introducing passkeys large scale overviewPasskeys Strategy

Enterprise Guide: Passkeys for Existing Large-Scale Consumer Deployments

Learn how to implement passkeys as phishing-resistant MFA for large-scale consumer deployments and boost security as well as user convenience.

Blog-Post-Author

Vincent

Created: September 26, 2024

Updated: December 9, 2024


Our mission is to make the Internet a safer place, and the new login standard passkeys provides a superior solution to achieve that. That's why we want to keep you up to date on the latest developments in the industry.

Overview: Enterprise Guide#

1. Introduction: Passkeys at Large-Scale#

For years, organizations had to choose between security and user experience (UX) when it came to building their authentication solution. Traditionally, enhancing one meant compromising the other. Most of today’s consumer MFA systems rely on passwords/PINs combined with SMS one-time passcodes (OTPs), but they fall short in providing both top-tier security and user convenience. Passkeys offer a phishing-resistant, user-friendly authentication method that transforms how consumers interact with digital services. While still emerging, passkeys are rapidly gaining traction, especially among:

  • regulated industries (e.g. healthcare, finance, insurance),
  • governmental functions, and
  • large consumer services

aiming to offer secure MFA options to consumers.

Introducing passkeys into existing systems is not without its challenges. It's one of the most complex setups for integrating a new authentication factor, requiring careful planning and execution. In this article, we aim to address several critical questions:

  • What are the problems of large-scale consumer deployments?
  • How do passkeys address those problems and solve them?
  • How to introduce passkeys into an existing large-scale consumer deployment?
  • What is the decisive factor for long-term benefits and ROI when introducing passkeys?

We'll begin by exploring in which industries typical large-scale deployment can be found, what characteristics they have and then continue to address the issues plaguing large-scale consumer MFA deployments.

2. Industries With a Large-Scale Consumer Base Requiring MFA#

There are various types of consumer-facing companies with large user bases, and the need for security varies depending on the nature and sensitivity of the information they store. Companies dealing with more critical data tend to offer MFA more frequently, though it's not always mandated by regulations. These industries are at the forefront of adopting passkeys as an MFA solution to enhance user experience, using passkeys to offer a more seamless authentication process. We will focus on those in this article.

2.1 Industries Focusing Early on Passkeys#

These deployments are special because they are in industries where security, regulatory and compliance are very critical, while at the same time consumers are used to incredible UX. Examples include:

  • Government Services: E-government platforms, tax filing, social services, further government to citizen functionality.
  • Financial Institutions: Banks, credit unions, superannuation funds and fintech companies offering online banking, investment platforms, crypto platforms and payment services.
  • Insurance Companies: Providing policy management and claims processing through online portals.
  • Healthcare Providers: Patient portals for accessing medical records, scheduling appointments, and telehealth services.
  • Large Consumer Platforms: Operating system clouds (e.g. iCloud, Google account), ecommerce giants (e.g. Amazon), social media networks (Meta), and cloud service providers with extensive user bases that need to protect important consumer data.
Substack Icon

Subscribe to our Passkeys Substack for the latest news, insights and strategies.

Subscribe

2.2 Characteristics of Large-Scale Deployments#

Large-scale consumer MFA deployments possess certain characteristics that distinguish them from smaller implementations. Understanding these features is crucial for addressing the unique challenges they present.

2.2.1 Massive User Base and Long Operational Histories#

Organizations with large-scale deployments often serve millions of users across various regions. This extensive user base introduces unique complexities:

  • Massive User Base: Serving a vast number of users means that any security vulnerability can have widespread consequences. Attackers are more likely to target these organizations because the potential payoff is significant. For example:
    • Simplified Targeting of Individuals: Due to their large market share, attackers can assume that many individuals are customers of the large-scale service, making phishing and credential stuffing attacks more efficient.
    • Higher Likelihood of Attack Success: With more users, there's a greater chance that stolen credentials from other older and more recent breaches will match active accounts on these platforms.
  • Long Operational Histories: Many of these organizations have been operating for decades, accumulating a significant number of legacy user accounts. These older user accounts may present additional risks:
    • Outdated Cyber Security Practices: Legacy accounts might use weak passwords or lack modern security measures like MFA, making them easier targets for attackers.
    • Higher Vulnerability to Credential Stuffing: Users may have reused passwords that have been compromised in other data breaches over the years, increasing vulnerability to credential stuffing attacks.
    • Inactive or Dormant Accounts: Accounts that haven't been accessed in a long time may not be closely monitored by users, providing an opportunity for unauthorized access without immediate detection.

