Learn how to implement passkeys as phishing-resistant MFA for large-scale consumer deployments and boost security as well as user convenience.
Vincent
Created: September 26, 2024
Updated: December 9, 2024
Our mission is to make the Internet a safer place, and the new login standard passkeys provides a superior solution to achieve that. That's why we want to keep you up to date on the latest developments in the industry.
For years, organizations had to choose between security and user experience (UX) when it came to building their authentication solution. Traditionally, enhancing one meant compromising the other. Most of today’s consumer MFA systems rely on passwords/PINs combined with SMS one-time passcodes (OTPs), but they fall short in providing both top-tier security and user convenience. Passkeys offer a phishing-resistant, user-friendly authentication method that transforms how consumers interact with digital services. While still emerging, passkeys are rapidly gaining traction, especially among:
aiming to offer secure MFA options to consumers.
Introducing passkeys into existing systems is not without its challenges. It's one of the most complex setups for integrating a new authentication factor, requiring careful planning and execution. In this article, we aim to address several critical questions:
We'll begin by exploring in which industries typical large-scale deployment can be found, what characteristics they have and then continue to address the issues plaguing large-scale consumer MFA deployments.
Recent Articles
♟️
Enterprise Passkeys: Apple, Google & Microsoft's Offerings
♟️
Passkey Revolution: Google Syncs Passkeys to Apple & Windows Devices
📖
WebAuthn Cross-Device-Authentication: Passkeys via Mobile-First Strategy
📖
WebAuthn Conditional UI (Passkeys Autofill) Technical Explanation
♟️
Enterprise Passkeys Guide: Part 4 – Integrating Passkeys Into an Enterprise Stack
There are various types of consumer-facing companies with large user bases, and the need for security varies depending on the nature and sensitivity of the information they store. Companies dealing with more critical data tend to offer MFA more frequently, though it's not always mandated by regulations. These industries are at the forefront of adopting passkeys as an MFA solution to enhance user experience, using passkeys to offer a more seamless authentication process. We will focus on those in this article.
These deployments are special because they are in industries where security, regulatory and compliance are very critical, while at the same time consumers are used to incredible UX. Examples include:
Subscribe to our Passkeys Substack for the latest news, insights and strategies.
SubscribeLarge-scale consumer MFA deployments possess certain characteristics that distinguish them from smaller implementations. Understanding these features is crucial for addressing the unique challenges they present.
Organizations with large-scale deployments often serve millions of users across various regions. This extensive user base introduces unique complexities:
The combination of a massive user base and long operational histories makes large-scale deployments particularly attractive to cybercriminals. Attackers can exploit these factors by:
In large-scale consumer deployments, meeting user experience (UX) expectations is as critical as ensuring security. Users today have high standards for digital interactions influenced by big tech companies like Apple, Google, Meta or Microsoft:
By recognizing the importance of UX, organizations can implement MFA solutions that users are willing to adopt. Prioritizing UX in the deployment strategy leads to higher satisfaction, better security practices among users, and ultimately, a more secure environment. Just remember, if the UX does not meet consumer expectations, they will find workarounds, negating all security benefits.
Become part of our Passkeys Community for updates and support.
JoinWhile MFA is enhancing security for consumer services, large-scale deployments face significant hurdles as we have seen in the characteristics above. Traditional MFA methods, typically combining passwords or PINs with SMS OTPs, struggle to provide both robust security and a seamless UX. Below are the key challenges inherent in these systems:
A primary reason for implementing MFA is to mitigate account takeover risks. However, phishing remains a threat even with MFA in place. Attackers create counterfeit websites resembling legitimate services to trick users into entering their credentials and OTPs. Since traditional MFA methods like SMS OTPs are not phishing-resistant, attackers can intercept both the password and the OTP in real-time. This MFA vulnerability has persisted for years and has been technically challenging to eliminate – until phishing-resistant passkeys emerged.
