Full Report
The UK government has announced that it will replace its current SMS verification system with passkeys by the end of 2025.
Analysis Summary
# Best Practices: Migrating to Passkeys for Enhanced Account Security
## Overview
These practices focus on adopting Passkeys—cryptographically secure credentials leveraging public-key cryptography and device-based biometrics—to replace less secure, phishable authentication methods like SMS-based Two-Factor Authentication (2FA) across digital services, significantly reducing the risk of account compromise via phishing and man-in-the-middle (MITM) attacks.
## Key Recommendations
### Immediate Actions
1. **Assess Current Authentication Vulnerabilities:** Identify all critical digital services currently relying on SMS or email-based 2FA, prioritizing those handling sensitive data (e.g., tax, benefits, financial information).
2. **Establish Passkey Rollout Mandate:** Formally mandate the transition away from SMS 2FA to phishing-resistant methods (specifically Passkeys) as the primary authentication mechanism for high-value accounts, setting a firm decommissioning deadline (e.g., 9-12 months).
3. **Pilot Program Initiation:** Select a small, non-critical user group or internal system to pilot the implementation, testing the end-to-end functionality of Passkey registration, usage, and recovery processes.
### Short-term Improvements (1-3 months)
1. **Integrate Passkey API Support:** Begin development or integration work to add support for the WebAuthn standard (which underlies Passkeys) into authentication services.
2. **Develop User Onboarding Flows:** Create clear, concise, and accessible user guides and in-app tutorials specifically detailing how users can register and use their device's biometric sensors for Passkey authentication. Address recovery mechanisms immediately.
3. **Secure Recovery Strategy Implementation:** Design and implement a secure offline or out-of-band account recovery process for users who lose access to their registered devices, ensuring this mechanism does not reintroduce SMS vulnerability.
### Long-term Strategy (3+ months)
1. **Full Deprecation Timeline Enforcement:** Execute a phased rollout, moving user groups to mandatory Passkey usage, and formally decommission the ability for new users to register using SMS 2FA.
2. **Cross-Platform Compatibility Check:** Ensure that Passkey implementation supports credential synchronization across major operating systems and browsers (e.g., FIDO standard compliance) to facilitate a consistent user experience regardless of the device used.
3. **Establish Continuous Monitoring:** Implement monitoring to track the adoption rate of Passkeys and the rate of authentication failures/support requests post-migration, allowing for iterative improvements to the onboarding process.
## Implementation Guidance
### For Small Organizations
- **Leverage Existing Platform Support:** If using SaaS services, immediately check if the provider supports Passkeys (WebAuthn). Enable this feature first before modifying custom applications.
- **Standardized Device Policy:** Mandate the use of devices (mobile/laptops) that support native biometric authentication (e.g., Windows Hello, Apple Touch ID/Face ID) for organizational access.
### For Medium Organizations
- **Phased Migration Plan:** Develop a centralized migration plan targeting internal business functions step-by-step instead of a "big bang" approach. Start with administrative or IT access first.
- **Invest in Developer Training:** Ensure development teams are trained on the WebAuthn API specifications to correctly implement client-side registration and server-side verification logic, focusing heavily on robust credential attestation and validation.
### For Large Enterprises
- **Centralized Credential Management:** Integrate Passkey infrastructure directly into existing Identity and Access Management (IAM) solutions, treating Passkeys as a privileged factor.
- **Adversary Simulation Testing:** Conduct targeted phishing simulations specifically designed to trick users into providing SMS codes *before* the full migration, ensuring controls are robust against existing adversary tactics (like MITM phishing kits) that target older MFA methods.
- **Policy Enforcement:** Use Mobile Device Management (MDM) solutions to enforce baseline security requirements (e.g., required device biometrics) before allowing Passkey enrollment for corporate resources.
## Configuration Examples
*No specific configuration code or settings were provided in the context; however, the reliance on the **WebAuthn API** standard is the critical technical component.*
**General Technical Requirement:**
The authentication service must implement server-side validation following the FIDO Alliance's WebAuthn/FIDO2 specifications: it uses the **Public Key** stored at registration to verify the assertion signature produced by the user's device, and it accepts the assertion only if the signed data also carries the challenge it issued and the expected origin and relying-party ID.
## Compliance Alignment
- **NIST SP 800-63B (Digital Identity Guidelines):** Passkeys align well with the highest assurance levels (AAL3) as they are inherently phishing-resistant, mitigating credential phishing risks that challenge lower assurance levels relying on knowledge factors (passwords) or possession factors (SMS tokens).
- **CIS Controls (v8):** Directly supports **Inventory and Control of Enterprise Assets (Control 1)** and **Account Management (Control 5)** by establishing strong identity proofing mechanisms that bind users to their devices.
- **ISO/IEC 27001 (A.9 Identity and Access Management):** Enhances the control objective by providing evidence of strong authentication mechanisms replacing weaker ones prone to interception.
## Common Pitfalls to Avoid
1. **Treating Passkeys Like Passwords:** Do not store the cryptographic material server-side; Passkeys must rely on the secure element of the user's private device.
2. **Neglecting Account Recovery:** Failing to implement a multi-step, secure recovery method (e.g., using registered recovery codes or security questions checked via a separate, secure channel) will lead to massive user lockout frustration and support burden.
3. **Assuming SMS Deprecation is Instantaneous:** Do not immediately disable SMS MFA for all users simultaneously. Execute the migration in measured phases to allow all user segments time to successfully register their Passkeys.
4. **Ignoring Browser/OS Compatibility:** Deploying Passkeys without confirming support across the organization’s required browser mix will fragment the user base and hinder adoption.
## Resources
- **FIDO Alliance Documentation:** Essential technical reading for understanding multi-device credentials (synced passkeys) and WebAuthn standards compliance.
- **NIST SP 800-63B:** Review authentication assurance level requirements to benchmark the security gains of moving from SMS to Passkeys.
- **Browser Vendor Documentation (e.g., Chrome, Firefox):** Consult official guides for the latest security updates and best practices regarding Passkey implementation within their respective platforms.