Explore our comprehensive guide to assess passkey-readiness in enterprise systems, improving security, user experience, and reducing SMS OTP costs.
Our mission is to make the Internet a safer place and passkeys provide a superior solution to achieve that. That's why we want to keep you updated with the latest industry insights here.
Overview: Enterprise Guide#
1. Introduction#
Implementing passkeys into a
large-scale
consumer deployment is complicated but
a great step towards enhancing security, user experience and reducing existing
SMS OTP costs.
This multi-part series will guide you through the process, starting with the initial
assessment that prepares the most important facts to decide implementing passkeys. In this
first installment, we will cover:
- Device Landscape: How to utilize data analytics to understand device compatibility
and
user behavior
to be confident that passkeys are widely supported in your specific user audience?
- Application Landscape: What are important considerations before starting the
planning, what application characteristics need to be gathered before introducing
passkeys?
- MFA Landscape: How does the current functionality of your MFA system affect and
influence the planning of your passkey project?
By laying a solid foundation in these areas, you'll be well-prepared to engage into the
next steps. It's crucial to conduct a thorough assessment and planning phase—an integral
part of our enterprise assessment strategy recommendations for deploying passkeys for
enterprise use.
2. Device Landscape Analysis#
Global passkey-readiness for representative B2C data is at a very high level about 95% due
to the widespread support among common operating systems (iOS, Android, Windows, macOS).
Still for large enterprises internally it is a big concern to actually confirm those data
first. Also based on the type of service there might be a different set of devices.
Therefore, the first objective is to ensure that a significant portion of your user base
can use passkeys, maximizing possible adoption rates and ROI.
Subscribe to our Passkeys Substack for the latest news.
Subscribe
Leverage your existing tracking platforms like Google Analytics, Matomo, or your
internal analytics systems to collect detailed data about devices, operating systems, and
browsers your users employ. Focus on gathering the following information at least:
- Web Users (Desktop + Mobile):
- Operating Systems (OS): Identify the OS distribution (e.g., iOS, Android,
Windows, macOS, Linux).
- OS Versions: Determine the specific versions in use (e.g.,
iOS 18, Windows 10, macOS Big Sur).
- Browsers: Find out which browsers are most commonly used (e.g., Chrome, Safari,
Firefox, Edge).
- Support: Check the versions to ensure they support WebAuthn / passkeys and
determine the passkey-readiness.
- App Users via Native App (e.g. Flutter/Swift/Kotlin):
- Operating Systems: Assess whether users are on iOS or Android.
- OS Versions: Identify the versions (e.g.,
iOS 18,
Android 14) to confirm compatibility with
WebAuthn / passkeys.
- App Support: Ensure that a majority of your apps run on versions that support
passkey functionalities.
- App Users via WebViews in Native Apps:
If specific user data isn't available, use global device and browser usage statistics from
sources like StatCounter or NetMarketShare to estimate compatibility rates.
After collecting detailed data on your users' devices, operating systems, and browsers,
the next step is to analyze this information to determine the passkey-readiness of your
user base. This involves assessing the compatibility of various device and software
combinations with passkeys, considering both technical support and the likelihood that
users have the necessary features activated on their devices.
How to Achieve This:
- Assess Operating System and Browser Compatibility:
- Consult Reliable Sources: Use up-to-date resources like
passkeys.dev and
State of Passkeys to understand which operating
systems and browsers support passkeys.
- Identify Support Levels: For each OS and browser combination, determine if
passkeys are supported, partially supported, or not supported.
- Consider Device-Specific Factors and Activation:
- Activation on Apple and Android Devices:
- On Apple (iOS and macOS) and Android devices, platform
authenticators (biometrics like Touch ID, Face ID, or
fingerprint scanners) are almost always activated by default.
- If not activated, users are typically guided to enable these features during the
passkey creation process, ensuring high
passkey readiness.
- This results in a passkey-readiness that is very close to 100%.
- Activation on Windows Devices:
- On Windows, passkey functionality relies on Windows Hello, which may not
be activated by default.
- If Windows Hello is deactivated, passkey
functionality cannot be used, and users are not always prompted to activate it
during the authentication process.
- Consequently, Windows devices tend to have lower passkey-readiness compared
to Apple and Android devices.
- However, with the increasing popularity of passkeys, more users are enabling
Windows Hello, gradually improving passkey readiness on Windows platforms.
- Hardware Limitations:
- Some older devices may lack the necessary hardware (e.g., Hardware Security
Modules) even if the OS supports passkeys.
- This is less common on mobile devices but can affect some desktop and laptop
users.
