
Passkeys in Consulting: How to Enhance Authentication

Passkeys in consulting help firms streamline authentication. Reduce login friction, enhance security and boost efficiency with passkey advisory services.

leonhard schmidt

Leo

Created: March 17, 2025

Updated: March 24, 2025



1. Key Findings: Passkeys in the Consulting Industry

  • Consultants Handle Highly Sensitive Data: Their privileged access to client information makes them prime phishing targets, demanding robust login security.
  • Complex Security Measures Affect Productivity: Multiple MFA prompts, password resets and disk encryption add friction and cost consultants valuable time.
  • Multiple Domains Compound Challenges: Switching between the firm’s and clients’ environments requires repeated logins, further straining busy schedules.
  • Passkeys Reduce Phishing Risks and Streamline MFA: Public-key cryptography eliminates shared secrets, domain-binding prevents phishing and the convenience of passkeys simplifies user authentication.
  • Passkey Adoption Can Increase Efficiency: In a fully passkey-enabled environment, consultancies could seamlessly handle multiple accounts with minimal repeated authentication, balancing strong security with improved workflow.

2. Passkey Consulting Services for Passkey Integration

Looking for expert passkey consulting services to integrate passkeys into your existing authentication stack? Our passkey advisory services provide in-depth guidance on passkey implementation consulting, ensuring a smooth transition to modern authentication.

With extensive expertise in IAM consulting and passkey strategy consulting, we help organizations deploy secure, phishing-resistant authentication while minimizing disruption to existing workflows.

Our passkey expertise consulting covers:

  • Passkey integration advice tailored to your infrastructure
  • End-to-end passkey project consulting for seamless rollout
  • Best practices in passkey implementation to enhance security & UX
  • Troubleshooting and optimization of passkey adoption

Whether you're evaluating passkey strategy consulting or need hands-on passkey deployment support, we can help. Contact us today for expert passkey advice and transform your authentication experience.


3. Introduction: Why Cyber Security matters in Strategy Consulting

In strategy consulting, securing digital information is not only a formality but rather a fundamental necessity. Consultants are entrusted with highly sensitive data, from M&A plans and competitive strategies to intellectual property and financial forecasts that can make or break a client’s market position. A single security breach can cause severe legal repercussions, brand damage and a loss of trust that can take years to rebuild. For both consultancies and their clients, the stakes couldn’t be higher.

3.1 Deloitte Consulting Rhode Island Cyber Attack 2024

Let’s take an example. In 2024, Deloitte Consulting LLP failed to protect the sensitive information of Rhode Island individuals applying for or receiving government benefits, leading to a December cyberattack that exposed the personal data of thousands, a proposed class action said. Relative to revenue, this is not a large sum, but the damage to the firm’s image among potential clients can be all the greater, especially in the low-margin Big Four consulting business.


Because of this risk, consultants are prime targets for phishing attempts. Cyber criminals reason that if they can compromise a consultant’s account, they gain valuable data - often across multiple client engagements. From carefully crafted emails pretending to be internal IT requests to malicious files disguised as routine documents, phishing attacks exploit the high-pressure environment consultants operate in, hoping that even the most diligent professionals might slip up when juggling complex deliverables.

3.2 The Downsides of High Security Standards in Consulting

The natural response from consultancies is a “better safe than sorry” posture: disk encryption (e.g. BitLocker), VPN connections, endpoint monitoring tools, password rotation every 60 or 90 days, multi-factor authentication (MFA) and even device-locking mechanisms that trigger after a brief period of inactivity. These measures are important for protecting data. However, they also create friction for end-users. Consider a typical consultant’s day:

  • Frequent system lockouts: If you step away from your laptop for coffee or to take a phone call, you’ll need to re-enter long passwords or go through a second biometric check.
  • Slow performance: Continuous monitoring and encryption services can sap your device’s speed, particularly if you’re analyzing massive Excel files or running sophisticated data analytics.
  • Missed deadlines or awkward meetings: If a session times out at an inopportune moment - like a client workshop - productivity grinds to a halt and you risk appearing unprepared.

In strategy consulting, time literally is money. Every additional minute spent fiddling with authentication or waiting for antivirus checks is a minute not spent delivering insights for your client. Over months and years, these micro-delays accumulate into significant productivity losses. At times, extreme security can also hamper user experience so severely that crucial tasks - such as retrieving a large file quickly for a stakeholder meeting - are delayed or obstructed, hurting the consultant’s effectiveness on the job.

