• Introduction
• Part 2: Stakeholder Management
• Part 3: Product, Design & Strategy Development
• Part 4: Integrating Passkeys Into an Enterprise Stack
• Part 5: Testing Passkey Implementations

Implementing passkeys into a large-scale consumer deployment is complicated but a great step towards enhancing security, user experience and reducing existing SMS OTP costs. This multi-part series will guide you through the process, starting with the initial assessment that prepares the most important facts to decide implementing passkeys. In this first installment, we will cover:

• Device Landscape: How to utilize data analytics to understand device compatibility and user behavior to be confident that passkeys are widely supported in your specific user audience?
• Application Landscape: What are important considerations before starting the planning, what application characteristics need to be gathered before introducing passkeys?
• MFA Landscape: How does the current functionality of your MFA system affect and influence the planning of your passkey project?

By laying a solid foundation in these areas, you'll be well-prepared to engage into the next steps. It's crucial to conduct a thorough assessment and planning phase—an integral part of our enterprise assessment strategy recommendations for deploying passkeys for enterprise use.

Global passkey-readiness for representative B2C data is at a very high level about 95% due to the widespread support among common operating systems (iOS, Android, Windows, macOS). Still for large enterprises internally it is a big concern to actually confirm those data first. Also based on the type of service there might be a different set of devices. Therefore, the first objective is to ensure that a significant portion of your user base can use passkeys, maximizing possible adoption rates and ROI.

Leverage your existing tracking platforms like Google Analytics, Matomo, or your internal analytics systems to collect detailed data about devices, operating systems, and browsers your users employ. Focus on gathering the following information at least:

• Web Users (Desktop + Mobile):
  • Operating Systems (OS): Identify the OS distribution (e.g., iOS, Android, Windows, macOS, Linux).
  • OS Versions: Determine the specific versions in use (e.g., iOS 18, Windows 10, macOS Big Sur).
  • Browsers: Find out which browsers are most commonly used (e.g., Chrome, Safari, Firefox, Edge).
  • Support: Check the versions to ensure they support WebAuthn / passkeys and determine the passkey-readiness.
• App Users via Native App (e.g. Flutter/Swift/Kotlin):
  • Operating Systems: Assess whether users are on iOS or Android.
  • OS Versions: Identify the versions (e.g., iOS 18, Android 14) to confirm compatibility with WebAuthn / passkeys.
  • App Support: Ensure that a majority of your apps run on versions that support passkey functionalities.
• App Users via WebViews in Native Apps:
  • WebView usage: Determine if users access your authentication services via WebViews within other apps.
  • WebView types: Identify the types of WebViews used (e.g., WKWebView for iOS, WebView for Android) in your apps.
  • WebView Support: In case your passkey creation, login or account settings are loaded via WebView, you have to keep in mind that not all WebViews support passkey operations.

If specific user data isn't available, use global device and browser usage statistics from sources like StatCounter or NetMarketShare to estimate compatibility rates.

After collecting detailed data on your users' devices, operating systems, and browsers, the next step is to analyze this information to determine the passkey-readiness of your user base. This involves assessing the compatibility of various device and software combinations with passkeys, considering both technical support and the likelihood that users have the necessary features activated on their devices.

How to Achieve This:

1. Assess Operating System and Browser Compatibility:
   • Consult Reliable Sources: Use up-to-date resources like passkeys.dev and State of Passkeys to understand which operating systems and browsers support passkeys.
   • Identify Support Levels: For each OS and browser combination, determine if passkeys are supported, partially supported, or not supported.
2. Consider Device-Specific Factors and Activation:
   • Activation on Apple and Android Devices:
     • On Apple (iOS and macOS) and Android devices, platform authenticators (biometrics like Touch ID, Face ID, or fingerprint scanners) are almost always activated by default.
     • If not activated, users are typically guided to enable these features during the passkey creation process, ensuring high passkey readiness.
     • This results in a passkey-readiness that is very close to 100%.
   • Activation on Windows Devices:
     • On Windows, passkey functionality relies on Windows Hello, which may not be activated by default.
     • If Windows Hello is deactivated, passkey functionality cannot be used, and users are not always prompted to activate it during the authentication process.
     • Consequently, Windows devices tend to have lower passkey-readiness compared to Apple and Android devices.
     • However, with the increasing popularity of passkeys, more users are enabling Windows Hello, gradually improving passkey readiness on Windows platforms.
   • Hardware Limitations:
     • Some older devices may lack the necessary hardware (e.g., Hardware Security Modules) even if the OS supports passkeys.
     • This is less common on mobile devices but can affect some desktop and laptop users.
3. Calculate Passkey-Readiness Percentages:
   • Apply Compatibility and Activation Rates: For each category (e.g., Windows 10, iOS 16), assign a passkey-readiness percentage based on both technical compatibility and the likelihood of activation.
   • Weighted Averages: Multiply the total share of each category by its passkey readiness percentage to calculate the overall readiness.

