
Passkeys, FIDO2, and WebAuthn Security Keys

Posted: March 27, 2026 to Cybersecurity.

The End of Passwords: Why Passkeys Matter for Business

Passwords are the weakest link in enterprise security. Despite decades of password policies, training and password managers, stolen, guessed or phished credentials remain among the most common initial-access vectors in industry breach reports. Passkeys, built on the FIDO2 and WebAuthn standards, remove the shared secret this whole class of attack depends on by replacing passwords with per-site cryptographic key pairs.

Unlike passwords, passkeys resist phishing, are unique to each site by construction (the authenticator generates a separate key pair per relying party), and cannot be harvested from a breached server, which holds only public keys. They are the most significant authentication improvement since multi-factor authentication.

Understanding the Technology Stack

WebAuthn (Web Authentication API)

WebAuthn is the W3C standard that exposes public-key credentials to web applications through a browser API (navigator.credentials.create() for registration, navigator.credentials.get() for authentication). It specifies the data structures exchanged during those registration and authentication ceremonies and what the server, called the relying party, must verify before accepting them.

FIDO2

FIDO2 is the FIDO Alliance's umbrella term for WebAuthn (the browser API) plus CTAP2 (Client to Authenticator Protocol), which defines how external authenticators (security keys, phones, biometric readers) talk to the client platform, meaning the browser or operating system, over USB, NFC or Bluetooth Low Energy.

Passkeys

Passkeys are the user-facing name for FIDO2 discoverable credentials: credentials the authenticator can locate by itself when asked for a given site, so the user does not have to type a username first. They can be device-bound (the private key never leaves a hardware security key or one device's secure hardware) or synced (the private key is copied, end-to-end encrypted, across the user's devices by iCloud Keychain, Google Password Manager or a third-party manager such as 1Password).

How It Works

  1. Registration: The server (the relying party) sends a random challenge and its RP ID, normally its registrable domain. The authenticator creates a fresh public-private key pair scoped to that RP ID and returns the public key, a credential ID and, optionally, an attestation statement. The private key stays on the authenticator (or, for synced passkeys, is copied only in end-to-end encrypted form to the user's other devices)
  2. Authentication: The server sends a fresh random challenge. The browser hands it to the authenticator together with the origin of the page it actually loaded; the authenticator signs the hash of that client data along with its authenticator data (RP ID hash, flags, signature counter). The server verifies the signature with the stored public key and checks that the challenge, origin and RP ID hash are the ones it expects
  3. Result: No shared secret ever crosses the network, and each challenge is used once, so a captured response cannot be replayed. The server stores only the public key, the credential ID and the last signature counter; none of that lets an attacker log in

Security Advantages Over Passwords and Traditional MFA

Attack type                             | Passwords  | Password + SMS MFA             | Password + TOTP                | Passkeys
Phishing                                | Vulnerable | Vulnerable                     | Vulnerable                     | Resistant (credential is origin-bound)
Credential stuffing                     | Vulnerable | Partially protected            | Partially protected            | Not applicable (unique key pair per site)
Server breach (credential theft)        | Vulnerable | Vulnerable (passwords exposed) | Vulnerable (passwords exposed) | Not applicable (server holds only public keys)
SIM swapping                            | N/A        | Vulnerable                     | Not affected                   | Not affected
Adversary-in-the-middle phishing proxy  | Vulnerable | Vulnerable                     | Vulnerable                     | Resistant (origin check fails)
Online brute force / password spraying  | Vulnerable | Mitigated                      | Mitigated                      | Not applicable (no guessable secret)

The key insight is that passkeys are phishing-resistant by design. A credential is scoped to a relying party ID (normally the site's registrable domain), and the browser will only offer it to pages served from that domain; the signed response also carries the origin the browser actually saw, which the server checks against its own. A look-alike domain therefore never obtains a usable response, no matter how convincing the page. The caveat is that this protection covers only the passkey ceremony: any password, SMS or recovery fallback left enabled on the same account remains phishable.

