{"id":24451,"date":"2025-07-28T19:22:30","date_gmt":"2025-07-28T15:22:30","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/passkey-enterprise-readiness-pros-cons\/24451\/"},"modified":"2025-07-28T19:22:30","modified_gmt":"2025-07-28T15:22:30","slug":"passkey-enterprise-readiness-pros-cons","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/passkey-enterprise-readiness-pros-cons\/24451\/","title":{"rendered":"Are passkeys enterprise-ready?"},"content":{"rendered":"<p>Every major tech giant touts passkeys as an effective, convenient password replacement that can end phishing and credential leaks. The core idea is simple: you sign in with a cryptographic key that\u2019s stored securely in a special hardware module on your device, and you unlock that key with biometrics or a PIN. We\u2019ve already covered the current state of passkeys for home users in detail across two articles (on <a href=\"https:\/\/www.kaspersky.com\/blog\/full-guide-to-passkeys-in-2025-part-1\/53688\/\" target=\"_blank\" rel=\"noopener nofollow\">terminology and basic use cases<\/a> and <a href=\"https:\/\/www.kaspersky.com\/blog\/full-guide-to-passkeys-in-2025-part-2\/53724\/\" target=\"_blank\" rel=\"noopener nofollow\">more complex scenarios<\/a>). However, businesses have entirely different requirements and approaches to cybersecurity. So, how good are passkeys and <a href=\"https:\/\/en.wikipedia.org\/wiki\/WebAuthn\" target=\"_blank\" rel=\"nofollow noopener\">FIDO2 WebAuthn<\/a> in a corporate environment?<\/p>\n<h2>Reasons for companies to switch to passkeys<\/h2>\n<p>As with any large-scale migration, making the switch to passkeys requires a solid business case. 
On paper, passkeys tackle several pressing problems at once:<\/p>\n<ul>\n<li>Lower the risk of breaches caused by stolen legitimate credentials \u2014 phishing resistance is the top advertised benefit of passkeys.<\/li>\n<li>Strengthen defenses against other identity attacks, such as brute-forcing and credential stuffing.<\/li>\n<li>Help with compliance. In many industries, regulators mandate the use of robust authentication methods for employees, and passkeys usually qualify.<\/li>\n<li>Reduce costs. If a company opts for passkeys stored on laptops or smartphones, it can achieve a high level of security without the extra expense of USB devices, smart cards, and their associated management and logistics.<\/li>\n<li>Boost employee productivity. A smooth, efficient authentication process saves every employee time daily and reduces failed login attempts. Switching to passkeys usually goes hand in hand with getting rid of the universally loathed regular password changes.<\/li>\n<li>Lighten the helpdesk workload by decreasing the number of tickets related to forgotten passwords and locked accounts. (Of course, other types of issues pop up instead, such as lost devices containing passkeys.)<\/li>\n<\/ul>\n<h2>How widespread is passkey adoption?<\/h2>\n<p>A <a href=\"https:\/\/fidoalliance.org\/new-fido-alliance-research-shows-87-percent-us-uk-workforces-are-deploying-passkeys-for-employee-sign-ins\/\" target=\"_blank\" rel=\"nofollow noopener\">FIDO Alliance report<\/a> suggests that <strong>87%<\/strong> of surveyed organizations in the US and UK have either already transitioned to using passkeys or are currently in the process of doing so. However, a closer look at the report reveals that this impressive figure also includes the familiar enterprise options like smart cards and USB tokens for account access. Although some of these are indeed based on WebAuthn and passkeys, they\u2019re not without their problems. 
