• Part 1: Initial Assessment and Planning
• Part 2: Stakeholder Management
• Part 3: Product, Design & Strategy Development
• Part 4: Integrating Passkeys Into an Enterprise Stack

For years, organizations had to choose between security and user experience (UX) when it came to building their authentication solution. Traditionally, enhancing one meant compromising the other. Most of today’s consumer MFA systems rely on passwords/PINs combined with SMS one-time passcodes (OTPs), but they fall short in providing both top-tier security and user convenience. Passkeys offer a phishing-resistant, user-friendly authentication method that transforms how consumers interact with digital services. While still emerging, passkeys are rapidly gaining traction, especially among:

• regulated industries (e.g. healthcare, finance, insurance),
• governmental functions, and
• large consumer services

aiming to offer secure MFA options to consumers.

Introducing passkeys into existing systems is not without its challenges. It's one of the most complex setups for integrating a new authentication factor, requiring careful planning and execution. In this article, we aim to address several critical questions:

• What are the problems of large-scale consumer deployments?
• How do passkeys address those problems and solve them?
• How to introduce passkeys into an existing large-scale consumer deployment?
• What is the decisive factor for long-term benefits and ROI when introducing passkeys?

We'll begin by exploring in which industries typical large-scale deployment can be found, what characteristics they have and then continue to address the issues plaguing large-scale consumer MFA deployments.

There are various types of consumer-facing companies with large user bases, and the need for security varies depending on the nature and sensitivity of the information they store. Companies dealing with more critical data tend to offer MFA more frequently, though it's not always mandated by regulations. These industries are at the forefront of adopting passkeys as an MFA solution to enhance user experience, using passkeys to offer a more seamless authentication process. We will focus on those in this article.

These deployments are special because they are in industries where security, regulatory and compliance are very critical, while at the same time consumers are used to incredible UX. Examples include:

• Government Services: E-government platforms, tax filing, social services, further government to citizen functionality.
• Financial Institutions: Banks, credit unions, superannuation funds and fintech companies offering online banking, investment platforms, crypto platforms and payment services.
• Insurance Companies: Providing policy management and claims processing through online portals.
• Healthcare Providers: Patient portals for accessing medical records, scheduling appointments, and telehealth services.
• Large Consumer Platforms: Operating system clouds (e.g. iCloud, Google account), ecommerce giants (e.g. Amazon), social media networks (Meta), and cloud service providers with extensive user bases that need to protect important consumer data.

Large-scale consumer MFA deployments possess certain characteristics that distinguish them from smaller implementations. Understanding these features is crucial for addressing the unique challenges they present.

Organizations with large-scale deployments often serve millions of users across various regions. This extensive user base introduces unique complexities:

• Massive User Base: Serving a vast number of users means that any security vulnerability can have widespread consequences. Attackers are more likely to target these organizations because the potential payoff is significant. For example:
  • Simplified Targeting of Individuals: Due to their large market share, attackers can assume that many individuals are customers of the large-scale service, making phishing and credential stuffing attacks more efficient.
  • Higher Likelihood of Attack Success: With more users, there's a greater chance that stolen credentials from other older and more recent breaches will match active accounts on these platforms.
• Long Operational Histories: Many of these organizations have been operating for decades, accumulating a significant number of legacy user accounts. These older user accounts may present additional risks:
  • Outdated Cyber Security Practices: Legacy accounts might use weak passwords or lack modern security measures like MFA, making them easier targets for attackers.
  • Higher Vulnerability to Credential Stuffing: Users may have reused passwords that have been compromised in other data breaches over the years, increasing vulnerability to credential stuffing attacks.
  • Inactive or Dormant Accounts: Accounts that haven't been accessed in a long time may not be closely monitored by users, providing an opportunity for unauthorized access without immediate detection.

The combination of a massive user base and long operational histories makes large-scale deployments particularly attractive to cybercriminals. Attackers can exploit these factors by:

• Large-Scale Phishing Campaigns: With a higher probability that recipients of phishing messages are actual customers of service, phishing attempts become more effective.
• Automated Credential Stuffing Attacks: Using automated tools to test large volumes of stolen credentials, attackers can gain unauthorized access to user accounts, especially when password reuse is prevalent.