The combination of a massive user base and long operational histories makes large-scale deployments particularly attractive to cybercriminals. Attackers can exploit these factors by:

  • Large-Scale Phishing Campaigns: With a higher probability that recipients of phishing messages are actual customers of service, phishing attempts become more effective.
  • Automated Credential Stuffing Attacks: Using automated tools to test large volumes of stolen credentials, attackers can gain unauthorized access to user accounts, especially when password reuse is prevalent.

2.2.2 User Experience Demands Are Top-Notch#

In large-scale consumer deployments, meeting user experience (UX) expectations is as critical as ensuring security. Users today have high standards for digital interactions influenced by big tech companies like Apple, Google, Meta or Microsoft:

  • Diverse User Base Needs: The vast user base includes individuals with varying levels of technical proficiency, device preferences, and accessibility requirements. Authentication processes must be intuitive and accommodating for all users, not only tech-savvy ones.
  • High Expectations for Convenience: Users expect quick and seamless access to services. Complex or time-consuming authentication steps can lead to frustration, abandonment of the login process, or decreased overall satisfaction.
  • Consistent Experience Across Devices: Enhancing security should not compromise the user experience. Users may access services from multiple devices. That’s why ensuring a consistent authentication experience on all devices, browser and apps (native and web) is essential and expected.
  • Competitive Advantage Through UX: A superior user experience can differentiate an organization in a crowded market. Companies that provide secure yet effortless access are more likely to retain users and attract new ones. A good example are modern neo-banks trying to disrupt legacy banks.
  • User Education and Support: Introducing new authentication methods requires clear communication and assistance to help users adapt (e.g. via chatbots, FAQ, videos). Providing resources and responsive support enhances the overall experience.

By recognizing the importance of UX, organizations can implement MFA solutions that users are willing to adopt. Prioritizing UX in the deployment strategy leads to higher satisfaction, better security practices among users, and ultimately, a more secure environment. Just remember, if the UX does not meet consumer expectations, they will find workarounds, negating all security benefits.

Slack Icon

Become part of our Passkeys Community for updates and support.

Join

3. Key Problems of Existing Large-Scale Consumer MFA Deployments#

While MFA is enhancing security for consumer services, large-scale deployments face significant hurdles as we have seen in the characteristics above. Traditional MFA methods, typically combining passwords or PINs with SMS OTPs, struggle to provide both robust security and a seamless UX. Below are the key challenges inherent in these systems:

3.1 Account Takeover via Phishing#

A primary reason for implementing MFA is to mitigate account takeover risks. However, phishing remains a threat even with MFA in place. Attackers create counterfeit websites resembling legitimate services to trick users into entering their credentials and OTPs. Since traditional MFA methods like SMS OTPs are not phishing-resistant, attackers can intercept both the password and the OTP in real-time. This MFA vulnerability has persisted for years and has been technically challenging to eliminate – until phishing-resistant passkeys emerged.

3.2 SMS OTP Costs#

When offered MFA options, consumers overwhelmingly choose and want SMS-based OTPs due to their simplicity and familiarity (usually more than 90% of users opt for SMS MFA). However, this preference results in substantial SMS costs for organizations. Each SMS sent incurs a fee, and with millions of users, these costs can escalate quickly especially in an international customer base.

Alternatives like authenticator apps using Time-based One-Time Passcodes (TOTP), such as Authy or Google Authenticator, are available but are often impractical for the average consumer due to usability issues. Especially, non-digital-native people often struggle with the time-constraint.

Developing a proprietary iOS or Android app to deliver push notifications is another option, but introduces additional complexities in development, maintenance, and user adoption – not even talking about the associated costs.