- Calculate Passkey-Readiness Percentages:
- Apply Compatibility and Activation Rates: For each category (e.g., Windows 10,
iOS 16), assign a passkey-readiness percentage
based on both technical compatibility and the likelihood of activation.
- Weighted Averages: Multiply the total share of each category by its passkey
readiness percentage to calculate the overall readiness.
2.3 Example Analysis: B2C Service with Native Apps#
Below is a realistic example of a B2C platform's user base distribution and the derived
passkey-readiness percentages. In this scenario, the platform's native apps have moderate
adoption rates, and the user base is distributed across various devices and operating
systems.
User Base Distribution and Passkey-Readiness:
Devices | Total Share | Passkey-Ready |
---|
| | |
Web Users (Desktop + Mobile) | | |
Android | 23% | 94% |
iOS | 26% | 95% |
Windows 10 | 10% | 85% |
Windows 11 Share | 24% | 92% |
macOS & others | 5% | 95% |
| | |
App Users via Native App | | |
Android | 6% | 95% |
iOS | 6% | 95% |
| | |
App Users via WebViews | | |
iOS | 0% | 0% |
Android | 0% | 0% |
| | |
Total / Average | 100.00% | 93.05% |
If you are interested in detailed data regarding the passkey-readiness and activation rate
of passkeys on corresponding operating systems, feel free to reach out for
more information.
Explanation:
- Web Users (Desktop + Mobile):
- Android (23% of users):
- Modern Android devices running recent
versions of Chrome support passkeys.
- Platform authenticators are generally activated, or
users are guided to activate them during the passkey setup process.
- Passkey-Readiness: 94%
- iOS (26% of users):
- Devices running iOS 15 and above support passkeys in
Safari and other browsers.
- Biometric authentication is typically
enabled, or users are prompted to enable it.
- Passkey-Readiness: 95%
- Windows 10 (10% of users):
- Windows 10 supports passkeys in browsers like Edge and Chrome, but relies on
Windows Hello.
- Many users may have Windows Hello deactivated, and
they are not always prompted to activate it during authentication.
- Passkey Readiness: 85%, accounting for users with
Windows Hello disabled.
- Windows 11 (24% of users):
- Windows 11 has improved support for passkeys and
encourages the use of Windows Hello.
- Passkey-readiness is higher due to increased activation rates.
- Passkey-Readiness: 92%
- macOS & Others (5% of users):
- Recent versions of macOS support passkeys well.
- Biometric authentication is typically
enabled, with users guided to activate it if necessary.
- Passkey-Readiness: 95%
- App Users via Native App:
- Android and iOS Apps (12% combined):
- Assuming the apps are updated to support passkeys and users are on compatible OS
versions.
- Platform authenticators are generally active or
activated during setup.
- Passkey-Readiness: 95%
- App Users via WebViews:
- iOS and Android WebViews (0%):
- In this example, there are no users accessing through
WebViews.
- Passkey-Readiness: 0%
Calculations:
To determine the total passkey-readiness:
- Multiply the total share of each category by its passkey readiness percentage:
- Android Web Users: 23% * 94% = 21.62%
- iOS Web Users: 26% * 95% = 24.70%
- Windows 10 Users: 10% * 85% = 8.50%
- Windows 11 Users: 24% * 92% = 22.08%
- macOS Users: 5% * 95% = 4.75%
- Android App Users: 6% * 95% = 5.70%
- iOS App Users: 6% * 95% = 5.70%
- Webview Users: 0% * 0% = 0%
- Sum the results:
- Total Passkey Ready Users = 21.62% + 24.70% + 8.50% + 22.08% + 4.75% + 5.70% +
5.70% + 0% = 93.05%

Igor Gjorgjioski
Head of Digital Channels & Platform Enablement, VicRoads
Corbado proved to be a trusted partner. Their hands-on, 24/7 support and on-site assistance enabled a seamless integration into VicRoads' complex systems, offering passkeys to 5 million users.
Enterprises trust Corbado to protect their users and make logins more seamless with passkeys. Get your free passkey consultation now.
Get free consultation
Interpretation of Total Passkey-Readiness:
Approximately 93% of the user base is ready to use passkeys. This high percentage
indicates a strong potential for successful
passkey adoption and high
SMS cost savings.
Conducting a thorough analysis of passkey-readiness, including considerations of device
activation status, allows you to make informed decisions about implementing passkeys in
your large-scale
consumer deployment. For enterprises
aiming to deploy enterprise passkeys, following a
well-defined passkeys guide and detailed enterprise assessments can significantly
streamline the adoption and rollout process.
Why are Passkeys important?
