Passkeys in Corporate Practice

How Companies Can Strategically Plan the Transition
August 26, 2025 by MTRIX GmbH, Oliver Beyer

Passkeys are considered the secure and user-friendly future of authentication. But what does that actually mean for businesses? How can the transition from traditional passwords to passkeys be strategically planned and technically implemented? This article provides a practical overview.

Why Take Action Now?

Companies today must offer alternative forms of user authentication for systems and applications beyond just usernames and passwords. Over the years, methods have been established that offer at least one additional factor alongside the password. For example, two-factor authentication (2FA) involves sending a text message to a mobile device or using one-time password (OTP) tokens that display a code which must be entered.

These methods are not necessarily user-friendly and are considered insecure by today’s standards.

That said, using SMS or OTP tokens is still better than using nothing at all. Logging into systems and applications with only a username and password is simply no longer necessary—and, given increasingly sophisticated criminal tactics, it’s outright dangerous. With dark web toolkits offering industrial-scale social hacking and AI-generated phishing emails, traditional methods are no longer sufficient to secure systems and applications. Awareness campaigns and training are still valuable, but can no longer be the sole line of defense in the face of rapid technological adoption by cybercriminals.

Over time, the FIDO Alliance has pioneered new approaches aimed at eliminating passwords, preventing phishing attacks, and maintaining user convenience. One such innovation is passkeys.

Passkeys are phishing-resistant, password-free, and offer a consistent user experience across devices and platforms. With increasing support from Apple, Google, Amazon, PayPal, Microsoft, and others, major service providers now offer users the ability to secure many services with a passkey and log in using just that.

Passkeys can now be either device-bound (used only on one device) or synced across devices, allowing a user to authenticate on multiple devices signed in to the same service. This gives users the flexibility to choose whether to generate a unique passkey for each device or use one passkey across many.

As users become familiar with this technology in their personal lives, the pressure grows for companies to offer the same seamless experience in the workplace.

The introduction of passkeys—or any new authentication method—doesn’t happen overnight. A structured approach is essential to achieve the desired security level. 

Below is an overview of the MTRIX approach model, which has proven successful in the past.


Step 1: Define Goals and Use Case Clusters

Not every application requires the same level of security. You need to define scenarios and identify use cases:

  • Internal access to office applications
  • Securing external access to cloud/external apps
  • Device access needs (mobile vs desktop)
  • Device types used: company-owned (COPE) vs personal (BYOD)


Step 2: Analyze the Current Authentication Landscape

Clarify the following:

  • What authentication methods are currently in use?
  • What platforms and systems need to be integrated?
  • What does the current user login journey look like?


Step 3: Choose the Right Passkey Strategy

  • Synced passkeys: User-friendly, ideal for mobile devices & cloud infrastructures
  • Device-bound passkeys (e.g., using security tokens from Yubico, Swissbit, Feitian, etc.): Highest level of security, especially for critical applications
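
How a relying party can enforce this choice per use case cluster, shown as an added example (not MTRIX code or any vendor's API): WebAuthn authenticator data carries backup-eligibility (BE) and backup-state (BS) flags that distinguish synced from device-bound passkeys, plus a hash of the relying-party ID. The cluster names, the policy table and the sample data are assumptions; signature and challenge verification are assumed to be handled by the WebAuthn library in use.

```python
import hashlib
import struct

# Flag bits in WebAuthn authenticator data (byte 32).
UP, UV, BE, BS = 0x01, 0x04, 0x08, 0x10  # present, verified, backup eligible, backed up

# Hypothetical policy per use-case cluster (names are assumptions).
POLICY = {
    "office_apps": {"allow_synced": True},
    "critical_apps": {"allow_synced": False},
}

def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build constructed sample authenticator data: rpIdHash | flags | signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

def parse_auth_data(auth_data: bytes) -> dict:
    if len(auth_data) < 37:
        raise ValueError("authenticator data must be at least 37 bytes")
    flags = auth_data[32]
    if flags & BS and not flags & BE:
        raise ValueError("BS flag set without BE flag")  # inconsistent, reject
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & UP),
        "user_verified": bool(flags & UV),
        "backup_eligible": bool(flags & BE),
        "backed_up": bool(flags & BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }

def evaluate(auth_data: bytes, expected_rp_id: str, cluster: str) -> tuple:
    d = parse_auth_data(auth_data)
    # The RP ID hash binds the assertion to this site's domain.
    if d["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return (False, "rp_id_mismatch")
    if not (d["user_present"] and d["user_verified"]):
        return (False, "user_verification_missing")
    if d["backup_eligible"] and not POLICY[cluster]["allow_synced"]:
        return (False, "synced_passkey_not_allowed")
    return (True, "ok")

if __name__ == "__main__":
    rp = "login.example.com"  # constructed relying-party ID
    synced = make_auth_data(rp, UP | UV | BE | BS, 0)
    bound = make_auth_data(rp, UP | UV, 7)
    for name, data in (("synced", synced), ("device-bound", bound)):
        for cluster in POLICY:
            print(name, cluster, evaluate(data, rp, cluster))
```

The BE and BS flags are reported by the authenticator itself; where a cluster requires a specific hardware token model, attestation checked at registration gives stronger assurance than the flags alone.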


Step 4: Prepare the Infrastructure

  • Do the systems/applications support FIDO2/WebAuthn?
  • Can the rollout be centrally managed?
  • Should passkeys be deployed via security keys or OS functions?
  • What authentication platforms are already in place, and can they meet the requirements? Or is a new, centralized platform more suitable?
    Platforms like OpenText Authentication, HID DigitalPersona, Veridium, or Authlite offer flexible integrations and diverse methods. For pure cloud environments, Entra ID or Google mechanisms may be more appropriate.


Step 5: Training & Awareness

The introduction of new authentication technology is also a communication topic. Employees need to understand:

  • Why passkeys are more secure and user-friendly
  • How to use them
  • What to do if a device is lost or replaced


Step 6: Pilot & Scale

  • Start with tech-savvy teams
  • Collect feedback and make adjustments
  • Roll out to broader user groups with accompanying communication


Conclusion

The shift to passkeys is not just a technical change—it’s a strategic project. Companies that begin this transformation now will not only enhance their security posture but also improve user experience across the board. Choosing an open and flexible authentication platform that supports a range of methods—from passkeys to OTP—enables phased implementations and broader adaptability. 

MTRIX GmbH has helped many clients plan and implement such projects in recent years. Our extensive experience allows us to quickly identify your needs and enable efficient implementation.

A practical example is the distribution of security tokens. Buying thousands of tokens only to distribute them manually from headquarters is inefficient. MTRIX has developed a solution to not only streamline the technical rollout but also equip users effectively—without overwhelming internal IT with micro-tasks.

 