When offered MFA options, consumers overwhelmingly choose and want SMS-based OTPs due to their simplicity and familiarity (usually more than 90% of users opt for SMS MFA). However, this preference results in substantial SMS costs for organizations. Each SMS sent incurs a fee, and with millions of users, these costs can escalate quickly especially in an international customer base.
Alternatives like authenticator apps using Time-based One-Time Passcodes (TOTP), such as Authy or Google Authenticator, are available but are often impractical for the average consumer due to usability issues. Especially, non-digital-native people often struggle with the time-constraint.
Developing a proprietary iOS or Android app to deliver push notifications is another option, but introduces additional complexities in development, maintenance, and user adoption – not even talking about the associated costs.
When using SMS OTP as authentication factor, recovery becomes complicated: Consumers frequently change their mobile phone numbers for various reasons, such as switching service providers or relocating to another country. Losing access to the phone number linked to their MFA means they are effectively locked out of their accounts. This scenario leads to increased customer support calls and necessitates stringent identity verification processes for account recovery. Not only does this create a frustrating experience for users, but it also results in significant operational costs for organizations due to the resources required for recovery procedures.
In the following section, we will take a look at how passkeys can help to solves these problems.
Why Are Passkeys Important For Enterprises?
Enterprises worldwide face severe risks due to weak passwords and phishing. Passkeys are the only MFA method that meets enterprise security and UX needs. Our whitepaper shows how to implement passkeys efficiently and what the business impact is.
If you have questions, feel free to
contact usPasskeys represent a significant change in authentication methods, combining security with user-friendly experience learned from mobile phones. Built on the WebAuthn standard and utilizing public-key cryptography, passkeys eliminate many of the vulnerabilities associated with traditional MFA systems. Below, we explore how passkeys address the challenges outlined in the previous section.
Want to find out how many people can use passkeys?
View Adoption DataPasskeys are inherently resistant to phishing attacks. Unlike passwords and SMS OTPs, passkeys do not rely on shared secrets that can be intercepted or tricked out of users. Here's how they enhance security:
By eliminating the possibility of credential interception, passkeys effectively neutralize phishing as an account-takeover vector.
Passkeys operate entirely over secure internet connections (https://) without relying on telecommunication networks for OTPs. This shift offers several cost-saving and user experience benefits:
By reducing dependence on SMS, passkeys not only lower operational costs but also enhance the overall user experience and accessibility of your services.
Passkeys also address the issue of costly account recoveries due to lost or changed phone numbers:
Over a period of 6 to 36 months after passkey introduction, as more users adopt passkeys, organizations can expect a noticeable decline in account recovery incidents, leading to lower support costs and improved user satisfaction.
Passkeys eliminate phishing risks, reduce SMS costs, and decrease account recovery incidents by providing secure, user-friendly authentication. They effectively address the challenges of account-takeovers, high SMS expenses, and recovery complexities in large-scale consumer MFA deployments. The following table shows a summary of the most important aspects.
Passkeys benefit security, UX, and at the same time reduce operating costs. They have been largely accepted as the only phishing-resistant MFA option for consumers. While these points seem plausible, the introduction of passkeys is a challenge for large-scale consumer deployments. This is exactly where our Corbado Connect Enterprise Solution comes into play.
Want to try passkeys yourself? Check our Passkeys Demo.
Try PasskeysImplementing passkeys in a large-scale consumer environment is a complex process that requires meticulous planning and execution. Each organization has unique needs, and project plans will vary based on specific requirements. At Corbado, we specialize in assisting large enterprises through this transition.
We want to cover all the steps involved in introducing passkeys in a dedicated, multi-part blog series. This series will explain each phase, providing guidance on recommendations, but also be showcasing how Corbado Connect can facilitate a seamless integration tailored to your organization's needs.