They\u2019re quite expensive and create an ongoing burden on IT and cybersecurity teams related to managing physical tokens and cards: issuance, delivery, replacement, revocation, and so on. As for the heavily promoted solutions based on smartphones and even cloud sync, 63% of respondents reported using such technologies, but the full extent of their adoption remains unclear.<\/p>\n<p>Companies that transition their entire workforce to the new tech are few and far between. The process can get both organizationally challenging and just plain expensive. More often than not, the rollout is done in phases. Although pilot strategies may vary, companies typically start with those employees who have access to IP (39%), IT system admins (39%), and C-suite executives (34%).<\/p>\n<h2>Potential obstacles to passkey adoption<\/h2>\n<p>When an organization decides to transition to passkeys, it will inevitably face a host of technical challenges. These alone could warrant their own article. But for this piece, let\u2019s stick to the most obvious issues:<\/p>\n<ul>\n<li>Difficulty (and sometimes outright impossibility) of migrating to passkeys when using legacy and isolated IT systems \u2014 especially on-premises Active Directory<\/li>\n<li>Fragmentation of passkey storage approaches within the Apple, Google, and Microsoft ecosystems, complicating the use of a single passkey across different devices<\/li>\n<li>Additional management difficulties if the company allows the use of personal devices (BYOD), or, conversely, has strict prohibitions such as banning Bluetooth<\/li>\n<li>Ongoing costs for purchasing or leasing tokens and managing physical devices<\/li>\n<li>Specific requirement of non-syncable hardware keys for high-assurance-with-attestation scenarios (and even then, not all of them qualify \u2014 <a href=\"https:\/\/media.fidoalliance.org\/wp-content\/uploads\/2022\/03\/FIDO-White-Paper-Choosing-FIDO-Authenticators-for-Enterprise-Use-Cases-RD10-2022.03.01.pdf\" 
target=\"_blank\" rel=\"nofollow noopener\">the FIDO Alliance provides specific recommendations<\/a> on this)<\/li>\n<li>Necessity to train employees and address their concerns about the use of biometrics<\/li>\n<li>Necessity to create new, detailed policies for IT, cybersecurity, and the helpdesk to address issues related to fragmentation, legacy systems, and lost devices (including issues related to onboarding and offboarding procedures)<\/li>\n<\/ul>\n<h2>What do regulators say about passkeys?<\/h2>\n<p>Despite all these challenges, the transition to passkeys may be a foregone conclusion for some organizations if required by a regulator. Major national and industry regulators generally support passkeys, either directly or indirectly:<\/p>\n<p>The <a href=\"https:\/\/pages.nist.gov\/800-63-4\/\" target=\"_blank\" rel=\"nofollow noopener\">NIST SP 800-63<\/a> Digital Identity Guidelines permit the use of \u201csyncable authenticators\u201d (a definition that clearly implies passkeys) for Authenticator Assurance Level 2, and device-bound authenticators for Authenticator Assurance Level 3. Thus, the use of passkeys confidently checks the boxes during ISO 27001, HIPAA, and SOC 2 audits.<\/p>\n<p>In its commentary on DSS 4.0.1, the PCI Security Standards Council explicitly <a href=\"https:\/\/www.pcisecuritystandards.org\/faq\/articles\/Frequently_Asked_Question\/are-passkeys-synced-across-devices-implemented-according-to-the-fido2-requirements-acceptable-for-use-as-phishing-resistant-authentication-to-meet-pci-dss-requirement-8-4-2\/\" target=\"_blank\" rel=\"nofollow noopener\">names FIDO2<\/a> as a technology that meets its criteria for \u201cphishing-resistant authentication\u201d.<\/p>\n<p>The <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=celex%3A32015L2366\" target=\"_blank\" rel=\"nofollow noopener\">EU Payment Services Directive 2<\/a> (PSD2) is written in a technology-agnostic manner. 