3.3 Recovery Process Costs#

When using SMS OTP as authentication factor, recovery becomes complicated: Consumers frequently change their mobile phone numbers for various reasons, such as switching service providers or relocating to another country. Losing access to the phone number linked to their MFA means they are effectively locked out of their accounts. This scenario leads to increased customer support calls and necessitates stringent identity verification processes for account recovery. Not only does this create a frustrating experience for users, but it also results in significant operational costs for organizations due to the resources required for recovery procedures.

In the following section, we will take a look at how passkeys can help to solves these problems.

Why Are Passkeys Important For Enterprises?

Passkeys for Enterprises

Enterprises worldwide face severe risks due to weak passwords and phishing. Passkeys are the only MFA method that meets enterprise security and UX needs. Our whitepaper shows how to implement passkeys efficiently and what the business impact is.

Passkeys for Enterprises

Download the whitepaper

If you have questions, feel free to  

contact us

4. How Passkeys Address Key Problems of Large-Scale Consumer MFA Deployments#

Passkeys represent a significant change in authentication methods, combining security with user-friendly experience learned from mobile phones. Built on the WebAuthn standard and utilizing public-key cryptography, passkeys eliminate many of the vulnerabilities associated with traditional MFA systems. Below, we explore how passkeys address the challenges outlined in the previous section.

StateOfPasskeys Icon

Want to find out how many people can use passkeys?

View Adoption Data

4.1 Non-Phishability: The End of Account-Takeovers#

Passkeys are inherently resistant to phishing attacks. Unlike passwords and SMS OTPs, passkeys do not rely on shared secrets that can be intercepted or tricked out of users. Here's how they enhance security:

  • Passkeys are Bound to the Original Domain: Passkeys are bound to a specific domain of the service. This means they will not authenticate on fake websites, rendering phishing attempts ineffective. Passkeys simply cannot be used on phishing websites.
  • Public-Key Cryptography Prevents Credential Theft: When a user registers a passkey, their device generates a unique key pair – one public and one private key. The public key is stored on the server, while the private key never leaves the user's device. Since the private key isn't transmitted during authentication, there's nothing for attackers to steal or intercept.
  • Passkeys Comply with Modern Regulations: The mentioned factors help expanding security measures to protect customers from phishing, addressing the regulatory trend to phishing-resistance into more and more legislation (e.g. Essential Eight, NIST).

By eliminating the possibility of credential interception, passkeys effectively neutralize phishing as an account-takeover vector.

4.2 Reduce SMS Costs & Resolve Bad SMS UX#

Passkeys operate entirely over secure internet connections (https://) without relying on telecommunication networks for OTPs. This shift offers several cost-saving and user experience benefits:

  • Reduced SMS Costs: With passkeys, the need for sending SMS OTPs diminishes significantly. This reduction not only cuts down on per-message fees but also helps avoid SMS pumping fraud, where attackers generate many fake OTP requests to maliciously inflate SMS costs (also known as artificial inflated traffic – AIT). Organizations can save up to 90% in SMS-related expenses, depending on user adoption rates.
  • Passkeys are Better Accessible and Can’t Be Lost: Passkeys overcome limitations associated with SMS delivery, especially in regions with unreliable mobile networks or where users have limited access to SMS services. Often cross-border delivery of SMS OTP fails and leads so problems. By utilizing internet connectivity, passkeys ensure a consistent authentication experience for users worldwide, regardless of their mobile carrier or geographic location.
  • Passkey Logins are Quicker: Passkeys streamline the authentication process by eliminating the need to wait for SMS codes. Users can authenticate quickly and securely using biometric verification or device PINs, leading to faster and more seamless logins.

By reducing dependence on SMS, passkeys not only lower operational costs but also enhance the overall user experience and accessibility of your services.