In large-scale consumer deployments, meeting user experience (UX) expectations is as critical as ensuring security. Users today have high standards for digital interactions influenced by big tech companies like Apple, Google, Meta or Microsoft:

• Diverse User Base Needs: The vast user base includes individuals with varying levels of technical proficiency, device preferences, and accessibility requirements. Authentication processes must be intuitive and accommodating for all users, not only tech-savvy ones.
• High Expectations for Convenience: Users expect quick and seamless access to services. Complex or time-consuming authentication steps can lead to frustration, abandonment of the login process, or decreased overall satisfaction.
• Consistent Experience Across Devices: Enhancing security should not compromise the user experience. Users may access services from multiple devices. That’s why ensuring a consistent authentication experience on all devices, browser and apps (native and web) is essential and expected.
• Competitive Advantage Through UX: A superior user experience can differentiate an organization in a crowded market. Companies that provide secure yet effortless access are more likely to retain users and attract new ones. A good example are modern neo-banks trying to disrupt legacy banks.
• User Education and Support: Introducing new authentication methods requires clear communication and assistance to help users adapt (e.g. via chatbots, FAQ, videos). Providing resources and responsive support enhances the overall experience.

By recognizing the importance of UX, organizations can implement MFA solutions that users are willing to adopt. Prioritizing UX in the deployment strategy leads to higher satisfaction, better security practices among users, and ultimately, a more secure environment. Just remember, if the UX does not meet consumer expectations, they will find workarounds, negating all security benefits.

While MFA is enhancing security for consumer services, large-scale deployments face significant hurdles as we have seen in the characteristics above. Traditional MFA methods, typically combining passwords or PINs with SMS OTPs, struggle to provide both robust security and a seamless UX. Below are the key challenges inherent in these systems:

A primary reason for implementing MFA is to mitigate account takeover risks. However, phishing remains a threat even with MFA in place. Attackers create counterfeit websites resembling legitimate services to trick users into entering their credentials and OTPs. Since traditional MFA methods like SMS OTPs are not phishing-resistant, attackers can intercept both the password and the OTP in real-time. This MFA vulnerability has persisted for years and has been technically challenging to eliminate – until phishing-resistant passkeys emerged.

When offered MFA options, consumers overwhelmingly choose and want SMS-based OTPs due to their simplicity and familiarity (usually more than 90% of users opt for SMS MFA). However, this preference results in substantial SMS costs for organizations. Each SMS sent incurs a fee, and with millions of users, these costs can escalate quickly especially in an international customer base.

Alternatives like authenticator apps using Time-based One-Time Passcodes (TOTP), such as Authy or Google Authenticator, are available but are often impractical for the average consumer due to usability issues. Especially, non-digital-native people often struggle with the time-constraint.

Developing a proprietary iOS or Android app to deliver push notifications is another option, but introduces additional complexities in development, maintenance, and user adoption – not even talking about the associated costs.

When using SMS OTP as authentication factor, recovery becomes complicated: Consumers frequently change their mobile phone numbers for various reasons, such as switching service providers or relocating to another country. Losing access to the phone number linked to their MFA means they are effectively locked out of their accounts. This scenario leads to increased customer support calls and necessitates stringent identity verification processes for account recovery. Not only does this create a frustrating experience for users, but it also results in significant operational costs for organizations due to the resources required for recovery procedures.

In the following section, we will take a look at how passkeys can help to solves these problems.

Passkeys represent a significant change in authentication methods, combining security with user-friendly experience learned from mobile phones. Built on the WebAuthn standard and utilizing public-key cryptography, passkeys eliminate many of the vulnerabilities associated with traditional MFA systems. Below, we explore how passkeys address the challenges outlined in the previous section.

