Industry momentum behind passkeys is accelerating. The FIDO Alliance reports that more than 15 billion online accounts can now use passkeys. Enterprise adoption is following, as FIDO’s research found 87% of surveyed US and UK companies have deployed or are in the process of rolling out passkeys for employee sign-ins. For technology leaders, the question is no longer whether passkeys have value; it’s whether your organization can implement them without introducing new risks. When deployed well, passkeys can materially improve sign-in outcomes and reduce password friction. The hard part is execution. Real-world rollouts must work across diverse devices, browsers, and vendor ecosystems, introducing complexity around portability, device loss and lockout, recovery pathways, and inconsistent platform behavior. This article focuses on rollout realities so CIOs, CISOs, and IAM leaders can adopt passkeys, deliberately capturing the benefits without being surprised by the tradeoffs.
What passkeys are and why they matter
Passkeys are based on W3C WebAuthn and FIDO standards and use public-key cryptography to authenticate users without shared secrets. During enrollment, the device creates a unique key pair for the service: the private key stays on the device (or synced store) and the public key is registered with the service. At sign-in, the device signs a server challenge, so the service never stores a reusable secret, reducing breach impact. This architecture is phishing-resistant because credentials are domain-bound and not reusable across sites, removing a major class of social-engineering attacks that target passwords. Operationally, passkeys reduce password friction and can lower avoidable support load. Industry measurement also suggests materially better outcomes. The FIDO Alliance’s Passkey Index reports 93% sign-in success and 73% faster sign-ins compared to other authentication methods.
Passkey Limitations
- Cross-platform portability limitations: Cross-platform portability is still uneven. Many passkeys are effectively tied to vendor ecosystems (iCloud Keychain, Google Password Manager, Windows Hello). Users with mixed-device setups may need to register multiple passkeys for the same account. Although the FIDO Alliance is developing a Credential Exchange Protocol to improve portability, it remains a draft standard, leaving fragmentation an active concern for implementers today.
- Device-specific dependency and lockout risk: Because access depends on a device (or synced credential store), loss of devices or access to the ecosystem account can trigger lockout. This creates an availability failure mode similar to traditional MFA, sometimes more severe if users have only one registered device and recovery falls back to weaker methods. Implementers should plan for device loss by supporting multiple passkeys, clear recovery journeys, and secure fallbacks.
- Account recovery as a weak link: In practice, many deployments still fall back to legacy recovery methods, such as email-based resets or SMS verification, to allow users to register a new passkey. Attackers will target recovery flows—especially if they rely on email/SMS OTP—because that’s where phishing and SIM-swap tactics still work. Treat recovery as part of the authentication system: require stronger verification for passkey reset, rate-limit and monitor recovery attempts, and minimize reliance on phishable channels.
- Endpoint compromise and session abuse: Passkeys reduce phishing risk, but they don’t eliminate endpoint risk. Malware, or an attacker with access to an unlocked device, may be able to approve sign-ins or abuse an existing session. Mitigation is mostly environmental: enforce device hygiene (patching, screen-lock, strong PIN/biometrics), apply Mobile Device Management/Endpoint Detection and Response (MDM/EDR) controls. Implementers should also raise user awareness because simple behaviors (locking screens, not sharing devices, promptly reporting lost devices) materially reduce residual risk.
- Implementation and configuration errors: Risks can arise from how WebAuthn is implemented, incorrect origin validation, weak authenticator policy, flawed ceremony handling, or inconsistent enforcement across platforms. Mitigate this by using well-maintained WebAuthn libraries, following FIDO/W3C guidance, and running conformance plus regression tests across your supported browsers and devices.
Recommendations
- Adopt passkeys gradually, starting with low-risk, high-friction workflows. Once stable, expand to more critical systems. This would provide experience, painpoints and early visibility into edge cases before you expand to privileged or regulated workflows.
- Design recovery before broad rollout. Require users to register multiple passkeys, provide backup codes where appropriate, and harden reset with stronger verification, rate limiting, and monitoring.
- Instrument and monitor passkey events. Log registration, authentication, recovery attempts, device changes, and step-up challenges into IAM/SIEM; alert on anomalies (velocity, geo changes, repeated recovery failures).
- Harden the surrounding environment. Strengthen endpoint posture (MDM/EDR), browser governance, and app hardening, because endpoint compromise and session abuse remain meaningful risks even in passwordless programs.
Bottomline
Passkeys can materially reduce phishing and password friction, but the safest path for CIOs, CISOs, and IAM leaders is a phased rollout, prove reliability in lower-risk apps first, while hardening endpoints, sessions, and recovery so the remaining attack surface doesn’t become your new weak link.
References
- Passkeys: they're not perfect but they're getting better, Ollie Whitehouse, et al, National Cyber Security Centre (NCSC), January 2025
- Passkeys: 7 Possible Downsides for SMBs, Pivot Point Security, November 2025
- Passkeys: Are They Ready for Enterprise Use?, Ingo Schubert, RSA, December 2024
- Passkeys: Benefits, limitations, and will they replace passwords?, Marcus White, SPECOPS, April 2025
- Forging Passkeys: Exploring the FIDO2/WebAuthn Attack Surface, Narendar Battula, July 2025
- Passkeys: Are They Ready for Enterprise Use?, Arielle Waldman, DarkReading, May 2025