Full Report
Although passkeys remain an evolving ecosystem, we'd be wise to embrace tomorrow's authentication standard today. Here are ZDNET's 10 recommendations for reaching passkey paradise.
Analysis Summary
# Best Practices: Transitioning to Passkeys and Modern Credential Management
## Overview
These practices address the impending shift from traditional passwords to FIDO-based passkeys for authentication. They focus on preparing users and organizations by selecting robust credential management solutions, securing recovery methods, and understanding the technical implications of adopting passkeys, which are designed to eliminate phishing risks associated with passwords.
## Key Recommendations
### Immediate Actions
1. **Select a Bring-Your-Own (BYO) Credential Manager:** Immediately research and choose a dedicated BYO credential manager (e.g., 1Password, Bitwarden, LastPass, NordPass) over relying solely on built-in solutions for greater control and feature parity across platforms.
2. **Generate and Secure Recovery Codes:** For critical accounts that already support passkeys or multi-factor authentication (MFA), immediately generate and securely store recovery codes offline. Treat these codes as the absolute last line of defense for account access.
3. **Avoid Disabling BYO Manager Syncing:** Ensure that your chosen BYO credential manager has syncing enabled across all necessary devices to maintain a consistent and up-to-date credential vault.
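Item 2 above treats recovery codes as the last line of defense, which only holds if the service that issues them does so carefully: the codes must be unpredictable, shown to the user once, stored only as keyed hashes, and accepted exactly once. The following Go program is an added illustration of that service-side handling; it is not code from ZDNET or from any of the credential managers named on this page. The alphabet, code length, HMAC pepper and the `IssueCodes`/`Redeem` API are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
	"strings"
)

// codeAlphabet omits 0/O/1/I/L so a code copied by hand from offline storage is unambiguous.
const codeAlphabet = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"

// codeLen characters from a 31-symbol alphabet give roughly 49.5 bits of entropy per code.
const codeLen = 10

// pepper stands in for a secret kept outside the database (e.g., in a KMS);
// this constant is a constructed placeholder for the example only.
var pepper = []byte("example-pepper-replace-me")

// RecoveryStore is all the service retains: keyed hashes of the codes plus a
// used flag. The plaintext codes are displayed once and never stored.
type RecoveryStore struct {
	hashes [][]byte
	used   []bool
}

// randomCode draws each character with rand.Int so there is no modulo bias,
// then formats it as XXXXX-XXXXX.
func randomCode() (string, error) {
	b := make([]byte, codeLen)
	for i := range b {
		n, err := rand.Int(rand.Reader, big.NewInt(int64(len(codeAlphabet))))
		if err != nil {
			return "", err
		}
		b[i] = codeAlphabet[n.Int64()]
	}
	return string(b[:5]) + "-" + string(b[5:]), nil
}

// normalize lets users type lower case or omit the hyphen without weakening the check.
func normalize(code string) string {
	return strings.NewReplacer("-", "", " ", "").Replace(strings.ToUpper(code))
}

// codeHash keys the hash with the pepper, so a dumped database alone is not
// enough to brute-force the ~50-bit codes offline.
func codeHash(code string) []byte {
	m := hmac.New(sha256.New, pepper)
	m.Write([]byte(normalize(code)))
	return m.Sum(nil)
}

// IssueCodes generates n codes, returning the plaintext for one-time display
// and a store that holds only their keyed hashes.
func IssueCodes(n int) ([]string, *RecoveryStore, error) {
	plain := make([]string, 0, n)
	store := &RecoveryStore{used: make([]bool, n)}
	for i := 0; i < n; i++ {
		c, err := randomCode()
		if err != nil {
			return nil, nil, err
		}
		plain = append(plain, c)
		store.hashes = append(store.hashes, codeHash(c))
	}
	return plain, store, nil
}

// Redeem accepts a code exactly once. Every slot is compared with hmac.Equal
// (constant time) and the loop never exits early, so timing does not reveal
// which slot matched.
func (s *RecoveryStore) Redeem(code string) bool {
	h := codeHash(code)
	match := -1
	for i := range s.hashes {
		if hmac.Equal(h, s.hashes[i]) && !s.used[i] {
			match = i
		}
	}
	if match < 0 {
		return false
	}
	s.used[match] = true
	return true
}

// Remaining reports how many unused codes are left, so the user can be prompted
// to regenerate a fresh set before running out.
func (s *RecoveryStore) Remaining() int {
	n := 0
	for _, u := range s.used {
		if !u {
			n++
		}
	}
	return n
}

func main() {
	codes, store, err := IssueCodes(8)
	if err != nil {
		panic(err)
	}
	fmt.Println("show once, then store offline:", codes)
	fmt.Println("first use:", store.Redeem(codes[0]))  // true
	fmt.Println("second use:", store.Redeem(codes[0])) // false
	fmt.Println("remaining:", store.Remaining())       // 7
}
```

The two properties a user should verify when a service hands out recovery codes follow directly from this design: a code that works twice means the service is not consuming them, and a set that can be re-displayed later means the plaintext is stored somewhere it should not be.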
### Short-term Improvements (1-3 months)
1. **Establish a Credential Management Standard:** Based on your chosen BYO manager, define internal team standards for where credentials (including passkeys) are stored and how they are shared or managed across employees or personal devices.
2. **Audit Existing Multi-Factor Authentication (MFA):** Review accounts where MFA is active and verify the associated methods (especially backup codes or secondary devices) in preparation for replacing password-based MFA with native passkey support.
3. **Prioritize Phishable Credential Migration:** Begin the process of migrating high-value, frequently targeted accounts (e.g., email, banking, primary social media) to use passkeys as they become available.
### Long-term Strategy (3+ months)
1. **Develop a Structured Passkey Adoption Roadmap:** Create a phased plan to migrate all enterprise and personal applications to passkey authentication, starting with internal services and progressing to external vendors based on vendor support and security posture.
2. **Document Account Recovery Procedures:** Formalize organizational or personal documentation detailing the exact steps required to recover access should primary devices or credential managers become inaccessible, relying heavily on pre-stored recovery codes.
3. **Evaluate Profile Segmentation Strategy:** Determine if separate, policy-enforced browser profiles (e.g., for personal vs. work) are required. If so, plan to install and configure compatible credential manager extensions separately within each profile, even if they connect to the same underlying account (where permitted by policy).
## Implementation Guidance
### For Small Organizations
- **Focus on BYO Simplicity:** Select a single, highly-rated BYO credential manager that offers robust, easy-to-manage features across all necessary operating systems (Windows, macOS, Android, iOS). Limit reliance on built-in managers due to their lack of user control.
- **Centralized Recovery Code Repository:** Designate one trusted individual or use a secure, encrypted service to hold the master set of recovery codes for critical organizational accounts.
### For Medium Organizations
- **Implement BYO Manager via Deployment:** Evaluate options for deploying the chosen BYO credential manager across employee devices via existing Mobile Device Management (MDM) solutions or group policy objects (GPOs).
- **Policy Definition for Profile Use:** Create official IT policy regarding the use of separate browser profiles (personal vs. work). If usage is allowed, explicitly outline the requirement for installing corresponding credential manager extensions in each profile.
### For Large Enterprises
- **Vendor Vetting for Passkey Integration:** Begin technical assessments of vendor support for FIDO standards and passkey APIs within mission-critical business applications.
- **Zero-Trust Recovery Framework:** Build standardized recovery procedures into the Identity and Access Management (IAM) framework, assuming that loss of access or compromise (e.g., lost device, corrupted OS) is plausible and requires immediate, strictly verified steps using recovery codes, every use of which must be audited.
- **Segregation of Duties:** If using browser profiles, ensure IT enforces separation by potentially requiring different credential managers (one BYO for personal, one enterprise-approved solution for work) that align with corporate security mandates.
## Configuration Examples
*(Note: Specific configuration commands are highly dependent on external vendor software, but the principles are derived from the need for separation and redundancy.)*
**Principle: Utilizing Multiple Browser Profiles with a Single Credential Manager Account (If Permitted)**
1. **Install Browser:** Install Chrome (or preferred browser) for Personal Use and a second instance (or profile) for Work Use.
2. **Install Extension (Personal Profile):** In the Personal Profile, install the BYO Credential Manager extension. Log in and sync credentials.
3. **Install Extension (Work Profile):** In the Work Profile, install the *same* BYO Credential Manager extension. Log in using the *same* account credentials.
4. **Validation:** Verify that both extensions function independently within their respective profiles, capable of autofilling credentials relevant only to activities conducted within that profile's context.
5. **Policy Check:** Confirm with organizational security/compliance that tying personal and work browsing contexts via the same credential manager account is not a policy violation.
## Compliance Alignment
- **NIST SP 800-63B:** The shift to passkeys directly supports digital identity guidelines concerning Authenticator Assurance Levels (AALs), particularly AAL3, by providing phishing-resistant factors.
- **ISO/IEC 27002 (A.5.15/A.8.5):** Supports requirements for managing access rights and secure authentication mechanisms by replacing vulnerable secrets (passwords) with public-key cryptography.
- **CIS Critical Security Controls (Control 5: Account and Access Control):** Enhances control effectiveness by moving authentication decisions away from user-held shared secrets toward platform/cryptographically bound authenticators.
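The three alignments above rest on one mechanism: a passkey is a public-key credential scoped to a relying-party ID, and the signed login response includes the origin the browser observed and a fresh challenge. The Go program below is an added, simplified model of that exchange (it is not code from ZDNET, the FIDO Alliance, or any vendor on this page) showing why a lookalike site cannot obtain a usable assertion and why a captured assertion cannot be replayed. It collapses browser and authenticator into one `Assert` step, reduces WebAuthn's authenticator data to just the RP ID hash, and uses `example.com` and `example-com.evil.test` as constructed host names; the `Register`/`Assert`/`Verify` functions are the example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Credential is what the authenticator (platform or BYO credential manager)
// keeps after registration: a private key scoped to exactly one RP ID.
type Credential struct {
	RPID string
	Priv *ecdsa.PrivateKey
}

// clientData mirrors WebAuthn's collectedClientData. The browser, not the web
// page, fills in Origin, and the authenticator signs over the hash of it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the authenticator's reply to a login challenge.
type Assertion struct {
	ClientDataJSON []byte
	AuthData       []byte // simplified: only the RP ID hash (real authData also carries flags and a counter)
	Signature      []byte
}

// Register creates a P-256 key pair for rpID. The private key stays in the
// credential; only the public key reaches the relying party's database.
func Register(rpID string) (*Credential, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Credential{RPID: rpID, Priv: priv}, &priv.PublicKey, nil
}

// originAllowedForRPID applies the WebAuthn rule: https only, and the host
// must equal the RP ID or be a subdomain of it.
func originAllowedForRPID(origin, rpID string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" {
		return false
	}
	host := u.Hostname()
	return host == rpID || strings.HasSuffix(host, "."+rpID)
}

// signedMessage is sha256(authData || sha256(clientDataJSON)), the ES256 input.
func signedMessage(authData, clientDataJSON []byte) [32]byte {
	cdHash := sha256.Sum256(clientDataJSON)
	return sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
}

// Assert is the client side. It refuses any origin outside the credential's
// RP ID, which is what makes a lookalike phishing page come up empty.
func Assert(c *Credential, origin, challenge string) (*Assertion, error) {
	if !originAllowedForRPID(origin, c.RPID) {
		return nil, errors.New("no credential registered for this origin")
	}
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, err
	}
	rpHash := sha256.Sum256([]byte(c.RPID))
	msg := signedMessage(rpHash[:], cd)
	sig, err := ecdsa.SignASN1(rand.Reader, c.Priv, msg[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientDataJSON: cd, AuthData: rpHash[:], Signature: sig}, nil
}

// Verify is the relying-party side: the challenge it issued (anti-replay), the
// origin it expects, the RP ID hash, and finally the signature.
func Verify(pub *ecdsa.PublicKey, rpID, expectedOrigin, expectedChallenge string, a *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("unexpected ceremony type")
	case cd.Challenge != expectedChallenge:
		return errors.New("challenge mismatch: stale or replayed assertion")
	case cd.Origin != expectedOrigin:
		return errors.New("origin mismatch: assertion was produced for another site")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(a.AuthData, rpHash[:]) {
		return errors.New("RP ID hash mismatch")
	}
	msg := signedMessage(a.AuthData, a.ClientDataJSON)
	if !ecdsa.VerifyASN1(pub, msg[:], a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	cred, pub, err := Register("example.com")
	if err != nil {
		panic(err)
	}
	a, err := Assert(cred, "https://example.com", "c0ffee")
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine login:", Verify(pub, "example.com", "https://example.com", "c0ffee", a))
	_, err = Assert(cred, "https://example-com.evil.test", "c0ffee")
	fmt.Println("lookalike origin:", err)
	fmt.Println("replayed assertion:", Verify(pub, "example.com", "https://example.com", "fresh", a))
}
```

The point for the compliance mappings is that no shared secret ever leaves the authenticator: the relying party stores a public key, and an attacker who captures the whole exchange gets a signature that is valid only for one origin and one challenge.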
## Common Pitfalls to Avoid
- **Over-reliance on Built-in Managers:** Do not solely trust operating system or browser-native credential managers, as they often offer less control, fewer features, and narrower cross-platform reach than dedicated BYO solutions.
- **Ignoring Recovery Codes:** Treating recovery codes as an optional backup. In a passkey world, they become the *primary* method of recovering access when cryptographic keys are lost (e.g., device failure).
- **Assuming Passkeys are Infallible:** While passkeys stop phishing, they do not protect against physical device theft or poor physical security. They still require strong management and device protection.
- **Inconsistent Syncing:** Failing to verify that the chosen credential manager is actively syncing secrets across all user devices, leading to credential asymmetry and potential lockout.
## Resources
- FIDO Alliance Documentation on Passkeys (Search for "FIDO Alliance Passkeys")
- **BYO Credential Manager Documentation:** Review current offerings from providers such as 1Password, Bitwarden, LastPass, and NordPass for feature comparisons and cross-platform support.
- **Operating System Credential Manager Documentation:** Review support documentation for Apple Passwords, Google Password Manager, and Microsoft's built-in credential handling mechanisms.