Passwords & phishing put enterprises at risk. Passkeys offer the only MFA solution balancing security and UX. Our whitepaper covers implementation and business impact.
2.4 How Corbado Helps You at This Stage#
Analyzing passkey-readiness across your user base can be a complex and resource-intensive
task, especially when considering the nuances of device compatibility and activation
statuses. Corbado offers tools and services designed to simplify this process, providing
you with accurate and actionable insights to inform your passkey implementation strategy.
Leveraging Passkeys Analyzer Tool:
- Passkeys Analyzer: Corbado's Passkeys Analyzer
is a powerful tool that can quickly assess the passkey readiness of your users. By
integrating a small, non-invasive JavaScript snippet into your website or application,
you can collect data on device compatibility and
platform authenticator activation without impacting
user experience (fully GDPR-compliant and anonymous). In addition to operating
system-based detection the Passkey Analyzer directly detects passkey readiness which
includes also users with activated
Password Manager. A JavaScript based detection is
the most accurate way to detect passkey-readiness.
- Accurate Data Collection: Within a short period, the Passkeys Analyzer gathers
detailed information on operating systems, browsers, and whether platform authenticators
(like biometrics) are activated on users' devices.
Enterprise Solutions and Private Deployments:
- Private Deployment Options: For enterprises with strict data security and privacy
requirements, Corbado offers private deployment of the Passkeys Analyzer. This ensures
that all data collection and analysis occur within your secure environment, adhering to
your organization's compliance standards.
- Data Ownership and Control: By opting for a private deployment, you maintain full
control over the data collected. This can alleviate concerns from internal
stakeholders about third-party data handling and align
with internal policies and regulatory obligations.
Expert Analysis and Reporting:
- Raw Analytics Processing: Corbado can receive raw analytics data directly from your
existing tracking systems. We will perform the necessary calculations and assessments to
determine passkey readiness, factoring in device compatibility and activation statuses.
- Comprehensive Reports: We provide detailed reports that present verified data in an
accessible format. These reports include breakdowns by device type, operating system,
browser, and activation rates, giving you a clear picture of your user base's readiness
for passkeys.
Streamlining the Assessment Process:
- Time and Resource Efficiency: By partnering with Corbado, you save time and
resources that would otherwise be spent on developing in-house analysis tools and
methodologies.
- Expertise and Experience: Corbado's team has extensive experience in passkey
implementation and analysis. Our enterprise assessment strategy recommendations can help
you evaluate your environment and seamlessly integrate passkeys for the enterprise.
Corbado simplifies the initial assessment phase of passkey implementation by providing the
tools and expertise needed to accurately confirm your user base's readiness and identify
where to start the passkey deployment. By leveraging our Passkeys Analyzer and analysis
services, you can confidently proceed with your passkey integration, backed by verified
data and tailored insights.
Become part of our Passkeys Community for updates & support.
Join
3. Application Landscape Mapping#
Understanding your application landscape is essential for integrating passkeys into your
existing systems. This process involves assessing all applications connected to your
authentication system to ensure that changes are backward compatible and won’t disrupt the
user experience.
3.1 Understanding Your Application Landscape#
To effectively integrate passkeys, you first need a clear picture of how your applications
interact with your authentication system. Here’s how to approach it:
- Identify All Connected Applications:
- Web Applications: Web-based logins tend to be easier to update and deploy since
changes are centralized and users do not need to take action. Once updates are
applied, older versions of the system no longer need to be maintained.
- Mobile Applications (Native Apps): Managing updates for native mobile apps is
more complex. Users aren’t forced to update immediately, which can result in
multiple versions being in use simultaneously. It’s important to check whether your
organization can enforce mandatory updates or deactivate older app versions when
significant changes like passkey integration are introduced or if your apps only use
authentication via WebViews.
- Assess Application Update Strategies:
- Mandatory Updates: Determine if your organization can enforce mandatory updates
through app policies or in-app mechanisms that prompt users to update their apps.
- Deactivating Older Versions: Assess whether you have the capability to
deactivate older, incompatible app versions to ensure all users can support new
passkey features. While
this strategy can help ease the transition, it should be done with caution to avoid
negatively impacting user experience.
- Understand How Applications Access the Authentication System:
- API Integration: Some applications interact with your authentication system via
APIs, offering flexibility but requiring careful management of compatibility during
the integration process.
- Dedicated Authentication Pages: Other applications redirect users to dedicated
authentication pages, such as OAuth login flows. You’ll need to ensure that changes
to the authentication process are compatible with this setup to avoid login
failures.