Types of Passkeys and Security Keys

Platform Authenticators (Built-in)

  • Apple Face ID/Touch ID: Passkeys synced via iCloud Keychain across Apple devices
  • Windows Hello: Biometric or PIN-based authentication tied to the Windows device
  • Android biometrics: Passkeys synced via Google Password Manager

Roaming Authenticators (External Hardware)

  • YubiKey 5 Series: USB-A, USB-C, NFC. Supports FIDO2, PIV, OTP. Industry standard. $45-75
  • YubiKey Bio: Fingerprint reader built into the key. $90-95
  • Google Titan Key: USB-C + NFC. $30. Good budget option
  • Feitian ePass: Various form factors including Bluetooth. Budget-friendly options from $15

Enterprise Deployment Strategy

Phase 1: Assessment (Weeks 1-2)

  1. Audit current authentication methods across all applications
  2. Identify applications that support FIDO2/WebAuthn
  3. Assess user device capabilities (biometrics, USB ports, NFC)
  4. Define the target authentication architecture

Phase 2: Pilot (Weeks 3-6)

  1. Select a pilot group (IT staff and willing early adopters)
  2. Deploy hardware security keys to pilot users
  3. Enable passkey authentication on 2-3 critical applications
  4. Collect feedback on user experience and issues

Phase 3: Rollout (Weeks 7-16)

  1. Expand to all users department by department
  2. Enable passkeys on remaining compatible applications
  3. Set password-optional or password-free policies where supported
  4. Update help desk procedures for passkey-related support

Phase 4: Enforcement (Ongoing)

  1. Require passkeys for high-privilege accounts
  2. Phase out SMS-based MFA
  3. Monitor adoption metrics and address holdouts
  4. Update security policies to reflect passkey requirements

Implementation Considerations

Synced vs. Device-Bound Passkeys

Synced passkeys (iCloud Keychain, Google Password Manager) prioritize convenience: the private key is end-to-end encrypted and copied to the user's other devices, so the credential survives a lost phone, but its security now also rests on the sync account and that account's recovery process. Device-bound passkeys (hardware security keys, or platform credentials that are not eligible for backup) keep the private key inside one piece of hardware. A relying party can tell the two apart at registration from the backup-eligible (BE) and backup-state (BS) flags in the authenticator data, and can confirm the authenticator model through attestation. Most enterprises benefit from a hybrid approach: synced passkeys for general staff, hardware keys for privileged accounts.

Account Recovery

The biggest challenge in passkey deployment is account recovery, and the recovery path is where the new weakest link tends to appear: a recovery flow that falls back to an emailed link or an SMS code quietly reintroduces the phishing exposure the passkey removed. If a user loses their security key and has no backup authenticator, they are locked out. Solutions include:

  • Require registration of at least two authenticators
  • Provide a secure recovery process (in-person identity verification)
  • Use synced passkeys as a backup alongside hardware keys
  • Maintain a supervised recovery station with manager approval

Compatibility

As of 2026, passkey support is widespread but not universal. Major platforms (Google Workspace, Microsoft 365, Okta, Duo, AWS, GitHub) all support FIDO2. Legacy applications that cannot speak WebAuthn themselves are usually fronted by an identity provider over SAML or OIDC, so the passkey ceremony happens at the identity provider and the application only receives a federated assertion.

Cost-Benefit Analysis

Factor                         | Passwords + MFA                        | Passkeys + hardware keys
Hardware cost per user         | $0                                     | $50-100 (two keys)
Password reset costs per year  | $200-500 per user                      | $0
Phishing incident risk         | High                                   | Near zero
User friction                  | High (complex passwords, MFA prompts)  | Low (biometric or tap)
Help desk tickets              | 30-50% are password-related            | Minimal after deployment

For most organizations, the hardware key investment pays for itself within 6-12 months through reduced password reset costs and eliminated phishing incidents alone.

