- Passwords are the root cause of over 80 percent of all data breaches. They are reused, stolen, guessed, or intercepted through phishing. Passwordless authentication eliminates this attack surface entirely.
- FIDO2 is based on asymmetric cryptography: a private key remains on the user's device, while a public key is stored with the service. Even in the event of a data breach at the provider, the credentials are worthless.
- Passkeys are the user-friendly evolution of FIDO2. They synchronize via the cloud (Apple iCloud Keychain, Google Password Manager, Microsoft Hello) and work across devices without hardware tokens.
- The transition happens in phases: FIDO2 as an MFA factor alongside the password, then password-optional (Passkey preferred, password as fallback), then passwordless (no password at all). Most organizations are currently in phase 1 or 2.
- Hardware keys (YubiKey, SoloKeys) offer the highest security for privileged accounts and high-security environments. Passkeys on smartphones and laptops offer the best balance of security and convenience for all employees.
The Problem with Passwords
For over 50 years, passwords have been the primary means of digital authentication — and for almost as long, they have been the primary problem. The weaknesses of passwords are so fundamental that no password policy, no matter how sophisticated, can eliminate them.
People choose weak passwords. Despite all requirements for minimum length, complexity, and uniqueness, studies consistently show that the most popular passwords remain "123456," "password," and "qwerty." Even with enforced complexity, most passwords follow predictable patterns: a word with a capital first letter, followed by a number and a special character. Attackers know these patterns and exploit them in targeted dictionary attacks. Even a well-designed password policy can only mitigate these fundamental weaknesses, not eliminate them.
People reuse passwords. An average employee uses the same password or slight variations of it across multiple services. When one of these services is hacked and the password database is leaked, all other accounts are compromised as well. Credential stuffing — the automated testing of leaked credentials against other services — is one of the most common attack vectors.
Passwords can be stolen through phishing. A convincingly authentic email, a copied login page, and a moment of inattention are all it takes to intercept a password. Even trained employees fall for well-crafted phishing attacks, especially when under time pressure.
Passwords can be stolen from databases. When a service is breached, stored password hashes can be extracted and cracked offline. Modern graphics cards can perform billions of hash calculations per second, making even moderately complex passwords crackable within a reasonable timeframe.
Multi-factor authentication significantly reduces these risks, but it does not eliminate the password. The password remains as the first factor, with all its weaknesses. Passwordless authentication takes the decisive step further: it removes the password entirely from the equation.
FIDO2: The Technology Behind Passwordless Authentication
FIDO2 is an open standard from the FIDO Alliance (Fast Identity Online), jointly developed by the major technology companies: Google, Microsoft, Apple, Intel, Yubico, and many others. The standard consists of two components: WebAuthn (the browser API) and CTAP2 (the protocol for communication with the authenticator).
How FIDO2 Works
FIDO2 is based on asymmetric cryptography, the same principle that underlies TLS/HTTPS. During the registration of a new account, the following happens:
The user opens the service and initiates registration. The service sends a challenge — a random string — to the browser. The browser forwards the challenge to the authenticator, which can be a hardware key, a fingerprint sensor, or a smartphone. The authenticator generates a key pair: a private key that remains on the device and is never transmitted, and a public key that is sent back to the service. The service stores the public key.
During login, the process is similar: the service sends a new challenge. The authenticator signs the challenge with the private key. The service verifies the signature with the stored public key. If the signature is valid, the user is authenticated.
This process has several fundamental security advantages. First, no secret is transmitted: the private key never leaves the user's device. Even if the communication is intercepted, the attacker only obtains the signed challenge, which is worthless to them. Second, the service stores only the public key: even in a complete data leak at the provider, the attacker cannot do anything with the public keys. Third, phishing is technically impossible: the authenticator binds the key to the service's domain (origin binding). If an attacker operates a phishing page under a different domain, the authenticator refuses to sign because the domain does not match.
Authenticator Types
FIDO2 supports various types of authenticators that differ in security, usability, and cost.
Roaming Authenticators (Hardware Keys) are physical devices like the YubiKey that connect to the endpoint via USB, NFC, or Bluetooth. The private key is stored in a secure chip on the key and cannot be extracted. Hardware keys offer the highest security because the private key never leaves the physical device and physical interaction (touching the sensor) is required for each authentication. Costs range from 25 to 80 euros per key, and each user should have at least two keys (one primary and one backup key).
Platform Authenticators are integrated into the endpoint device. Windows Hello uses the laptop's TPM chip and authenticates via fingerprint, facial recognition, or PIN. Touch ID and Face ID on Apple devices use the Secure Enclave. Android devices use the fingerprint sensor or facial recognition. Platform authenticators are convenient because the user does not need to carry an additional device, but they offer lower security than hardware keys because the private key is bound to the endpoint and is potentially at risk if the device is compromised.