- Evaluate the Current Authentication System Embedded in Applications:
- Completely Self-Developed: Custom-built authentication systems offer the most
control but require more development effort to integrate new features like passkeys.
- Customized Open-Source Solutions: These provide a balance between control and
development effort, but often customizations do not allow to upgrade to the newest
released version of the open-source solution.
- External Authentication Provider (Backend with Custom Implementation): You can
retain some flexibility if only the backend is handled by an external provider and
the frontend is customized by your team (e.g. many
Amazon Cognito,
Keycloak or Supabase
deployments work this way). As passkeys have a large frontend component, you can
implement passkeys freely.
- External Authentication Provider (Complete Frontend & Backend): This option
limits your ability to customize the system, and if passkeys aren’t supported, you
may need to advocate for their inclusion or even migrate to another provider.
- Determine Compatibility and Integration Effort:
- If your system is self-developed or customizable, it will be easier to integrate
passkeys since you can modify authentication flows and user interfaces.
- For external providers that control both the frontend and backend, your ability to
integrate passkeys will depend on their offerings, and if passkeys are unsupported,
you may need to push for their inclusion or migrate systems.
When integrating passkeys, it is essential to ensure backward compatibility, particularly
to prevent any disruptions in existing authentication methods. This is especially
important for users who may still be using older versions of your app. A key part of the
process is to plan for a transition period where both the old and new authentication
systems coexist with seamless fallback to existing MFA, ensuring a smooth changeover.
3.2 How Corbado Helps You At That Stage#
Integrating passkeys into your existing application landscape can be a complex process,
especially if you have multiple applications and connections to authentication systems.
Corbado offers solutions to simplify this process:
- Expert Analysis of Your Application Landscape: Corbado can assist in mapping your
application landscape, helping you identify all applications that interact with your
authentication system and understand how each one accesses it (whether via APIs or
dedicated authentication pages).
- Compatibility Assessment: We can help evaluate the compatibility of your
applications with passkey integration, identifying obstacles related to application
update strategies or older app versions.
Integration with Existing Systems:
- Corbado’s solutions are component-based and can fit into all types of applications –
whether web-based or native mobile apps. We provide UI JavaScript components and native
SDKs that can easily be embedded into your applications.
- There’s no need for a data migration. Your current authentication system remains the
primary source of information, and Corbado’s solutions integrate seamlessly without
disruption.
- Corbado’s backend can connect to any authentication system via API, offering flexibility
for custom-built systems, customized open-source solutions, or most external providers
(e.g. Cognito or Keycloak).
Benefits of Using Corbado:
- Simplified Integration: Corbado’s solutions are designed to work with your existing
infrastructure, reducing the complexity of
integration. Our team handles the technical aspects, allowing your internal team to
focus on other priorities.
- Enhanced Security and User Experience: Integrating passkeys improves both security
and user experience by providing a
passwordless authentication method that’s easy
to use and highly secure.
- Ongoing Support: Corbado offers continued support throughout the integration
process. Our team is experienced in working with large enterprises and understands the
specific challenges they face when deploying
enterprise passkeys.
Corbado simplifies the integration of passkeys into your existing application landscape by
providing flexible, component-based solutions that work with your current authentication
systems. With no need for data migration and seamless compatibility across applications,
our solutions enable you to enhance security and user experience efficiently and
effectively.
4. MFA Landscape Mapping#
Understanding your Multi-Factor Authentication
(MFA) landscape is crucial when integrating passkeys into your authentication system. This
involves a comprehensive analysis of how users sign up, when they are required to add a
second factor, and the various states users may be in throughout the authentication
process.
4.1 Importance of Understanding MFA Deployment#
A clear understanding of your current MFA deployment is essential for maintaining the
security and integrity of your system during the
transition to passkeys. Different
organizations have varying approaches to MFA – some make it optional, while others mandate
it for all users. Recognizing these differences is critical when planning to replace
existing methods like SMS One-Time Passcodes (OTPs) with passkeys.
User Sign-Up and MFA Enrollment:
- Optional MFA: If MFA is optional in your current system, users may or may not have
added a second factor. Identifying which users have enabled MFA helps in planning the
passkey rollout.
- Mandatory MFA: In systems where MFA is mandatory, all users are required to add a
second factor during sign-up or at first login. Understanding this flow ensures that
passkeys can be integrated without disrupting the user experience.
Replacing Existing MFA Methods:
When aiming to replace SMS OTPs with passkeys, it's important to recognize that this
transition affects the two-factor authentication process
(typically, a password plus SMS OTP). Implementing passkeys should occur after the user
has successfully authenticated using the existing 2FA
method. This ensures:
- Security Maintenance: The user is properly verified before new credentials
(passkeys) are issued, maintaining the security level of the system.