Below is an outline of the key steps involved in introducing passkeys into a large-scale consumer deployment:
Project plan as image to share or use in internal boards
Step | Sub-Step | Objective | Corbado's Solution |
---|---|---|---|
1. Initial Assessment and Planning | 1.1 Device Support Analysis | Ensure device compatibility among users. | - Passkey Analyzer: Assess user device readiness (over 90% compatibility). - Data Utilization: Use external analytics like Google Analytics to plan rollout strategy. - Core Activities: Conduct passkey readiness analysis, assess feasibility |
1.2 Stakeholder Engagement | Align internal teams across departments. | - Cross-Department Workshops: Align Compliance, Security, Tech, Product, and Support teams. - Address Concerns: Provide insights on compliance, UX, and operational impacts. - Core Activities: Assess infrastructure, scalability, and security aspects; perform integration evaluations with Stakeholders. | |
2. Design and Strategy Development | 2.1 Technical Risk Mitigation | Anticipate and address technical challenges. | - Edge Case Coverage: Handle all edge cases. - Future-Proofing: Incorporate WebAuthn updates. - Core Activities: Develop fallback strategies, design user flows and use cases and WebAuthn functionality. |
2.2 Compliance and Security Considerations | Ensure regulatory compliance and data security. | - Data Privacy Assurance: No personal data stored. - Regional Deployment: Compliant installations in any AWS Region. - Core Activities: Define release strategies, security compliance, data protection, and auditing systems. | |
2.3 User Experience Design | Create an intuitive authentication experience. | - UX Consultation: Design consumer friendly flows. - Core Activities: Help designing user-friendly interface based on best demonstrated practises incorporated into existing UI. | |
3. Integration with Existing Systems | 3.1 Compatibility with Authentication Systems | Integrate passkeys without overhauling infrastructure. | - Broad Compatibility: Works with custom solutions or backend authentication systems like AWS Cognito. - API Integration: Smooth integration with existing systems. - Core Activities: Customize & help implementing existing Components into existing authentication solution on Web & Apps. |
3.2 Connecting Support Systems | Equip support teams with necessary tools. | - Backend API & Event Log API: Integrate with support and monitoring systems. - Real-Time Data Access: For prompt issue resolution. - Core Activities: Set up infrastructure and manage API-based support systems. | |
4. Development and Customization | 4.1 Automatic Passkey Login | Enhance login experience with automatic passkey login | - Identifier-First Approach: Simplify login process. - Edge Case Handling: Supports multiple accounts/devices. - CorbadoConnectLogin Component: Seamless cross-device authentication. |
4.2 Automatic Passkey Append | Drive passkey creation and adoption | - Automatic-Enrollment: Automatic passkey creation and Append-Popups onboarding users into passkeys. - Edge Case Handling: Evaluate if the device supports passkeys. - CorbadoConnectAppend Component: Seamless onboarding of consumers into passkeys. | |
4.3 Passkey Management | Empower users to manage authentication methods. | - User Autonomy: Add or remove passkeys user-friendly. - CorbadoConnectPasskeyList Component brings passkey management features for users. | |
5. Internal Preparation | 5.1 Training Customer Support Teams | Prepare support staff for user inquiries. | - Training Sessions: Comprehensive materials and sessions. - Support Resources: FAQs and troubleshooting guides. - Core Activities: Train customer support, prepare help materials for recovery and troubleshooting. |
5.2 Creating User Documentation | Inform and educate users. | - Communication Strategy: Craft messaging for various channels. - Educational Content: User guides, videos, tutorials. - Core Activities: Create user-friendly documentation, educate users on self-managing passkeys and fallback options. | |
6. Testing and Quality Assurance | 6.1 Edge Case Testing | Ensure system reliability. | - Comprehensive Testing: Simulate various scenarios. - Feedback Loops: Refine system before deployment. - Core Activities: Perform end-to-end testing, penetration testing, ensure UX meets expectations. |
6.2 Process Debugging Tools | Quickly resolve issues. | - Process Debugger: Insight into authentication flows. - Developer Support: Assist with technical challenges. - Core Activities: Run vulnerability tests, collect feedback for adjustments. | |
