies | Device-based, local | Physical backup possible | Cloud backup available |
| Compliance & data protection | Managed locally | Local administration | Depending on the cloud provider and hosting location |
| Expenses | Low (integrated into device) | Additional costs per device | No direct hardware costs |
| Exemplary application scenarios | Office workplace, internal apps | Admins, developers, regulated industries | Sales, field service, BYOD users |
Recommendations for selecting authenticator types

| Requirements within the company | Recommended authenticator type |
|---|---|
| Maximum security & portability | Roaming authenticator (e.g., security key) |
| Low barriers to entry, high level of comfort | Platform authenticator (e.g., fingerprint sensor in the device) |
| Flexible use on multiple devices | Cloud-synchronized passkeys |
| Combination of security and convenience | Hybrid model: platform + roaming authenticator |

Practical tip:
Simply supporting passkeys in devices and applications is only part of the challenge. Comprehensive integration into the existing IT infrastructure is crucial for sustainable and secure implementation in the enterprise. Identity and access management (IAM) is particularly important here. Aspects such as compatibility, scalability, and governance must be carefully planned and implemented.
Functional identity and access management (IAM) is a prerequisite for the effective use and management of passkeys in the enterprise. IAM systems form the bridge between users, applications, and authentication technologies.
Typical requirements for IAM systems for passkey integration:
- Ability to register and manage passwordless login methods
- Device binding & registration: traceability, management of multiple devices per user
- Role- and policy-based access control: integration of passkeys into existing policies
- Self-service functions: user-friendly management, recovery options, device change
| Provider / System | Passkey compatibility | Special features |
|---|---|---|
| Microsoft Entra ID (formerly Azure AD) | Fully integrated | Native FIDO2 support, deep M365/Windows integration |
| Okta | Via WebAuthn / Auth0 | Flexible, API-based, good for hybrid scenarios |
| SAP IDM | Possible via extensions | Adjustments necessary, especially for legacy systems |
| ForgeRock, Ping Identity | Support WebAuthn | Suitable for complex, highly secure environments |

SoftGuide template for an integration checklist, "Passkey introduction into existing infrastructure", available for download.
Passkeys can be used in different integration models. The choice of model depends on the type of application, the target group, and the desired level of security.
Table with integration models

| Model | Description | Suitability |
|---|---|---|
| Passkey-only | Full passwordless login with local or synchronized key | For modern web applications with good UX |
| Passkey + password (step-up) | User logs in with password, then passkey is used as second factor | For migration or sensitive actions |
| Passkey as an additional login method | Users can choose between a password and a passkey | For transition phases and BYOD environments |
| Identifier-first login | First enter the user name, then decide based on the available factor (passkey, password, etc.) | For dynamic authentication with flexibility |
| Cross-device passkey login | User authenticates on device A (e.g., smartphone) to log in on device B (e.g., desktop) | For cross-device use in the home office or in the field |
A consistent login experience across all devices significantly increases acceptance, especially when users can utilize familiar elements such as biometric login or smartphones.
The introduction of passkeys brings a significant increase in authentication security when designed with recovery strategies, platform changes, and compatibility with existing procedures in mind. A systematic look at security mechanisms, backup solutions, and interoperability is crucial for stability and long-term usability in a corporate context.
Passwordless login using passkeys is based on asymmetric cryptography, where the private key remains stored on the device. If this device is lost or replaced, it must be ensured that access is not permanently blocked.
Table with important backup strategies in the corporate environment

| Method | Description | Suitability | Risks / Notes |
|---|---|---|---|
| Cloud synchronization | Automatic backup via Apple iCloud or Google Password Manager | BYOD, mobile employees | Depends on the provider; check data protection |
| Registration of multiple devices | Users can activate a passkey on multiple devices | For larger workforces with notebooks and smartphones | Higher initial setup costs |
| Backup authenticator | Additional hardware key as a backup | High-security areas | Requires careful management |
| Self-service recovery | IT-supported device replacement with identity verification | Internal user management | Technically complex, but controllable |
The integration of passkeys marks an important milestone on the path to modern, user-friendly, and secure authentication in the corporate environment. Not only does it solve the password problem, but FIDO2 and WebAuthn also offer a technologically robust, phishing-resistant standard that is already available across platforms today.
However, for this technology to reach its full potential, a number of prerequisites must be met, both at the technical level (e.g., device security, protocol support, authentication server) and at the organizational level (e.g., migration strategy, training, IAM connection).
Passkeys are not an isolated technology, but part of a strategic shift in identity management. When implemented correctly, they not only strengthen IT security, but also improve the user experience and reduce administrative overhead in the company in the long term.