- User Trust: Users are more likely to trust and adopt the new authentication method
if it's introduced within a familiar security framework.
Maintaining MFA Fallbacks During Transition:
It's strongly encouraged to maintain your current
MFA fallback
methods, like SMS OTPs, during the initial phase of passkey deployment. This approach
allows for:
- Seamless Migration: Users who are not immediately ready or able to use passkeys can
continue authenticating securely with existing methods.
- Maximized Adoption Rates: Gradual transition helps in accommodating users with
varying levels of technological readiness, thereby increasing overall adoption rates of
passkeys.
- Risk Mitigation: Keeping the existing MFA methods in place reduces the risk of
authentication failures or security breaches during the transition period.
Understanding User States and Security Implications:
A comprehensive understanding of the different states users can be in is extremely
important to maintain the security of the system. Consider the following:
- MFA Enrolled vs. Not Enrolled: Identifying which users have enrolled in MFA helps in
tailoring communication and support during the passkey rollout.
- Type of MFA Used: Knowing whether users are utilizing SMS OTPs,
authenticator apps, or hardware tokens allows for targeted
strategies in replacing these methods with passkeys.
- Device Compatibility: Understanding which devices users are on informs how and when
they can transition to passkeys.
By thoroughly mapping out these aspects, you ensure that all possible scenarios are
accounted for, and that the integrity and security of your authentication system remain
robust throughout the integration of passkeys.
4.2 How Corbado Helps You at That Stage#
Corbado brings extensive experience in integrating passkeys and managing MFA deployments
across a wide range of authentication systems. Our expertise is built on implementing
numerous authentication projects, giving us deep insights into the complexities and edge
cases that organizations may encounter.
Expertise in Diverse Authentication Systems:
- Broad Experience: Having worked with various authentication systems – custom-built,
open-source, and third-party providers – we understand the unique challenges each one
presents.
- Edge Case Identification: Our team is skilled at uncovering potential edge cases
that could affect security or user experience during the
transition to passkeys.
Detailed Flow Chart Mapping:
- Comprehensive Analysis: We assist you in creating detailed flow charts that map out
every possible user journey and authentication state within your MFA landscape.
- State Identification: By visualizing the entire authentication process, we help you
identify critical points where passkeys can be integrated and where existing methods
should be maintained.
- Security Assurance: This detailed mapping ensures that all security considerations
are addressed, and no aspect of the authentication process is overlooked.
Seamless Integration with Your Authentication System:
- Component-Based Solutions: Our components are designed to integrate seamlessly with
your existing infrastructure, whether it's
entirely self-developed or involves external providers.
- MFA Status Updates: We enable real-time updates to the MFA status of users within
your system, ensuring that any changes – like the adoption of passkeys – are accurately
reflected in your core system.
- Minimal Disruption: Our integration approach is aimed at minimizing disruption to
both your system and your users, facilitating a smooth transition to passkeys.
- Customized Solutions: Recognizing that every organization is different, we tailor
our services to meet your specific needs and challenges.
By partnering with Corbado, you leverage a wealth of knowledge and experience that
simplifies the complex task of MFA landscape mapping. Our enterprise assessment
process—incorporating a comprehensive passkeys guide and detailed enterprise
assessments—ensures you receive actionable enterprise assessment strategy recommendations,
streamlining the transition to enterprise passkeys.
5. Conclusion#
Integrating passkeys into a large-scale
consumer deployment requires careful
initial assessment and planning. By thoroughly analyzing device support, mapping your
application landscape, and understanding your MFA deployment, you establish a strong
foundation for enhancing security and user experience while minimizing disruptions. The
key insights from this initial phase include:
- Device Landscape Analysis: Leveraging data analytics to assess device compatibility
and
user behavior
confirms that passkeys are widely supported within your specific user base, maximizing
potential adoption rates and return on investment.
- Application Landscape Mapping: Identifying critical application characteristics and
understanding how your applications interact with your authentication system ensures
that passkeys can be introduced smoothly, without disrupting existing functionalities or
user experience.
- MFA Landscape Mapping: Evaluating the current functionality of your MFA system and
its influence on the passkey project allows for strategic planning, ensuring that
security is maintained and that users can transition seamlessly to the new
authentication method.

Armed with this comprehensive information and a reliable passkeys guide for enterprise
integration, you are now well-prepared to engage internal
stakeholders and proceed confidently to the next steps of
implementing passkeys within your organization—ensuring robust, enterprise-grade security
without the need for a user migration.