Passkeys are inherently resistant to phishing attacks. Unlike passwords and SMS OTPs, passkeys do not rely on shared secrets that can be intercepted or tricked out of users. Here's how they enhance security:

• Passkeys are Bound to the Original Domain: Passkeys are bound to a specific domain of the service. This means they will not authenticate on fake websites, rendering phishing attempts ineffective. Passkeys simply cannot be used on phishing websites.
• Public-Key Cryptography Prevents Credential Theft: When a user registers a passkey, their device generates a unique key pair – one public and one private key. The public key is stored on the server, while the private key never leaves the user's device. Since the private key isn't transmitted during authentication, there's nothing for attackers to steal or intercept.
• Passkeys Comply with Modern Regulations: The mentioned factors help expanding security measures to protect customers from phishing, addressing the regulatory trend to phishing-resistance into more and more legislation (e.g. Essential Eight, NIST).

By eliminating the possibility of credential interception, passkeys effectively neutralize phishing as an account-takeover vector.

Passkeys operate entirely over secure internet connections (https://) without relying on telecommunication networks for OTPs. This shift offers several cost-saving and user experience benefits:

• Reduced SMS Costs: With passkeys, the need for sending SMS OTPs diminishes significantly. This reduction not only cuts down on per-message fees but also helps avoid SMS pumping fraud, where attackers generate many fake OTP requests to maliciously inflate SMS costs (also known as artificial inflated traffic – AIT). Organizations can save up to 90% in SMS-related expenses, depending on user adoption rates.
• Passkeys are Better Accessible and Can’t Be Lost: Passkeys overcome limitations associated with SMS delivery, especially in regions with unreliable mobile networks or where users have limited access to SMS services. Often cross-border delivery of SMS OTP fails and leads so problems. By utilizing internet connectivity, passkeys ensure a consistent authentication experience for users worldwide, regardless of their mobile carrier or geographic location.
• Passkey Logins are Quicker: Passkeys streamline the authentication process by eliminating the need to wait for SMS codes. Users can authenticate quickly and securely using biometric verification or device PINs, leading to faster and more seamless logins.

By reducing dependence on SMS, passkeys not only lower operational costs but also enhance the overall user experience and accessibility of your services.

Passkeys also address the issue of costly account recoveries due to lost or changed phone numbers:

• Digital Ecosystems are Less Frequently Changed: Users change their operating systems or ecosystems less frequently than they change phone numbers or carriers (e.g. the number of people leaving the Apple ecosystem is considerably low). This stability reduces the likelihood of losing access to authentication credentials.
• Login Identifiers Can’t Be Forgotten: Passkeys are stored securely on the user's device and, in many cases, synchronized across devices through cloud services or password managers. Together with the private key, the identifier (username or email) is stored allowing automatically prefilling of credentials. Consumers therefore cannot forget their username, customer number or email associated with the service, which is often the case for less frequently used services.
• Passkey Recovery is Transferred to the Operating System: Even if a user loses a device, restoring passkeys on a new device is often simpler and secured by the operating system clouds (e.g. iCloud Keychain, Google Password Manager), which require MFA with three factors to restore passkeys. This means large-scale consumer deployments basically shift the recovery aspect to the operating system cloud provider.

Over a period of 6 to 36 months after passkey introduction, as more users adopt passkeys, organizations can expect a noticeable decline in account recovery incidents, leading to lower support costs and improved user satisfaction.

Passkeys eliminate phishing risks, reduce SMS costs, and decrease account recovery incidents by providing secure, user-friendly authentication. They effectively address the challenges of account-takeovers, high SMS expenses, and recovery complexities in large-scale consumer MFA deployments. The following table shows a summary of the most important aspects.

Passkeys benefit security, UX, and at the same time reduce operating costs. They have been largely accepted as the only phishing-resistant MFA option for consumers. While these points seem plausible, the introduction of passkeys is a challenge for large-scale consumer deployments. This is exactly where our Corbado Connect Enterprise Solution comes into play.

Implementing passkeys in a large-scale consumer environment is a complex process that requires meticulous planning and execution. Each organization has unique needs, and project plans will vary based on specific requirements. At Corbado, we specialize in assisting large enterprises through this transition.