CISA's guidance on phishing-resistant MFA identifies FIDO/WebAuthn authentication as the gold standard of multi-factor authentication and recommends it for all accounts, starting with the most critical systems and the most targeted users.

Integration with Zero Trust

Passkeys are a foundational component of zero trust architecture. They provide strong, phishing-resistant authentication that can be combined with device posture checks, conditional access policies, and continuous verification for a comprehensive zero trust implementation.

Frequently Asked Questions

What happens if I lose my security key?

If you registered a backup authenticator (second key, synced passkey, or platform authenticator), use that to log in and register a replacement. If you have no backup, contact your IT administrator for supervised account recovery. This is why registering two authenticators is critical.

Are passkeys more secure than authenticator apps?

Yes. Authenticator apps (TOTP) produce short-lived codes that a user can be tricked into typing into a proxy site, which relays them to the real site in real time. A passkey response is bound to the origin the browser actually connected to, and the browser only offers the credential on the matching domain, so a look-alike site cannot obtain a usable response however convincing it looks. The remaining exposure is any weaker fallback method left enabled on the same account.

Can passkeys work without internet?

A hardware security key does not need its own network connection: the challenge is signed locally between the key and the browser or operating system. The relying party, however, has to generate the challenge and verify the signature, so logging in to a web application still needs connectivity to that application. Fully offline use is limited to local sign-in, for example unlocking a workstation with the key.

Do all applications support passkeys?

Support is growing rapidly. Major platforms (Google, Microsoft, Apple, AWS, GitHub) all support FIDO2 passkeys. Legacy applications can often be connected through identity providers like Okta or Microsoft Entra ID (formerly Azure AD) that support passkeys at the provider level, so the application inherits phishing-resistant sign-in without changes.

How do passkeys work with shared devices?

On shared devices like kiosks, hardware security keys are the best option because the credential stays on the physical key, not the shared device. Each user taps their personal key to authenticate, and no credential remains on the device after use. Platform passkeys are a poor fit here, since they would be stored in whichever user profile the shared device is signed into.

What is the deployment timeline for a mid-sized company?

A typical deployment takes 3-4 months: 2 weeks for assessment, 4 weeks for pilot, 6-8 weeks for full rollout. Ongoing enforcement and optimization continue after initial deployment. Companies with simpler IT environments may complete the process faster.


About the Author

Craig Petronella, CEO and Founder of Petronella Technology Group
CEO, Founder & AI Architect, Petronella Technology Group

Craig Petronella founded Petronella Technology Group in 2002 and has spent more than 30 years working at the intersection of cybersecurity, AI, compliance, and digital forensics. He holds the CMMC Registered Practitioner credential (RP-1372) issued by the Cyber AB, is an NC Licensed Digital Forensics Examiner (License #604180-DFE), and completed MIT Professional Education programs in AI, Blockchain, and Cybersecurity. Craig also holds CompTIA Security+, CCNA, and Hyperledger certifications.

He is an Amazon #1 Best-Selling Author of 15+ books on cybersecurity and compliance, host of the Encrypted Ambition podcast (95+ episodes on Apple Podcasts, Spotify, and Amazon), and a cybersecurity keynote speaker with 200+ engagements at conferences, law firms, and corporate boardrooms. Craig serves as Contributing Editor for Cybersecurity at NC Triangle Attorney at Law Magazine and is a guest lecturer at NCCU School of Law. He has served as a digital forensics expert witness in federal and state court cases involving cybercrime, cryptocurrency fraud, SIM-swap attacks, and data breaches.

Under his leadership, Petronella Technology Group has served 2,500+ clients, maintained a zero-breach record among compliant clients, earned a BBB A+ rating every year since 2003, and been featured as a cybersecurity authority on CBS, ABC, NBC, FOX, and WRAL. The company leverages SOC 2 Type II certified platforms and specializes in AI implementation, managed cybersecurity, CMMC/HIPAA/SOC 2 compliance, and digital forensics for businesses across the United States.