Passkeys are the latest development and address the biggest usability problem of FIDO2: device binding. With classic FIDO2 credentials, the private key is bound to a specific device. If you buy a new smartphone, you have to re-register with all services. Passkeys solve this problem by synchronizing the private key via the cloud: Apple iCloud Keychain, Google Password Manager, or Microsoft Hello Cloud. This means you can automatically log in to all services on your new iPhone for which you created Passkeys on your old iPhone.
Passkeys in Detail
Passkeys have the potential to make passwordless authentication mainstream because they combine the usability of passwords with the security of FIDO2.
The User Experience
From the user's perspective, logging in with a Passkey is remarkably simple. You open the login page, enter your username (or select it from a suggested list), confirm with your fingerprint or facial recognition, and you are logged in. No password, no code, no token. The entire process takes just a few seconds.
Registering a Passkey is equally straightforward. The service offers the option "Create Passkey," you confirm with your biometric feature, and the Passkey is created and automatically saved in your keychain.
Cross-Device Authentication
A special feature of Passkeys is cross-device authentication. You are sitting at a colleague's computer and need to log in to a service. The computer does not have access to your Passkeys, but your smartphone does. You select the option "Sign in with another device," scan a QR code with your smartphone, confirm with your fingerprint, and you are logged in on the other computer. At no point did the private key leave your smartphone.
This feature uses the CTAP2 protocol over Bluetooth Low Energy to establish a secure connection between the smartphone and the computer. Bluetooth is used only for the proximity check (the attacker would need to be physically nearby); the actual data transmission occurs encrypted over the internet.
Synchronization and Ecosystem Lock-In
Passkey synchronization is currently tied to the ecosystems of the major platform providers. Apple Passkeys sync via iCloud Keychain, Google Passkeys via the Google Password Manager, and Microsoft Passkeys via Windows Hello. A Passkey created on an iPhone is not directly available on an Android device.
This is a real limitation, but it is gradually dissolving. Password managers like 1Password, Bitwarden, and Dashlane now support cross-platform Passkey storage and synchronization. In enterprise environments, this can be a sensible alternative because you can manage Passkeys centrally and decouple them from ecosystem lock-in.
Security Comparison: Password vs. MFA vs. FIDO2 vs. Passkey
To contextualize the security benefits, a comparison of the various authentication methods against the most common attack types is helpful.
Phishing: A password can be stolen via phishing. TOTP codes can be intercepted via real-time phishing proxies (such as Evilginx). FIDO2 and Passkeys are immune to phishing because the authenticator checks the domain and refuses to sign if the domain does not match.
Credential Stuffing: Passwords from data leaks are tested against other services. MFA protects as long as the second factor is not also compromised. FIDO2 and Passkeys are immune because a separate key pair exists for each service.
Man-in-the-Middle: An attacker positions themselves between the user and the service. Passwords and simple MFA codes can be intercepted. FIDO2 and Passkeys protect through channel binding: the signature includes information about the TLS connection, allowing a MITM attack to be detected.
Server-Side Data Leaks: When a service's database is stolen, the attacker obtains password hashes (which can be cracked) or MFA seeds (which can be abused). With FIDO2 and Passkeys, the server stores only public keys, which are useless to the attacker.
SIM Swapping: SMS-based MFA can be bypassed via SIM swapping, where the attacker takes over the phone number. FIDO2 and Passkeys are not affected because authentication does not rely on the phone number.
Introducing Passwordless Authentication in the Enterprise
The transition from password-based to passwordless authentication is a multi-year process that should proceed in clearly defined phases.
Phase 1: FIDO2 as an Additional MFA Factor
In the first phase, you introduce FIDO2 as an additional MFA option alongside existing methods (TOTP, push). The password remains as the first factor, but FIDO2 keys or Passkeys replace the previous second factor.
Start with privileged accounts. A well-designed Privileged Access Management approach is a prerequisite. All administrators receive hardware keys (YubiKey or equivalent) and register them with the most critical systems: Identity Provider (Entra ID, Okta), cloud consoles (Azure, AWS), remote access solutions. For these accounts, FIDO2 is configured as the only accepted MFA method because it is the only method that protects against phishing proxies like Evilginx.
In parallel, you enable all employees to create Passkeys for the Identity Provider and the most important SaaS applications. This is voluntary and supplementary but is intended to build experience and increase acceptance.
Phase 2: Password-Optional
In the second phase, the password becomes the fallback. The preferred login path is the Passkey or hardware key. The password still exists, but employees are actively encouraged not to use it. The login page prominently displays the Passkey login and hides the password login behind a link such as "Other sign-in method."
This phase requires that all business-critical applications support Passkeys or FIDO2. Applications that only offer password login are secured via the Identity Provider (SSO), so that the Passkey login at the IdP provides access to these applications.
Phase 3: Passwordless
In the third phase, the password is completely removed. Employees no longer have a password, and authentication is exclusively via Passkeys, hardware keys, or biometric features. The password field disappears from the login page.
For most organizations, this phase is still a future aspiration because it requires all applications, all devices, and all processes to be fully converted to passwordless authentication. But it is the logical goal, and every step in phases 1 and 2 brings you closer.