4.3 Declining Account Recoveries Over Time#

Passkeys also address the issue of costly account recoveries due to lost or changed phone numbers:

  • Digital Ecosystems are Less Frequently Changed: Users change their operating systems or ecosystems less frequently than they change phone numbers or carriers (e.g. the number of people leaving the Apple ecosystem is considerably low). This stability reduces the likelihood of losing access to authentication credentials.
  • Login Identifiers Can’t Be Forgotten: Passkeys are stored securely on the user's device and, in many cases, synchronized across devices through cloud services or password managers. Together with the private key, the identifier (username or email) is stored allowing automatically prefilling of credentials. Consumers therefore cannot forget their username, customer number or email associated with the service, which is often the case for less frequently used services.
  • Passkey Recovery is Transferred to the Operating System: Even if a user loses a device, restoring passkeys on a new device is often simpler and secured by the operating system clouds (e.g. iCloud Keychain, Google Password Manager), which require MFA with three factors to restore passkeys. This means large-scale consumer deployments basically shift the recovery aspect to the operating system cloud provider.

Over a period of 6 to 36 months after passkey introduction, as more users adopt passkeys, organizations can expect a noticeable decline in account recovery incidents, leading to lower support costs and improved user satisfaction.

4.4 Summary: How Passkeys Address Key Issues#

Passkeys eliminate phishing risks, reduce SMS costs, and decrease account recovery incidents by providing secure, user-friendly authentication. They effectively address the challenges of account-takeovers, high SMS expenses, and recovery complexities in large-scale consumer MFA deployments. The following table shows a summary of the most important aspects.

introducing passkeys table

Passkeys benefit security, UX, and at the same time reduce operating costs. They have been largely accepted as the only phishing-resistant MFA option for consumers. While these points seem plausible, the introduction of passkeys is a challenge for large-scale consumer deployments. This is exactly where our Corbado Connect Enterprise Solution comes into play.

Demo Icon

Want to try passkeys yourself? Check our Passkeys Demo.

Try Passkeys

5. How To Introduce Passkeys Into Large-Scale Consumer Deployments#

Implementing passkeys in a large-scale consumer environment is a complex process that requires meticulous planning and execution. Each organization has unique needs, and project plans will vary based on specific requirements. At Corbado, we specialize in assisting large enterprises through this transition.

We want to cover all the steps involved in introducing passkeys in a dedicated, multi-part blog series. This series will explain each phase, providing guidance on recommendations, but also be showcasing how Corbado Connect can facilitate a seamless integration tailored to your organization's needs.

5.1 Implementation Steps Overview#

Below is an outline of the key steps involved in introducing passkeys into a large-scale consumer deployment:

passkeys project plan large scale

Project plan as image to share or use in internal boards

Download image here

StepSub-StepObjectiveCorbado's Solution
1. Initial Assessment and Planning1.1 Device Support AnalysisEnsure device compatibility among users.- Passkey Analyzer: Assess user device readiness (over 90% compatibility).
- Data Utilization: Use external analytics like Google Analytics to plan rollout strategy.
- Core Activities: Conduct passkey readiness analysis, assess feasibility
1.2 Stakeholder EngagementAlign internal teams across departments.- Cross-Department Workshops: Align Compliance, Security, Tech, Product, and Support teams.
- Address Concerns: Provide insights on compliance, UX, and operational impacts.
- Core Activities: Assess infrastructure, scalability, and security aspects; perform integration evaluations with Stakeholders.
2. Design and Strategy Development2.1 Technical Risk MitigationAnticipate and address technical challenges.- Edge Case Coverage: Handle all edge cases.
- Future-Proofing: Incorporate WebAuthn updates.
- Core Activities: Develop fallback strategies, design user flows and use cases and WebAuthn functionality.
2.2 Compliance and Security ConsiderationsEnsure regulatory compliance and data security.- Data Privacy Assurance: No personal data stored.
- Regional Deployment: Compliant installations in any AWS Region.
- Core Activities: Define release strategies, security compliance, data protection, and auditing systems.
2.3 User Experience DesignCreate an intuitive authentication experience.- UX Consultation: Design consumer friendly flows.
- Core Activities: Help designing user-friendly interface based on best demonstrated practises incorporated into existing UI.
3. Integration with Existing Systems3.1 Compatibility with Authentication SystemsIntegrate passkeys without overhauling infrastructure.- Broad Compatibility: Works with custom solutions or backend authentication systems like AWS Cognito.
- API Integration: Smooth integration with existing systems.
- Core Activities: Customize & help implementing existing Components into existing authentication solution on Web & Apps.
3.2 Connecting Support SystemsEquip support teams with necessary tools.- Backend API & Event Log API: Integrate with support and monitoring systems.
- Real-Time Data Access: For prompt issue resolution.
- Core Activities: Set up infrastructure and manage API-based support systems.
4. Development and Customization4.1 Automatic Passkey LoginEnhance login experience with automatic passkey login- Identifier-First Approach: Simplify login process.
- Edge Case Handling: Supports multiple accounts/devices.
- CorbadoConnectLogin Component: Seamless cross-device authentication.
4.2 Automatic Passkey AppendDrive passkey creation and adoption- Automatic-Enrollment: Automatic passkey creation and Append-Popups onboarding users into passkeys.
- Edge Case Handling: Evaluate if the device supports passkeys.
- CorbadoConnectAppend Component: Seamless onboarding of consumers into passkeys.
4.3 Passkey ManagementEmpower users to manage authentication methods.- User Autonomy: Add or remove passkeys user-friendly.
- CorbadoConnectPasskeyList Component brings passkey management features for users.
5. Internal Preparation5.1 Training Customer Support TeamsPrepare support staff for user inquiries.- Training Sessions: Comprehensive materials and sessions.
- Support Resources: FAQs and troubleshooting guides.
- Core Activities: Train customer support, prepare help materials for recovery and troubleshooting.
5.2 Creating User DocumentationInform and educate users.- Communication Strategy: Craft messaging for various channels.
- Educational Content: User guides, videos, tutorials.
- Core Activities: Create user-friendly documentation, educate users on self-managing passkeys and fallback options.
6. Testing and Quality Assurance6.1 Edge Case TestingEnsure system reliability.- Comprehensive Testing: Simulate various scenarios.
- Feedback Loops: Refine system before deployment.
- Core Activities: Perform end-to-end testing, penetration testing, ensure UX meets expectations.
6.2 Process Debugging ToolsQuickly resolve issues.- Process Debugger: Insight into authentication flows.
- Developer Support: Assist with technical challenges.
- Core Activities: Run vulnerability tests, collect feedback for adjustments.
7. Release and Partial Rollout Execution7.1 Managed Partial Rollout StrategyIntroduce passkeys gradually, starting with newer devices.- Partial Rollout Capability: Select rollout waves from newer to older devices.
- Rollout Waves: Target up-to-date devices first.
- Flexible Configuration: Adjust segments in real-time.
- Core Activities: Implement gradual rollout strategy, start with high passkey-ready devices first.
7.2 Launching PasskeysOfficially release to targeted device groups.- Scalable Infrastructure: Ensure stability.
- Launch Support: Real-time assistance during rollout.
- Core Activities: Promote passkeys and adjust strategy based on real-time data and KPIs.
7.3 Monitoring and AdjustingContinuously track progress and adjust plans.- Analytics Dashboard: Track adoption and engagement.
- Adaptive Strategy: Data-driven decisions for rollout phases.
- User Feedback Integration: Refine user experience.
- Core Activities: Adjust rollout based on KPIs, scale infrastructure based on usage, and update performance metrics.
8. Driving User Adoption8.1 Encouraging Passkey AdoptionMotivate users to adopt passkeys.- Incentivization Programs: Rewards tailored to device groups.
- User Engagement Analytics: Track interactions.
- Core Activities: Promote passkey usage with messaging, user engagement campaigns, and metrics tracking.
8.2 Ongoing CommunicationKeep users informed and engaged.- Regular Updates: Inform about features and benefits.
- Success Stories: Share positive experiences.
- Core Activities: Maintain continuous communication through popups, email notifications, and updates about passkey benefits.
9. Support and Feedback9.1 Connecting Support SystemsMaintain high-quality user support.- Seamless Integration: APIs segmented by device group.
- Knowledge Base Updates: Update materials based on feedback.
- Core Activities: Enable admin panel support for passkey recovery, log events to trace user actions.
9.2 Collecting User FeedbackGather insights for improvement.- Feedback Mechanisms: In-app prompts, surveys.
- Data Analysis: Actionable improvements.
- Core Activities: Collect ongoing feedback and fine-tune product through testing results.
10. Continuous Monitoring and Improvement10.1 Reporting and AnalyticsMonitor performance and engagement.- Reporting Dashboard: View metrics by device type.
- Customizable Reports: Focus on key areas.
- Core Activities: Monitor user engagement and performance metrics regularly, report on success KPIs.
10.2 Adjusting StrategiesRefine strategies based on data.- A/B Testing Support: Experiment within device groups.
- Real-Time Updates: Implement changes quickly.
- Core Activities: Continuously optimize strategies based on analytics and reporting.
11. Future Planning11.1 Expanding to Older DevicesInclude users with older devices.- Technical Adaptations: Ensure compatibility.
- User Communication: Provide device-specific guidance.
- Core Activities: Expand support to older devices after initial phase, test user experience on older systems.
11.2 Digitalizing Recovery ProcessesStreamline account recovery.- Recovery Solutions: Implement digital recovery options secured by multi-factor authentication.
- User Education: Inform users about new recovery methods, reducing support requests.
- Core Activities: Develop digitalized backup strategies and ensure compliance with ongoing user data protection.
11.3 Planning for Password DecommissioningTransition to a passwordless future.- Strategic Roadmapping: Phase out passwords.
- Compliance Assurance: Meet regulatory requirements.
- Core Activities: Plan for long-term decommissioning of passwords and ensure compliance with security standards.
11.4 Long-Term Benefits and ROIRealize full advantages of passkeys.- Reduced Account Takeovers: Enhance security.
- Operational Cost Savings: Lower SMS and recovery costs.
- Improved User Satisfaction: Boost trust and engagement.
- Core Activities: Measure ROI and success based on reduction of account takeover