We want to cover all the steps involved in introducing passkeys in a dedicated, multi-part blog series. This series will explain each phase, providing guidance on recommendations, but also be showcasing how Corbado Connect can facilitate a seamless integration tailored to your organization's needs.

Below is an outline of the key steps involved in introducing passkeys into a large-scale consumer deployment:

Project plan as image to share or use in internal boards

Download image here

This table provides an overview of the critical steps for a successful passkey integration. While project specifics will vary, these phases are fundamental in large-scale consumer deployments. Our upcoming multi-part series will explore each step in detail, offering in-depth guidance and insights. Having outlined the integration process, let's briefly consider the next steps after implementing passkeys.

With passkeys integrated, the next crucial focus is on streamlining and securing account recovery processes, especially for users who may lose access to their passkeys and fallback methods. Traditional recovery methods particularly in large-scale consumer deployments tend to be manual processes.

One of the most effective digital methods is selfie identification with liveness checks. This process involves users taking photos of their government-issued ID along with a live selfie. Advanced technology verifies the authenticity of the ID and ensures the selfie is captured in real-time, confirming that the user is physically present and matches the ID. This prevents fraud attempts using static images or stolen IDs.

This method is particularly beneficial when traditional recovery channels like email or SMS are unavailable or outdated. By leveraging biometric verification and AI-driven checks, organizations can offer a secure and user-friendly way for users to regain access to their accounts without manual intervention.

Implementing smart recovery processes offers several advantages:

• Ensure Strong Security Levels: Provides a high level of assurance that the person attempting recovery is the legitimate account owner.
• Make Users Happy: Offers a quick and convenient recovery option, reducing user frustration and downtime.
• Reduced Operational Costs for Manual Recovery: Minimizes the need for support staff involvement in account recovery, lowering associated costs.

Our platform can integrate seamlessly with leading identity verification providers, ensuring compliance with data protection regulations. By automating recovery workflows and providing intuitive user guidance, Corbado Connect helps organizations improve their security levels while enhancing overall user satisfaction.

With a secure and user-friendly authentication system (based on passkeys) in place, organizations can consider transitioning towards a passwordless future. Decommissioning passwords is the logical next step and offers several benefits:

• Eliminate Password Vulnerabilities Entirely: Remove risks associated with weak or compromised passwords.
• Simplify Authentication by Reducing Number of Login Options: Streamline the login process to prevent user confusion about which login method was used on each device.
• Stay Ahead of Regulations: Align with emerging security standards and regulatory requirements favoring passwordless authentication (e.g. NIST, Essential Eight, CISA).

Transitioning to a truly passwordless system requires strategic planning, including stakeholder engagement, user education, and compliance checks. Corbado Connect provides the expertise and tools necessary to navigate this transformation smoothly in the future.

Implementing passkeys and moving towards a passwordless future offers substantial long-term benefits and a compelling return on investment (ROI). Key advantages include:

• Reduced Account-Takeovers: By eliminating passwords and introducing phishing-resistant authentication via passkeys, organizations can significantly lower the risk of account-takeovers.
• Comply to Regulation: Strengthen compliance with security regulations (e.g. Essential Eight, NIST, CISA), reducing the risk of penalties.

• SMS OTP Cost Reduction: With fewer users relying on SMS-based OTPs, organizations can save significantly on messaging costs. Depending on the size of the user base, SMS cost savings can range from $1 million to $25 million per year, even when not every user has turned on SMS MFA yet.
• Lower Account Recovery Costs: Streamlined digital recovery processes reduce customer support demands, leading to operational cost savings.

• Quick Authentication: Users enjoy faster, more convenient logins without the hassle of passwords or waiting for OTPs.
• Increased User Satisfaction: A smooth authentication experience enhances customer loyalty and engagement with the entire product and brand.

• Become a Digital & Market Leader: Adopting cutting-edge security measures positions your organization as an industry leader.
• Attracting Security-Conscious Consumers: Appeal to users who prioritize security and user experience.