7. Release and Partial Rollout Execution | 7.1 Managed Partial Rollout Strategy | Introduce passkeys gradually, starting with newer devices. | - Partial Rollout Capability: Select rollout waves from newer to older devices. - Rollout Waves: Target up-to-date devices first. - Flexible Configuration: Adjust segments in real-time. - Core Activities: Implement gradual rollout strategy, start with high passkey-ready devices first. |
7.2 Launching Passkeys | Officially release to targeted device groups. | - Scalable Infrastructure: Ensure stability. - Launch Support: Real-time assistance during rollout. - Core Activities: Promote passkeys and adjust strategy based on real-time data and KPIs. | |
7.3 Monitoring and Adjusting | Continuously track progress and adjust plans. | - Analytics Dashboard: Track adoption and engagement. - Adaptive Strategy: Data-driven decisions for rollout phases. - User Feedback Integration: Refine user experience. - Core Activities: Adjust rollout based on KPIs, scale infrastructure based on usage, and update performance metrics. | |
8. Driving User Adoption | 8.1 Encouraging Passkey Adoption | Motivate users to adopt passkeys. | - Incentivization Programs: Rewards tailored to device groups. - User Engagement Analytics: Track interactions. - Core Activities: Promote passkey usage with messaging, user engagement campaigns, and metrics tracking. |
8.2 Ongoing Communication | Keep users informed and engaged. | - Regular Updates: Inform about features and benefits. - Success Stories: Share positive experiences. - Core Activities: Maintain continuous communication through popups, email notifications, and updates about passkey benefits. | |
9. Support and Feedback | 9.1 Connecting Support Systems | Maintain high-quality user support. | - Seamless Integration: APIs segmented by device group. - Knowledge Base Updates: Update materials based on feedback. - Core Activities: Enable admin panel support for passkey recovery, log events to trace user actions. |
9.2 Collecting User Feedback | Gather insights for improvement. | - Feedback Mechanisms: In-app prompts, surveys. - Data Analysis: Actionable improvements. - Core Activities: Collect ongoing feedback and fine-tune product through testing results. | |
10. Continuous Monitoring and Improvement | 10.1 Reporting and Analytics | Monitor performance and engagement. | - Reporting Dashboard: View metrics by device type. - Customizable Reports: Focus on key areas. - Core Activities: Monitor user engagement and performance metrics regularly, report on success KPIs. |
10.2 Adjusting Strategies | Refine strategies based on data. | - A/B Testing Support: Experiment within device groups. - Real-Time Updates: Implement changes quickly. - Core Activities: Continuously optimize strategies based on analytics and reporting. | |
11. Future Planning | 11.1 Expanding to Older Devices | Include users with older devices. | - Technical Adaptations: Ensure compatibility. - User Communication: Provide device-specific guidance. - Core Activities: Expand support to older devices after initial phase, test user experience on older systems. |
11.2 Digitalizing Recovery Processes | Streamline account recovery. | - Recovery Solutions: Implement digital recovery options secured by multi-factor authentication. - User Education: Inform users about new recovery methods, reducing support requests. - Core Activities: Develop digitalized backup strategies and ensure compliance with ongoing user data protection. | |
11.3 Planning for Password Decommissioning | Transition to a passwordless future. | - Strategic Roadmapping: Phase out passwords. - Compliance Assurance: Meet regulatory requirements. - Core Activities: Plan for long-term decommissioning of passwords and ensure compliance with security standards. | |
11.4 Long-Term Benefits and ROI | Realize full advantages of passkeys. | - Reduced Account Takeovers: Enhance security. - Operational Cost Savings: Lower SMS and recovery costs. - Improved User Satisfaction: Boost trust and engagement. - Core Activities: Measure ROI and success based on reduction of account takeover |
This table provides an overview of the critical steps for a successful passkey integration. While project specifics will vary, these phases are fundamental in large-scale consumer deployments. Our upcoming multi-part series will explore each step in detail, offering in-depth guidance and insights. Having outlined the integration process, let's briefly consider the next steps after implementing passkeys.