Below is a realistic example of a B2C platform's user base distribution and the derived passkey-readiness percentages. In this scenario, the platform's native apps have moderate adoption rates, and the user base is distributed across various devices and operating systems.

User Base Distribution and Passkey-Readiness:

If you are interested in detailed data regarding the passkey-readiness and activation rate of passkeys on corresponding operating systems, feel free to reach out for more information.

Explanation:

• Web Users (Desktop + Mobile):
  • Android (23% of users):
    • Modern Android devices running recent versions of Chrome support passkeys.
    • Platform authenticators are generally activated, or users are guided to activate them during the passkey setup process.
    • Passkey-Readiness: 94%
  • iOS (26% of users):
    • Devices running iOS 15 and above support passkeys in Safari and other browsers.
    • Biometric authentication is typically enabled, or users are prompted to enable it.
    • Passkey-Readiness: 95%
  • Windows 10 (10% of users):
    • Windows 10 supports passkeys in browsers like Edge and Chrome, but relies on Windows Hello.
    • Many users may have Windows Hello deactivated, and they are not always prompted to activate it during authentication.
    • Passkey Readiness: 85%, accounting for users with Windows Hello disabled.
  • Windows 11 (24% of users):
    • Windows 11 has improved support for passkeys and encourages the use of Windows Hello.
    • Passkey-readiness is higher due to increased activation rates.
    • Passkey-Readiness: 92%
  • macOS & Others (5% of users):
    • Recent versions of macOS support passkeys well.
    • Biometric authentication is typically enabled, with users guided to activate it if necessary.
    • Passkey-Readiness: 95%
• App Users via Native App:
  • Android and iOS Apps (12% combined):
    • Assuming the apps are updated to support passkeys and users are on compatible OS versions.
    • Platform authenticators are generally active or activated during setup.
    • Passkey-Readiness: 95%
• App Users via WebViews:
  • iOS and Android WebViews (0%):
    • In this example, there are no users accessing through WebViews.
    • Passkey-Readiness: 0%

Calculations:

To determine the total passkey-readiness:

1. Multiply the total share of each category by its passkey readiness percentage:
   • Android Web Users: 23% * 94% = 21.62%
   • iOS Web Users: 26% * 95% = 24.70%
   • Windows 10 Users: 10% * 85% = 8.50%
   • Windows 11 Users: 24% * 92% = 22.08%
   • macOS Users: 5% * 95% = 4.75%
   • Android App Users: 6% * 95% = 5.70%
   • iOS App Users: 6% * 95% = 5.70%
   • Webview Users: 0% * 0% = 0%
2. Sum the results:
   • Total Passkey Ready Users = 21.62% + 24.70% + 8.50% + 22.08% + 4.75% + 5.70% + 5.70% + 0% = 93.05%

Interpretation of Total Passkey-Readiness:

Approximately 93% of the user base is ready to use passkeys. This high percentage indicates a strong potential for successful passkey adoption and high SMS cost savings.

Conducting a thorough analysis of passkey-readiness, including considerations of device activation status, allows you to make informed decisions about implementing passkeys in your large-scale consumer deployment. For enterprises aiming to deploy enterprise passkeys, following a well-defined passkeys guide and detailed enterprise assessments can significantly streamline the adoption and rollout process.

Analyzing passkey-readiness across your user base can be a complex and resource-intensive task, especially when considering the nuances of device compatibility and activation statuses. Corbado offers tools and services designed to simplify this process, providing you with accurate and actionable insights to inform your passkey implementation strategy.