However, it requires Strong Customer Authentication (SCA) and the use of Public Key Infrastructure based devices for important financial transactions, as well as dynamic linking of payment data with the transaction signature. Passkeys support these requirements.<\/p>\n<p>The European directives <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:32022R2554&amp;from=FR\" target=\"_blank\" rel=\"nofollow noopener\">DORA<\/a> and <a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/policies\/nis2-directive\" target=\"_blank\" rel=\"nofollow noopener\">NIS2<\/a> are also technology-agnostic, and generally only require the implementation of multi-factor authentication \u2014 a requirement that passkeys certainly satisfy.<\/p>\n<p>In short, choosing passkeys specifically isn\u2019t mandatory for regulatory compliance, but many organizations find it to be the most cost-effective path. Among the factors tipping the scales in favor of passkeys are the extensive use of cloud services and SaaS, an ongoing rollout of passkeys for customer-facing websites and apps, and a well-managed fleet of corporate computers and smartphones.<\/p>\n<h2>Enterprise roadmap for transitioning to passkeys<\/h2>\n<ol>\n<li>Assemble a cross-functional team. This includes IT, cybersecurity, business owners of IT systems, tech support, HR, and internal communications.<\/li>\n<li>Inventory your authentication systems and methods. Identify where WebAuthn\/FIDO2 is already supported, which systems can be upgraded, where single sign-on (SSO) integration can be implemented, where a dedicated service needs to be created to translate new authentication methods into ones your systems support, and where you\u2019ll have to continue using passwords \u2014 under beefed-up SOC monitoring.<\/li>\n<li>Define your passkey strategy. Decide whether to use hardware security keys or passkeys stored on smartphones and laptops. 
Plan and configure your primary sign-in methods, as well as emergency access options such as temporary access passcodes (TAP).<\/li>\n<li>Update your corporate information security policies to reflect the adoption of passkeys. Establish detailed sign-up and recovery rules. Establish protocols for cases where transitioning to passkeys isn\u2019t on the cards (for example, because the user must rely on a legacy device that has no passkey support). Develop auxiliary measures to ensure secure passkey storage, such as mandatory device encryption, biometrics use, and unified endpoint management or enterprise mobility management device health checks.<\/li>\n<li>Plan the rollout order for different systems and user groups. Set a long timeline to identify and fix problems step-by-step.<\/li>\n<li>Enable passkeys in access management systems such as Entra ID and Google Workspace, and configure allowed devices.<\/li>\n<li>Launch a pilot, starting with a small group of users. Collect feedback, and refine your instructions and approach.<\/li>\n<li>Gradually connect systems that don\u2019t natively support passkeys using SSO and other methods.<\/li>\n<li>Train your employees. Launch a passkey adoption campaign, providing users with clear instructions and working with \u201cchampions\u201d on each team to speed up the transition.<\/li>\n<li>Track progress and improve processes. Analyze usage metrics, login errors, and support tickets. Adjust access and recovery policies accordingly.<\/li>\n<li>Gradually phase out legacy authentication methods once their usage drops to single-digit rates. First and foremost, eliminate one-time codes sent through insecure communication channels, such as text messages and email.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Regulation and the evolving threat landscape are driving companies to adopt more resilient forms of employee authentication. 
Are passkeys a cost-effective and straightforward replacement for traditional passwords? <\/p>\n","protected":false},"author":2722,"featured_media":24452,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916],"tags":[2707],"class_list":{"0":"post-24451","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-passkeys"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/passkey-enterprise-readiness-pros-cons\/24451\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/passkey-enterprise-readiness-pros-cons\/29336\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/passkey-enterprise-readiness-pros-cons\/12631\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/passkey-enterprise-readiness-pros-cons\/29284\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/passkey-enterprise-readiness-pros-cons\/28379\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/passkey-enterprise-readiness-pros-cons\/31240\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/passkey-enterprise-readiness-pros-cons\/29903\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/passkey-enterprise-readiness-pros-cons\/40189\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/passkey-enterprise-readiness-pros-cons\/13637\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/passkey-enterprise-readiness-pros-cons\/53986\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/passkey-enterprise-readiness-pros-cons\/23040\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/passkey-enterprise-readiness-pros-cons\/32509\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/passkey-enterprise-readiness-pros-cons\/29448\/"},{"hreflang":"en-au
","url":"https:\/\/www.kaspersky.com.au\/blog\/passkey-enterprise-readiness-pros-cons\/35204\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/passkey-enterprise-readiness-pros-cons\/34848\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/passkeys\/","name":"passkeys"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/24451","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2722"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=24451"}],"version-history":[{"count":0,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/24451\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/24452"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=24451"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=24451"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=24451"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}