With passkeys integrated, the next crucial focus is on streamlining and securing account recovery processes, especially for users who may lose access to their passkeys and fallback methods. Traditional recovery methods particularly in large-scale consumer deployments tend to be manual processes.
One of the most effective digital methods is selfie identification with liveness checks. This process involves users taking photos of their government-issued ID along with a live selfie. Advanced technology verifies the authenticity of the ID and ensures the selfie is captured in real-time, confirming that the user is physically present and matches the ID. This prevents fraud attempts using static images or stolen IDs.
This method is particularly beneficial when traditional recovery channels like email or SMS are unavailable or outdated. By leveraging biometric verification and AI-driven checks, organizations can offer a secure and user-friendly way for users to regain access to their accounts without manual intervention.
Implementing smart recovery processes offers several advantages:
Our platform can integrate seamlessly with leading identity verification providers, ensuring compliance with data protection regulations. By automating recovery workflows and providing intuitive user guidance, Corbado Connect helps organizations improve their security levels while enhancing overall user satisfaction.
With a secure and user-friendly authentication system (based on passkeys) in place, organizations can consider transitioning towards a passwordless future. Decommissioning passwords is the logical next step and offers several benefits:
Transitioning to a truly passwordless system requires strategic planning, including stakeholder engagement, user education, and compliance checks. Corbado Connect provides the expertise and tools necessary to navigate this transformation smoothly in the future.
Why Are Passkeys Important For Enterprises?
Enterprises worldwide face severe risks due to weak passwords and phishing. Passkeys are the only MFA method that meets enterprise security and UX needs. Our whitepaper shows how to implement passkeys efficiently and what the business impact is.
If you have questions, feel free to
contact usImplementing passkeys and moving towards a passwordless future offers substantial long-term benefits and a compelling return on investment (ROI). Key advantages include:
While developing a passkey integration solution in-house is possible, it entails a significant initial software development effort and requires extensive expertise especially in the large-scale context. Building such a solution involves several challenges:
On the other hand, opting to "buy" by partnering with Corbado offers significant advantages:
By partnering with Corbado, organizations can leverage our expertise to effectively realize all the savings and benefits associated with passkeys. Our proven approach not only enhances security and UX but also delivers a strong ROI without the overhead of developing and maintaining a complex system in-house.
Achieving high passkey adoption rates is critical for realizing the long-term benefits and return on investment of implementing passkeys. The full spectrum of security enhancements and cost savings materializes only when a significant majority of users uses the new authentication method. However, driving this adoption internally presents several challenges:
Corbado Connect excels in managing these complexities through:
Choosing Corbado means leveraging our expertise to maximize passkey adoption and effectively manage ongoing maintenance and technological advancements. This approach ensures that your organization fully benefits from the transition to passkeys, achieving a strong ROI through enhanced security, reduced costs, and improved user satisfaction.
In conclusion, passkeys are a unique solution to the longstanding challenges faced by large-scale consumer deployments in authentication. We have answered the questions we had set in the introduction with the following key insights:
As we progress, the subsequent parts of this series will go deeper into each phase of the implementation process, providing detailed guidance and best practices to ensure a successful transition to passkeys in large-scale consumer deployments and showcase how Corbado Connect can help you successfully introduce passkeys with the highest passkey adoption & passkey login rates in the industry.
Table of Contents
Enjoyed this read?
🤝 Join our Passkeys Community
Share passkeys implementation tips and get support to free the world from passwords.
🚀 Subscribe to Substack
Get the latest news, strategies, and insights about passkeys sent straight to your inbox.
We provide UI components, SDKs and guides to help you add passkeys to your app in <1 hour
Start for free
Recent Articles
Enterprise Passkeys: Apple, Google & Microsoft's Offerings
Lukas R. - November 9, 2023
Passkeys E2E Playwright Testing via WebAuthn Virtual Authenticator
Anders - March 30, 2024