Leveraging Passkeys Analyzer Tool:

• Passkeys Analyzer: Corbado's Passkeys Analyzer is a powerful tool that can quickly assess the passkey readiness of your users. By integrating a small, non-invasive JavaScript snippet into your website or application, you can collect data on device compatibility and platform authenticator activation without impacting user experience (fully GDPR-compliant and anonymous). In addition to operating system-based detection the Passkey Analyzer directly detects passkey readiness which includes also users with activated Password Manager. A JavaScript based detection is the most accurate way to detect passkey-readiness.
• Accurate Data Collection: Within a short period, the Passkeys Analyzer gathers detailed information on operating systems, browsers, and whether platform authenticators (like biometrics) are activated on users' devices.

Enterprise Solutions and Private Deployments:

• Private Deployment Options: For enterprises with strict data security and privacy requirements, Corbado offers private deployment of the Passkeys Analyzer. This ensures that all data collection and analysis occur within your secure environment, adhering to your organization's compliance standards.
• Data Ownership and Control: By opting for a private deployment, you maintain full control over the data collected. This can alleviate concerns from internal stakeholders about third-party data handling and align with internal policies and regulatory obligations.

Expert Analysis and Reporting:

• Raw Analytics Processing: Corbado can receive raw analytics data directly from your existing tracking systems. We will perform the necessary calculations and assessments to determine passkey readiness, factoring in device compatibility and activation statuses.
• Comprehensive Reports: We provide detailed reports that present verified data in an accessible format. These reports include breakdowns by device type, operating system, browser, and activation rates, giving you a clear picture of your user base's readiness for passkeys.

Streamlining the Assessment Process:

• Time and Resource Efficiency: By partnering with Corbado, you save time and resources that would otherwise be spent on developing in-house analysis tools and methodologies.
• Expertise and Experience: Corbado's team has extensive experience in passkey implementation and analysis. Our enterprise assessment strategy recommendations can help you evaluate your environment and seamlessly integrate passkeys for the enterprise.

Corbado simplifies the initial assessment phase of passkey implementation by providing the tools and expertise needed to accurately confirm your user base's readiness and identify where to start the passkey deployment. By leveraging our Passkeys Analyzer and analysis services, you can confidently proceed with your passkey integration, backed by verified data and tailored insights.

Understanding your application landscape is essential for integrating passkeys into your existing systems. This process involves assessing all applications connected to your authentication system to ensure that changes are backward compatible and won’t disrupt the user experience.

To effectively integrate passkeys, you first need a clear picture of how your applications interact with your authentication system. Here’s how to approach it:

1. Identify All Connected Applications:
   • Web Applications: Web-based logins tend to be easier to update and deploy since changes are centralized and users do not need to take action. Once updates are applied, older versions of the system no longer need to be maintained.
   • Mobile Applications (Native Apps): Managing updates for native mobile apps is more complex. Users aren’t forced to update immediately, which can result in multiple versions being in use simultaneously. It’s important to check whether your organization can enforce mandatory updates or deactivate older app versions when significant changes like passkey integration are introduced or if your apps only use authentication via WebViews.
2. Assess Application Update Strategies:
   • Mandatory Updates: Determine if your organization can enforce mandatory updates through app policies or in-app mechanisms that prompt users to update their apps.
   • Deactivating Older Versions: Assess whether you have the capability to deactivate older, incompatible app versions to ensure all users can support new passkey features. While this strategy can help ease the transition, it should be done with caution to avoid negatively impacting user experience.
3. Understand How Applications Access the Authentication System:
   • API Integration: Some applications interact with your authentication system via APIs, offering flexibility but requiring careful management of compatibility during the integration process.
   • Dedicated Authentication Pages: Other applications redirect users to dedicated authentication pages, such as OAuth login flows. You’ll need to ensure that changes to the authentication process are compatible with this setup to avoid login failures.
4. Evaluate the Current Authentication System Embedded in Applications:
   • Completely Self-Developed: Custom-built authentication systems offer the most control but require more development effort to integrate new features like passkeys.
   • Customized Open-Source Solutions: These provide a balance between control and development effort, but often customizations do not allow to upgrade to the newest released version of the open-source solution.
   • External Authentication Provider (Backend with Custom Implementation): You can retain some flexibility if only the backend is handled by an external provider and the frontend is customized by your team (e.g. many Amazon Cognito, Keycloak or Supabase deployments work this way). As passkeys have a large frontend component, you can implement passkeys freely.
   • External Authentication Provider (Complete Frontend & Backend): This option limits your ability to customize the system, and if passkeys aren’t supported, you may need to advocate for their inclusion or even migrate to another provider.
5. Determine Compatibility and Integration Effort:
   • If your system is self-developed or customizable, it will be easier to integrate passkeys since you can modify authentication flows and user interfaces.
   • For external providers that control both the frontend and backend, your ability to integrate passkeys will depend on their offerings, and if passkeys are unsupported, you may need to push for their inclusion or migrate systems.