While developing a passkey integration solution in-house is possible, it entails a significant initial software development effort and requires extensive expertise especially in the large-scale context. Building such a solution involves several challenges:

• Extensive Passkey, WebAuthn and CIAM Know-How: Implementing passkeys demands deep understanding of complex authentication protocols, security standards, and the continuously evolving WebAuthn specifications. A good starting point to understanding WebAuthn and handling its complexity are the following blog posts:
  • WebAuthn pubKeyCredParams & credentialPublicKey
  • WebAuthn Cross-Device Authentication
  • WebAuthn User ID, User Handle, User Name, Display User Name and Credential ID
  • WebAuthn Conditional UI
  • WebAuthn Discoverable Credentials
  • WebAuthn Relying Party ID
  • WebAuthn Native Apps
  • WebAuthn User Verification & User Presence
• Comprehensive Device, Operating System and Browser Testing: Ensuring compatibility across a vast array of devices, operating systems and browsers (+ versions) is a big task. Achieving a great user experience requires exhaustive testing on different platforms to address inconsistencies and edge cases at the same time automated testing is difficult with platform authentication. To read more about testing, we recommend to take a look at these blog posts:
  • Multi-Device Testing with ngrok
  • Passkeys and PlayWright E2E Testing
  • Passkeys and Selenium E2E Testing
  • Parallels Passkeys
  • Safari WebAuthn User Gesture Not Detected
  • iOS 15 Passkeys
  • Passkeys & Incognito Mode
  • Passkeys & iframes
• Continuous Maintenance and Addition of new WebAuthn Features: The authentication landscape, and especially the passkeys / WebAuthn area is quickly evolving. An internally developed solution would require ongoing maintenance to integrate new features and adapt to client changes. See our blog posts for further details (to just name a few from the past three months):
  • New authenticator capabilities like cross-platform syncing of passkeys via Google Password Manager
  • WebAuthn Signal API
  • Automatic Passkey Creation
• Resource Intensiveness of Building an In-House Passkey Solution: Allocating substantial internal resources for development and maintenance can divert focus from your core business activities. This not only impacts productivity but also increases operational costs without guaranteeing optimal outcomes. A few things you need to take care of are:
  • Passkey Fallback & Recovery
  • Use Client Hints & User-Agents for Device Detection
  • Check for Bluetooth Availability for Cross-Device Authentication
  • Prepare Database for Passkeys
  • Passkeys Developer Cheat Sheet

On the other hand, opting to "buy" by partnering with Corbado offers significant advantages:

• Expertise in Managed and Gradual Rollouts: We specialize in deploying passkeys effectively, ensuring high adoption rates through tailored strategies that encourage widespread user engagement. Our rollouts happen in stages, where we enable passkeys for certain devices, user cohorts or randomized shares of users.
• Optimized Passkey User Experience: Our UI design as well as user flows are inspired by large consumer platform implementations (e.g. Google’s own passkey implementation which is one of the most user-friendly ones and has one of the strongest passkey adoption numbers), and promotes seamless interactions across all devices. We have conducted extensive device testing to ensure compatibility and a consistent user experience on all devices for all users.
• Continuous Passkey Updates and Maintenance: Corbado stays ahead of technological advancements, continuously integrating new passkey features like Google Password Manager’s support to sync passkeys across platforms, the WebAuthn Signal API to change passkey metadata and delete passkeys client-side, and Automatic Passkey Creation. This relieves you of the maintenance burden and ensures your authentication system remains cutting-edge.
• Dedicated Integration, Rollout and Maintenance Support: We provide deep integration support into all common web technologies and can help your teams on-site with implementing our solution. Besides, we provide ongoing assistance to adapt and refine your authentication system as technologies and user needs evolve, ensuring sustained performance and security.

By partnering with Corbado, organizations can leverage our expertise to effectively realize all the savings and benefits associated with passkeys. Our proven approach not only enhances security and UX but also delivers a strong ROI without the overhead of developing and maintaining a complex system in-house.