Recovery and Backup
One of the biggest challenges of passwordless authentication is the recovery question: what happens when a user loses their hardware key, their smartphone is broken, or they have no access to their Passkeys?
For hardware keys, the solution is a second backup key that is securely stored. During initial setup, each user registers two keys: a primary key for daily use and a backup key kept at home or in a safe.
For Passkeys, cloud synchronization provides a natural backup mechanism: as long as the user has access to their cloud account (Apple ID, Google Account), they can restore their Passkeys on a new device.
Additionally, an administrative recovery process should be defined: an IT administrator can temporarily unlock the user's account and enable the registration of a new authenticator. This process must be secured against social engineering — the user's identity must be unambiguously confirmed before recovery.
FIDO2 and Passkeys on Common Platforms
Support for FIDO2 and Passkeys is growing rapidly. Here is an overview of the most important platforms.
Microsoft Entra ID supports FIDO2 hardware keys and Windows Hello as authentication methods. Passkeys have been fully supported since 2024. Configuration is done through the Authentication Methods Policy, and Conditional Access Policies can enforce FIDO2 as a requirement for specific applications or user groups.
Google Workspace has supported FIDO2 hardware keys since 2018 and Passkeys since 2023. Google has migrated all employees internally to FIDO2 keys and reports that the number of successful phishing attacks has dropped to zero.
Okta supports FIDO2 and Passkeys as authenticator types in its Universal Directory platform. The integration is straightforward and well-documented.
Common SaaS applications such as GitHub, Salesforce, AWS, Cloudflare, Shopify, and many others support FIDO2 as an MFA method. Passkey support as a primary login method is growing but not yet universal.
Cost and ROI
The costs of passwordless authentication consist of hardware, licenses, and implementation effort.
Hardware keys cost 25 to 80 euros per unit, depending on the model and supported interfaces (USB-A, USB-C, NFC, Lightning). With two keys per employee (primary and backup) and 200 employees, that amounts to 10,000 to 32,000 euros one-time. The keys last several years; ongoing costs are limited to replacing lost or defective keys.
Passkeys incur no direct hardware costs because they run on existing devices (smartphones, laptops). The prerequisite is that devices have current operating systems and biometric sensors, which is the case for most modern devices.
Licenses depend on the Identity Provider. FIDO2 support in Entra ID is included in most Microsoft 365 licenses. With Okta, it is available in standard licenses. Additional costs may arise for Conditional Access Policies (Entra ID P1/P2).
On the savings side, there are reduced helpdesk costs. According to studies, password resets account for 20 to 50 percent of all helpdesk requests, and each reset costs an average of 20 to 70 euros in labor. With 200 employees and an average of two password resets per employee per year, that amounts to 8,000 to 28,000 euros annually that are eliminated by passwordless authentication.
Additionally, there are the avoided costs of a security incident. A single successful phishing attack leading to a ransomware incident causes average costs of 200,000 to 500,000 euros for mid-market companies. FIDO2 and Passkeys completely eliminate this attack vector.
Challenges and Limitations
Passwordless authentication is not a silver bullet, and you should be aware of the limitations before planning the transition.
Legacy applications support neither FIDO2 nor Passkeys. Older on-premise applications, terminal servers, and some industry-specific software still require password-based authentication. For these applications, you need a transitional strategy, such as connecting them via SSO or using an enterprise password manager.
Shared accounts are difficult to handle with passwordless authentication because Passkeys and FIDO2 keys are bound to individual users. For jointly used accounts (e.g., social media accounts, shared mailboxes), you need alternative solutions.
Device dependency can become a problem when employees forget or lose their devices. A robust recovery process is essential.
Ecosystem fragmentation complicates cross-platform use of Passkeys. A Passkey stored in Apple iCloud Keychain does not work directly on an Android device. Third-party password managers can bridge this gap but represent an additional system that must be managed.
The Right Time Is Now
The technology for passwordless authentication is mature. All major platforms support FIDO2 and Passkeys, the hardware is affordable, and usability is better than any password-based solution. In the context of Zero Trust, passwordless authentication also plays a central role. The question is not whether your organization will switch to passwordless authentication, but when.
The best entry point is Phase 1: FIDO2 hardware keys for all administrators and Passkeys as an option for all employees. The investment is manageable, the security gain is immediately measurable, and you gain the experience needed for subsequent phases.
Document your authentication strategy in your ISMS — tools like ISMS Lite help you centrally manage your authentication policy and track rollout progress. Define which authentication methods are permitted for which application categories and create a roadmap for the transition to passwordless authentication. This roadmap is not just a technical document but also evidence for auditors that you are actively advancing authentication in your organization and aligning it with the state of the art.
Further Reading
- Multi-Factor Authentication (MFA) Implementation: Strategy, Rollout, and Adoption
- Single Sign-On (SSO) Implementation: SAML, OIDC, and Practical Deployment
- Creating a Password Policy: Requirements, Length, and Passphrases
- Privileged Access Management (PAM): Keeping Admin Accounts Under Control
- Zero Trust for SMEs: Principles, Quick Wins, and Pitfalls