This table provides an overview of the critical steps for a successful passkey integration. While project specifics will vary, these phases are fundamental in large-scale consumer deployments. Our upcoming multi-part series will explore each step in detail, offering in-depth guidance and insights. Having outlined the integration process, let's briefly consider the next steps after implementing passkeys.

5.2 Next Step: Digitalizing Recovery Processes#

With passkeys integrated, the next crucial focus is on streamlining and securing account recovery processes, especially for users who may lose access to their passkeys and fallback methods. Traditional recovery methods particularly in large-scale consumer deployments tend to be manual processes.

One of the most effective digital methods is selfie identification with liveness checks. This process involves users taking photos of their government-issued ID along with a live selfie. Advanced technology verifies the authenticity of the ID and ensures the selfie is captured in real-time, confirming that the user is physically present and matches the ID. This prevents fraud attempts using static images or stolen IDs.

This method is particularly beneficial when traditional recovery channels like email or SMS are unavailable or outdated. By leveraging biometric verification and AI-driven checks, organizations can offer a secure and user-friendly way for users to regain access to their accounts without manual intervention.

Implementing smart recovery processes offers several advantages:

  • Ensure Strong Security Levels: Provides a high level of assurance that the person attempting recovery is the legitimate account owner.
  • Make Users Happy: Offers a quick and convenient recovery option, reducing user frustration and downtime.
  • Reduced Operational Costs for Manual Recovery: Minimizes the need for support staff involvement in account recovery, lowering associated costs.

Our platform can integrate seamlessly with leading identity verification providers, ensuring compliance with data protection regulations. By automating recovery workflows and providing intuitive user guidance, Corbado Connect helps organizations improve their security levels while enhancing overall user satisfaction.

5.3 Next Step: Planning for Password Decommissioning#

With a secure and user-friendly authentication system (based on passkeys) in place, organizations can consider transitioning towards a passwordless future. Decommissioning passwords is the logical next step and offers several benefits:

  • Eliminate Password Vulnerabilities Entirely: Remove risks associated with weak or compromised passwords.
  • Simplify Authentication by Reducing Number of Login Options: Streamline the login process to prevent user confusion about which login method was used on each device.
  • Stay Ahead of Regulations: Align with emerging security standards and regulatory requirements favoring passwordless authentication (e.g. NIST, Essential Eight, CISA).

Transitioning to a truly passwordless system requires strategic planning, including stakeholder engagement, user education, and compliance checks. Corbado Connect provides the expertise and tools necessary to navigate this transformation smoothly in the future.

Why Are Passkeys Important For Enterprises?