When integrating passkeys, it is essential to ensure backward compatibility, particularly to prevent any disruptions in existing authentication methods. This is especially important for users who may still be using older versions of your app. A key part of the process is to plan for a transition period where both the old and new authentication systems coexist with seamless fallback to existing MFA, ensuring a smooth changeover.

Integrating passkeys into your existing application landscape can be a complex process, especially if you have multiple applications and connections to authentication systems. Corbado offers solutions to simplify this process:

• Expert Analysis of Your Application Landscape: Corbado can assist in mapping your application landscape, helping you identify all applications that interact with your authentication system and understand how each one accesses it (whether via APIs or dedicated authentication pages).
• Compatibility Assessment: We can help evaluate the compatibility of your applications with passkey integration, identifying obstacles related to application update strategies or older app versions.

Integration with Existing Systems:

• Corbado’s solutions are component-based and can fit into all types of applications – whether web-based or native mobile apps. We provide UI JavaScript components and native SDKs that can easily be embedded into your applications.
• There’s no need for a data migration. Your current authentication system remains the primary source of information, and Corbado’s solutions integrate seamlessly without disruption.
• Corbado’s backend can connect to any authentication system via API, offering flexibility for custom-built systems, customized open-source solutions, or most external providers (e.g. Cognito or Keycloak).

Benefits of Using Corbado:

• Simplified Integration: Corbado’s solutions are designed to work with your existing infrastructure, reducing the complexity of integration. Our team handles the technical aspects, allowing your internal team to focus on other priorities.
• Enhanced Security and User Experience: Integrating passkeys improves both security and user experience by providing a passwordless authentication method that’s easy to use and highly secure.
• Ongoing Support: Corbado offers continued support throughout the integration process. Our team is experienced in working with large enterprises and understands the specific challenges they face when deploying enterprise passkeys.

Corbado simplifies the integration of passkeys into your existing application landscape by providing flexible, component-based solutions that work with your current authentication systems. With no need for data migration and seamless compatibility across applications, our solutions enable you to enhance security and user experience efficiently and effectively.

Understanding your Multi-Factor Authentication (MFA) landscape is crucial when integrating passkeys into your authentication system. This involves a comprehensive analysis of how users sign up, when they are required to add a second factor, and the various states users may be in throughout the authentication process.

A clear understanding of your current MFA deployment is essential for maintaining the security and integrity of your system during the transition to passkeys. Different organizations have varying approaches to MFA – some make it optional, while others mandate it for all users. Recognizing these differences is critical when planning to replace existing methods like SMS One-Time Passcodes (OTPs) with passkeys.

User Sign-Up and MFA Enrollment:

• Optional MFA: If MFA is optional in your current system, users may or may not have added a second factor. Identifying which users have enabled MFA helps in planning the passkey rollout.
• Mandatory MFA: In systems where MFA is mandatory, all users are required to add a second factor during sign-up or at first login. Understanding this flow ensures that passkeys can be integrated without disrupting the user experience.

Replacing Existing MFA Methods:

When aiming to replace SMS OTPs with passkeys, it's important to recognize that this transition affects the two-factor authentication process (typically, a password plus SMS OTP). Implementing passkeys should occur after the user has successfully authenticated using the existing 2FA method. This ensures:

• Security Maintenance: The user is properly verified before new credentials (passkeys) are issued, maintaining the security level of the system.
• User Trust: Users are more likely to trust and adopt the new authentication method if it's introduced within a familiar security framework.