Achieving high passkey adoption rates is critical for realizing the long-term benefits and return on investment of implementing passkeys. The full spectrum of security enhancements and cost savings materializes only when a significant majority of users uses the new authentication method. However, driving this adoption internally presents several challenges:

• User Resistance to Change: Encouraging users to shift from familiar authentication methods (e.g. passwords) to passkeys requires strategic communication and regular reminders. Without tailored communication, passkey adoption rates may remain low, limiting the effectiveness of your investment.
• Complexity of User Education and Support: Educating a large user base about the benefits and usage of passkeys demands a well-planned approach. This includes creating educational materials, training support staff, and handling user inquiries – all of which require additional resources and expertise.
• Embed New Passkey Features Continuously: Keeping up with client changes and technological passkey advancements—requires continuous effort. An internal team must be dedicated to integrating these updates to maintain compatibility and optimal functionality.

Corbado Connect excels in managing these complexities through:

• Maximize Passkey Adoption Rate: We provide comprehensive educational resources and personalized communication strategies to make users aware of the ease and benefits of passkeys, encouraging a smoother transition. We ensure a high adoption rate by regularly reminding the customer to create (e.g. after successful login with conventional authentication methods) and asking to add local passkeys after a hybrid QR-code based login. All while making sure that this user, device, operating system, and browser are passkey-ready.
• Maximize Passkey Login Rate: By utilizing an "Identifier-First" approach, our system intelligently determines whether a passkey login should be initiated or if a hybrid login process is needed (or if no passkey login should be initiated at all). In cases where passkey login is not feasible, a fallback option is automatically provided, ensuring a seamless login UX while maintaining security. Depending on the use case, other factors can be used like One-Tap Login or Conditional UI to further improve the login rate with passkeys to avoid costly fallbacks to SMS OTP.
• Best Personalized Passkey Experience: Our solution continuously learns from user behavior and KPIs to improve the overall passkey experience (we call this passkey intelligence). Each account receives tailored login options, ensuring a user-centric, optimized interaction that enhances satisfaction and security.
• Adaptability to Technological Passkey Changes: Our team constantly integrates new features and evolves alongside the latest developments in authentication technology, including support for new authenticators or automatic passkey creation. This adaptability ensures that your system remains cutting-edge without burdening your internal resources.

Choosing Corbado means leveraging our expertise to maximize passkey adoption and effectively manage ongoing maintenance and technological advancements. This approach ensures that your organization fully benefits from the transition to passkeys, achieving a strong ROI through enhanced security, reduced costs, and improved user satisfaction.

In conclusion, passkeys are a unique solution to the longstanding challenges faced by large-scale consumer deployments in authentication. We have answered the questions we had set in the introduction with the following key insights:

• What are the problems of large-scale consumer deployments?
  Large-scale deployments have to deal with issues like account-takeovers via phishing, very high SMS OTP costs, and cumbersome account recovery processes. These problems compromise both security and user experience, making it difficult to balance the two effectively.
• How do passkeys address those problems and solve them?
  Passkeys mitigate these issues by being inherently phishing-resistant through domain binding and public-key cryptography. They significantly reduce reliance on SMS OTPs, thereby cutting costs and improving user experience. Additionally, passkeys streamline account recovery processes by leveraging device / ecosystem stability and cloud synchronization, reducing the frequency and complexity of account recoveries.
• How to introduce passkeys into an existing large-scale consumer deployment?
  Implementing passkeys requires a comprehensive, multi-step approach that includes initial assessment and planning, design and strategy development, integration with existing systems, development and customization, internal preparation, testing and quality assurance, a managed rollout strategy, and ongoing support and monitoring. Each step is crucial to ensure a smooth transition and high user adoption.
• What is the decisive factor for long-term benefits and ROI when introducing passkeys?
  High user adoption rates are the decisive factor for realizing long-term benefits and ROI. The full spectrum of security enhancements and cost savings from passkeys is only achieved when a majority of users embrace the new authentication method. Strategies to drive adoption, such as user education and incentivization, are essential.

As we progress, the subsequent parts of this series will go deeper into each phase of the implementation process, providing detailed guidance and best practices to ensure a successful transition to passkeys in large-scale consumer deployments and showcase how Corbado Connect can help you successfully introduce passkeys with the highest passkey adoption & passkey login rates in the industry.