Passkeys for Enterprises

Enterprises worldwide face severe risks due to weak passwords and phishing. Passkeys are the only MFA method that meets enterprise security and UX needs. Our whitepaper shows how to implement passkeys efficiently and what the business impact is.

Passkeys for Enterprises

Download the whitepaper

If you have questions, feel free to  

contact us

6. Long-Term Benefits and Return on Investment of Passkeys#

Implementing passkeys and moving towards a passwordless future offers substantial long-term benefits and a compelling return on investment (ROI). Key advantages include:

6.1 Maximize Your Security Posture#

  • Reduced Account-Takeovers: By eliminating passwords and introducing phishing-resistant authentication via passkeys, organizations can significantly lower the risk of account-takeovers.
  • Comply to Regulation: Strengthen compliance with security regulations (e.g. Essential Eight, NIST, CISA), reducing the risk of penalties.

6.2 Cut Costs#

  • SMS OTP Cost Reduction: With fewer users relying on SMS-based OTPs, organizations can save significantly on messaging costs. Depending on the size of the user base, SMS cost savings can range from $1 million to $25 million per year, even when not every user has turned on SMS MFA yet.
  • Lower Account Recovery Costs: Streamlined digital recovery processes reduce customer support demands, leading to operational cost savings.

6.3 Improved User Experience and Engagement#

  • Quick Authentication: Users enjoy faster, more convenient logins without the hassle of passwords or waiting for OTPs.
  • Increased User Satisfaction: A smooth authentication experience enhances customer loyalty and engagement with the entire product and brand.

6.4 Competitive Advantage#

  • Become a Digital & Market Leader: Adopting cutting-edge security measures positions your organization as an industry leader.
  • Attracting Security-Conscious Consumers: Appeal to users who prioritize security and user experience.

6.5 Make vs. Buy: The Corbado Advantage#

While developing a passkey integration solution in-house is possible, it entails a significant initial software development effort and requires extensive expertise especially in the large-scale context. Building such a solution involves several challenges:

On the other hand, opting to "buy" by partnering with Corbado offers significant advantages:

  • Expertise in Managed and Gradual Rollouts: We specialize in deploying passkeys effectively, ensuring high adoption rates through tailored strategies that encourage widespread user engagement. Our rollouts happen in stages, where we enable passkeys for certain devices, user cohorts or randomized shares of users.
  • Optimized Passkey User Experience: Our UI design as well as user flows are inspired by large consumer platform implementations (e.g. Google’s own passkey implementation which is one of the most user-friendly ones and has one of the strongest passkey adoption numbers), and promotes seamless interactions across all devices. We have conducted extensive device testing to ensure compatibility and a consistent user experience on all devices for all users.
  • Continuous Passkey Updates and Maintenance: Corbado stays ahead of technological advancements, continuously integrating new passkey features like Google Password Manager’s support to sync passkeys across platforms, the WebAuthn Signal API to change passkey metadata and delete passkeys client-side, and Automatic Passkey Creation. This relieves you of the maintenance burden and ensures your authentication system remains cutting-edge.
  • Dedicated Integration, Rollout and Maintenance Support: We provide deep integration support into all common web technologies and can help your teams on-site with implementing our solution. Besides, we provide ongoing assistance to adapt and refine your authentication system as technologies and user needs evolve, ensuring sustained performance and security.

By partnering with Corbado, organizations can leverage our expertise to effectively realize all the savings and benefits associated with passkeys. Our proven approach not only enhances security and UX but also delivers a strong ROI without the overhead of developing and maintaining a complex system in-house.

6.6 Importance of High Passkey Adoption Rates#

Achieving high passkey adoption rates is critical for realizing the long-term benefits and return on investment of implementing passkeys. The full spectrum of security enhancements and cost savings materializes only when a significant majority of users uses the new authentication method. However, driving this adoption internally presents several challenges:

  • User Resistance to Change: Encouraging users to shift from familiar authentication methods (e.g. passwords) to passkeys requires strategic communication and regular reminders. Without tailored communication, passkey adoption rates may remain low, limiting the effectiveness of your investment.
  • Complexity of User Education and Support: Educating a large user base about the benefits and usage of passkeys demands a well-planned approach. This includes creating educational materials, training support staff, and handling user inquiries – all of which require additional resources and expertise.
  • Embed New Passkey Features Continuously: Keeping up with client changes and technological passkey advancements—requires continuous effort. An internal team must be dedicated to integrating these updates to maintain compatibility and optimal functionality.

