{"id":24461,"date":"2025-07-30T18:30:48","date_gmt":"2025-07-30T14:30:48","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/passkey-enterprise-issues-and-threats\/24461\/"},"modified":"2025-07-30T18:30:48","modified_gmt":"2025-07-30T14:30:48","slug":"passkey-enterprise-issues-and-threats","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/passkey-enterprise-issues-and-threats\/24461\/","title":{"rendered":"Enterprise passkey adoptions: nuances and challenges"},"content":{"rendered":"

Transition to passkeys promises organizations a cost-effective path toward robust employee authentication, increased productivity, and regulatory compliance. We\u2019ve already covered all the pros and cons of this business solution in a separate, in-depth article<\/a>. However, the success of the transition \u2014 and even its feasibility \u2014 really hinges on the technical details and implementation specifics across numerous corporate systems.<\/p>\n

Passkey support in identity management systems<\/h2>\n

Before tackling organizational hurdles and drafting policies, you\u2019ll have to determine if your core IT systems are ready for the switch to passkeys.<\/p>\n

Microsoft Entra ID (Azure AD) fully supports passkeys<\/a>, letting admins set them as the primary sign-in method. For hybrid deployments with on-premises resources, Entra ID can generate Kerberos tickets (TGTs)<\/a>, which your Active Directory domain controller can then process.<\/p>\n

However, Microsoft doesn\u2019t yet offer native passkey support for RDP, VDI, or on-premises-only AD sign-ins. That said, with a few workarounds, organizations can store passkeys on a hardware token like a YubiKey. This kind of token can simultaneously support<\/a> both the traditional PIV (smart cards) technology and FIDO2 (passkeys). There are also third-party solutions<\/a> for these scenarios, but you\u2019ll need to evaluate how using them impacts your overall security posture and regulatory compliance.<\/p>\n

Good news for Google Workspace and Google Cloud users: they offer full passkey support<\/a>.<\/p>\n

Popular identity management systems like Okta, Ping, Cisco Duo, and RSA IDplus also support FIDO2 and all major forms of passkeys.<\/p>\n

Passkey support on client devices<\/h2>\n

We have a detailed post on the subject<\/a>. All modern operating systems from Google, Apple, and Microsoft support passkeys. However, if your company uses Linux, you\u2019ll likely need extra tools, and overall support is still limited.<\/p>\n

Also, while for all major operating systems it might look like full support on the surface, there\u2019s a lot of variety in how passkeys are stored, and that can lead to compatibility headaches. Combinations of several systems like Windows computers and Android smartphones are the most problematic. You might create a passkey on one device and then find you can\u2019t access it on another. For companies with a strictly managed device fleet, there are a couple of ways to tackle this. For example, you could have employees generate a separate passkey for each company device they use. This means a bit more initial setup: employees will need to go through the same process of creating a passkey on every device. However, once that\u2019s done, signing in takes minimal time. Plus, if they lose one device, they won\u2019t be completely locked out of their work data.<\/p>\n

Another option is to use a company-approved password manager to store and sync passkeys across all employees\u2019 devices. This is also a must for companies using Linux computers, as its operating system can\u2019t natively store passkeys. Just a heads-up: this approach might add some complexity when it comes to regulatory compliance audits.<\/p>\n

If you\u2019re looking for a solution with almost no issues with sync and multiple platforms, hardware passkeys like the YubiKey are the way to go. The catch is that they can be significantly more expensive to deploy and manage.<\/p>\n

Passkey support in business applications<\/h2>\n

The ideal scenario for bringing passkeys into your business apps is to have all your applications sign in through single sign-on (SSO). That way, you only need to implement passkey support in your corporate SSO solution, such as Entra ID or Okta. However, if some of your critical business applications don\u2019t support SSO, or if that support isn\u2019t part of your contract (which, unfortunately, happens), you\u2019ll have to issue individual passkeys for users to sign in to each separate system. Hardware tokens can store anywhere from 25 to 100 passkeys, so your main extra cost here would be on the administrative side.<\/p>\n

Popular business systems that fully support passkeys include Adobe Creative Cloud<\/a>, AWS<\/a>, GitHub<\/a>, Google Workspace<\/a>, HubSpot<\/a>, Office 365<\/a>, Salesforce<\/a>, and Zoho<\/a>. Some SAP systems<\/a> also support passkeys.<\/p>\n

Employee readiness<\/h2>\n

Rolling out passkeys means getting your team up to speed regardless of the scenario. You don\u2019t want them scratching their heads trying to figure out new interfaces. The goal is for everyone to feel confident using passkeys on every single device. Here are the key things your employees will need to understand.<\/p>\n