Full Report
FIDO Alliance found an uptick in awareness and takeup of passkeys as an alternative method to passwords
Analysis Summary
# Best Practices: Account Security and Password Alternatives
## Overview
These practices are designed to mitigate the significant risk posed by weak or compromised traditional passwords, which result in account hacks for a large percentage of online users. The key focus is on migrating users toward modern, phishing-resistant authentication methods like passkeys.
## Key Recommendations
### Immediate Actions
1. **Assess Current Password Strength Policies:** Immediately review and enforce minimum complexity, length (e.g., minimum 12 characters), and uniqueness rules for all organizational accounts where passkeys are not yet deployed.
2. **Block Credential Stuffing Lists:** Implement controls to immediately block authentication attempts using credentials known to be compromised in public breaches.
3. **Communicate Password Hygiene:** Launch an immediate internal campaign emphasizing the danger of reusing passwords across different services.
### Short-term Improvements (1-3 months)
1. **Promote Multi-Factor Authentication (MFA) Adoption:** For all existing systems not supporting passkeys, mandate and enforce MFA for all user accounts, prioritizing methods resistant to SMS interception (e.g., TOTP apps, hardware tokens).
2. **Initiate Passkey Integration Planning:** Identify the top 10 externally facing and critical internal applications used by your organization and create a project plan to enable FIDO-compliant passkey support within 90 days.
3. **User Awareness Campaign on Passkeys:** Deploy targeted training sessions explaining what passkeys are, how they work (biometrics securely tied to cryptographic keys), and highlighting their superior security and convenience over traditional methods.
### Long-term Strategy (3+ months)
1. **Phased Password Decommissioning:** Develop a long-term roadmap to transition all eligible accounts (internal and external services) away from traditional password authentication entirely, prioritizing services with the highest threat exposure.
2. **Monitor Industry Adoption:** Continuously track the adoption rate of passkeys among critical third-party vendors and service providers you rely on, and incorporate this into vendor risk management processes.
3. **Implement Device Health Checks:** Require strong device health attestation for passkey usage, ensuring that the device used for authentication meets minimum security standards (e.g., running up-to-date OS, functioning biometric sensor).
## Implementation Guidance
### For Small Organizations
- **Adopt Services with Native Passkeys:** When selecting new SaaS tools, prioritize those that already support FIDO/passkeys out-of-the-box to avoid immediate implementation overhead.
- **Mandate Single Authenticator App:** Require all staff to use one standardized authenticator application (e.g., Authy, Microsoft Authenticator) for TOTP redundancy while passkeys are rolled out.
### For Medium Organizations
- **Pilot Passkey Rollout:** Select a non-critical department or application for an initial passkey pilot group to gather feedback on user experience and troubleshoot integration issues before a wider rollout.
- **Inventory Authentication Methods:** Conduct a full audit of all applications utilizing passwords and rank them based on criticality and the ease of integrating passkey support.
### For Large Enterprises
- **Centralized IAM Integration:** Integrate passkey enrollment and management directly into the existing Identity and Access Management (IAM) infrastructure to ensure centralized policy enforcement and reporting.
- **Develop Fallback and Recovery Procedures:** Establish secure, tested procedures for user account recovery (entropy source proof) when users lose access to their primary authenticating devices (where passkeys are stored locally).
## Configuration Examples
*The provided text mentions that passkeys use cryptographic credentials where a private key is stored on the user's device (enabled by biometrics) and verified against a public key stored on the server. Specific configuration command lines were not provided; however, the implementation strategy centers around enabling FIDO standards within the organization's authentication servers or IdPs.*
**Key Configuration Concept (Conceptual):**
Ensure that deployed authentication servers or Identity Providers (IdPs) are configured to adhere strictly to the **WebAuthn API** specifications, which underpin FIDO and passkey technology, utilizing Elliptic Curve Cryptography.
## Compliance Alignment
- **NIST SP 800-63B (Digital Identity Guidelines):** Migrating away from shared secrets (passwords) toward cryptographic methods (passkeys) directly aligns with increasing the strength requirements for Authenticator Assurance Levels (AALs), specifically AAL2 or AAL3 where appropriate.
- **CIS Controls (Critical Security Controls):** Directly addresses **Control 5 (Account Management)** and **Control 6 (Access Control Management)** by strengthening the verification method used for access.
- **GDPR/CCPA:** Enhancing authentication via passkeys improves Data Protection by Design by making unauthorized data access significantly harder.
## Common Pitfalls to Avoid
- **Forgetting Password Abandonment Cost:** Do not neglect the "forgot password" scenario for users, as 48% reported abandoning purchases due to this—ensure passkey recovery mechanisms are as smooth as possible.
- **Treating Passkeys Merely as Biometrics:** Understand that passkeys are **cryptographic credentials** secured by biometrics, not just replacements for traditional MFA tokens. The security comes from the binding of the private key to the device, not just the fingerprint scan itself.
- **Inconsistent Rollout:** Avoid allowing users to remain on weak password-only authentication for critical systems while newer systems utilize passkeys, as this creates security asymmetry.
## Resources
- **FIDO Alliance Documentation:** Review official documentation regarding WebAuthn implementation standards. (Link to FIDO Alliance guidance on implementation, defanged).
- **MFA Implementation Guidance:** Reference guides on enforcing strong MFA for legacy systems while preparing the shift to passkeys. (General guidance on NIST SP 800-63B).