Maintaining MFA Fallbacks During Transition:

It's strongly encouraged to maintain your current MFA fallback methods, like SMS OTPs, during the initial phase of passkey deployment. This approach allows for:

• Seamless Migration: Users who are not immediately ready or able to use passkeys can continue authenticating securely with existing methods.
• Maximized Adoption Rates: Gradual transition helps in accommodating users with varying levels of technological readiness, thereby increasing overall adoption rates of passkeys.
• Risk Mitigation: Keeping the existing MFA methods in place reduces the risk of authentication failures or security breaches during the transition period.

Understanding User States and Security Implications:

A comprehensive understanding of the different states users can be in is extremely important to maintain the security of the system. Consider the following:

• MFA Enrolled vs. Not Enrolled: Identifying which users have enrolled in MFA helps in tailoring communication and support during the passkey rollout.
• Type of MFA Used: Knowing whether users are utilizing SMS OTPs, authenticator apps, or hardware tokens allows for targeted strategies in replacing these methods with passkeys.
• Device Compatibility: Understanding which devices users are on informs how and when they can transition to passkeys.

By thoroughly mapping out these aspects, you ensure that all possible scenarios are accounted for, and that the integrity and security of your authentication system remain robust throughout the integration of passkeys.

Corbado brings extensive experience in integrating passkeys and managing MFA deployments across a wide range of authentication systems. Our expertise is built on implementing numerous authentication projects, giving us deep insights into the complexities and edge cases that organizations may encounter.

Expertise in Diverse Authentication Systems:

• Broad Experience: Having worked with various authentication systems – custom-built, open-source, and third-party providers – we understand the unique challenges each one presents.
• Edge Case Identification: Our team is skilled at uncovering potential edge cases that could affect security or user experience during the transition to passkeys.

Detailed Flow Chart Mapping:

• Comprehensive Analysis: We assist you in creating detailed flow charts that map out every possible user journey and authentication state within your MFA landscape.
• State Identification: By visualizing the entire authentication process, we help you identify critical points where passkeys can be integrated and where existing methods should be maintained.
• Security Assurance: This detailed mapping ensures that all security considerations are addressed, and no aspect of the authentication process is overlooked.

Seamless Integration with Your Authentication System:

• Component-Based Solutions: Our components are designed to integrate seamlessly with your existing infrastructure, whether it's entirely self-developed or involves external providers.
• MFA Status Updates: We enable real-time updates to the MFA status of users within your system, ensuring that any changes – like the adoption of passkeys – are accurately reflected in your core system.
• Minimal Disruption: Our integration approach is aimed at minimizing disruption to both your system and your users, facilitating a smooth transition to passkeys.
• Customized Solutions: Recognizing that every organization is different, we tailor our services to meet your specific needs and challenges.

By partnering with Corbado, you leverage a wealth of knowledge and experience that simplifies the complex task of MFA landscape mapping. Our enterprise assessment process—incorporating a comprehensive passkeys guide and detailed enterprise assessments—ensures you receive actionable enterprise assessment strategy recommendations, streamlining the transition to enterprise passkeys.

Integrating passkeys into a large-scale consumer deployment requires careful initial assessment and planning. By thoroughly analyzing device support, mapping your application landscape, and understanding your MFA deployment, you establish a strong foundation for enhancing security and user experience while minimizing disruptions. The key insights from this initial phase include:

• Device Landscape Analysis: Leveraging data analytics to assess device compatibility and user behavior confirms that passkeys are widely supported within your specific user base, maximizing potential adoption rates and return on investment.
• Application Landscape Mapping: Identifying critical application characteristics and understanding how your applications interact with your authentication system ensures that passkeys can be introduced smoothly, without disrupting existing functionalities or user experience.
• MFA Landscape Mapping: Evaluating the current functionality of your MFA system and its influence on the passkey project allows for strategic planning, ensuring that security is maintained and that users can transition seamlessly to the new authentication method.

Armed with this comprehensive information and a reliable passkeys guide for enterprise integration, you are now well-prepared to engage internal stakeholders and proceed confidently to the next steps of implementing passkeys within your organization—ensuring robust, enterprise-grade security without the need for a user migration.