Corbado Connect excels in managing these complexities through:

  • Maximize Passkey Adoption Rate: We provide comprehensive educational resources and personalized communication strategies to make users aware of the ease and benefits of passkeys, encouraging a smoother transition. We ensure a high adoption rate by regularly reminding the customer to create (e.g. after successful login with conventional authentication methods) and asking to add local passkeys after a hybrid QR-code based login. All while making sure that this user, device, operating system, and browser are passkey-ready.
  • Maximize Passkey Login Rate: By utilizing an "Identifier-First" approach, our system intelligently determines whether a passkey login should be initiated or if a hybrid login process is needed (or if no passkey login should be initiated at all). In cases where passkey login is not feasible, a fallback option is automatically provided, ensuring a seamless login UX while maintaining security. Depending on the use case, other factors can be used like One-Tap Login or Conditional UI to further improve the login rate with passkeys to avoid costly fallbacks to SMS OTP.
  • Best Personalized Passkey Experience: Our solution continuously learns from user behavior and KPIs to improve the overall passkey experience (we call this passkey intelligence). Each account receives tailored login options, ensuring a user-centric, optimized interaction that enhances satisfaction and security.
  • Adaptability to Technological Passkey Changes: Our team constantly integrates new features and evolves alongside the latest developments in authentication technology, including support for new authenticators or automatic passkey creation. This adaptability ensures that your system remains cutting-edge without burdening your internal resources.

Choosing Corbado means leveraging our expertise to maximize passkey adoption and effectively manage ongoing maintenance and technological advancements. This approach ensures that your organization fully benefits from the transition to passkeys, achieving a strong ROI through enhanced security, reduced costs, and improved user satisfaction.

7. Conclusion#

In conclusion, passkeys are a unique solution to the longstanding challenges faced by large-scale consumer deployments in authentication. We have answered the questions we had set in the introduction with the following key insights:

  • What are the problems of large-scale consumer deployments?
    Large-scale deployments have to deal with issues like account-takeovers via phishing, very high SMS OTP costs, and cumbersome account recovery processes. These problems compromise both security and user experience, making it difficult to balance the two effectively.
  • How do passkeys address those problems and solve them?
    Passkeys mitigate these issues by being inherently phishing-resistant through domain binding and public-key cryptography. They significantly reduce reliance on SMS OTPs, thereby cutting costs and improving user experience. Additionally, passkeys streamline account recovery processes by leveraging device / ecosystem stability and cloud synchronization, reducing the frequency and complexity of account recoveries.
  • How to introduce passkeys into an existing large-scale consumer deployment?
    Implementing passkeys requires a comprehensive, multi-step approach that includes initial assessment and planning, design and strategy development, integration with existing systems, development and customization, internal preparation, testing and quality assurance, a managed rollout strategy, and ongoing support and monitoring. Each step is crucial to ensure a smooth transition and high user adoption.
  • What is the decisive factor for long-term benefits and ROI when introducing passkeys?
    High user adoption rates are the decisive factor for realizing long-term benefits and ROI. The full spectrum of security enhancements and cost savings from passkeys is only achieved when a majority of users embrace the new authentication method. Strategies to drive adoption, such as user education and incentivization, are essential.

As we progress, the subsequent parts of this series will go deeper into each phase of the implementation process, providing detailed guidance and best practices to ensure a successful transition to passkeys in large-scale consumer deployments and showcase how Corbado Connect can help you successfully introduce passkeys with the highest passkey adoption & passkey login rates in the industry.

Share this article


LinkedInTwitterFacebook

Enjoyed this read?

🤝 Join our Passkeys Community

Share passkeys implementation tips and get support to free the world from passwords.

🚀 Subscribe to Substack

Get the latest news, strategies, and insights about passkeys sent straight to your inbox.


We provide UI components, SDKs and guides to help you add passkeys to your app in <1 hour

Start for free