Let’s explore the following:

  • The three main login scenarios that consultants deal with
  • Why they can be so disruptive
  • How passkey solutions might offer a more seamless alternative

4. Analysis of Login Behavior at Consultancies and Advisories

4.1 Base Case: Logging into the Company Laptop

Let’s start with a situation everyone in consulting faces daily: turning on a company-issued Windows laptop to kick off the workday. Typically, you’ll encounter:

  1. BitLocker PIN: An 8-digit numeric code required to decrypt the hard drive before Windows boots up.
  2. Windows Login: A password, PIN or biometric check (e.g. fingerprint or face recognition via Windows Hello).
  3. Security Software Checks: Company policies often demand real-time monitoring agents or VPN validation, which can take extra time and resources to load.

While this setup is understandable for high-stakes data protection, it also creates friction - particularly when you’re busy switching between tasks. Consultants might lock and unlock their laptops dozens of times a day as they move between meeting rooms, take calls, or manage sensitive emails. Each step, from the BitLocker PIN to Windows login, adds a few more seconds or clicks.

In a normal office job, these seconds may be negligible. However, in consulting, where days can stretch into late evenings and early mornings on tight client deadlines, micro-delays accumulate. Over weeks, the time spent repeatedly performing MFA or entering passwords can become substantial, reducing overall productivity and contributing to user fatigue.

When Laptop Login Becomes a Bottleneck

  • Performance Overhead: Background security scans can slow your device, so you’re often waiting for your machine to “warm up” even after logging in.
  • Frequent Lockouts: Sensitive data leads to stricter idle-time policies, meaning your device might lock itself far more quickly than a typical laptop would.
  • Relogin Loops: A short coffee break or phone call can force another cycle of BitLocker PIN → Windows password → MFA.

These are not insurmountable hurdles, but they do sap mental energy. In high-pressure strategy consulting, every moment counts and these interruptions can disrupt the flow needed for deep analytical or creative work.

4.2 Login to 3rd Party Applications

Next, consultants rely on a wide range of third-party apps to support their workflow:

  • Project Management: Trello, Asana, or Jira.
  • Collaborative Brainstorming: Miro or MURAL.
  • Administrative Tools: HR platforms like Personio, time-tracking portals and travel expense tools.
  • File Storage/Sharing: Often integrated with OneDrive, Box, or Google Drive, depending on client and firm preferences.

To streamline these services, most consultancies adopt Single Sign-On (SSO) solutions, such as Okta or Microsoft Azure AD. On paper, SSO lets you remember a single username and password to access multiple applications. In practice, SSO usually requires a second layer of MFA:

  1. You navigate to the SSO portal and enter corporate credentials.
  2. You might receive a push notification on your phone. You must confirm this via fingerprint or PIN.
  3. The SSO portal confirms your identity and grants you temporary session tokens to access third-party apps.

This process can repeat multiple times a day whenever sessions expire. For instance, if your Trello session times out or you need to open the HR platform after a period of inactivity, you might have to repeat the entire MFA step. Coupled with the standard security software checks, all these steps can feel redundant.

Micro-stress: Thirty seconds here, two minutes there - it all adds up. When under a deadline to deliver a client deck, you might only need to glance at Trello for a quick task update; an extra MFA loop can feel disproportionately burdensome.

While it’s vastly more secure than the old days of reusing weak passwords across multiple applications, this approach often results in what we call “authentication fatigue.” When you’re juggling several tasks simultaneously - preparing slides, taking a call and retrieving data from an HR portal - these forced breaks in momentum can be exasperating.

4.3 Login to Client Environments

This is where consulting truly differentiates itself from other corporate jobs. You’re not just dealing with your consultancy’s internal security protocols but also those of your clients. Over the course of a single year, many consultants rotate through up to eight different projects, each with its own environment and authentication approach.

  1. External Email Accounts: Often, you receive an external email address like firstname.lastname@client-external.com to sign into the client’s Office 365 or other services.
  2. Two-Factor or More: Clients frequently have their own MFA methods, meaning you might have to manage separate authentication apps or hardware tokens.
  3. File Sharing: Clients may block external sharing links altogether, forcing you to download large data sets only through their secure network or a dedicated folder.

4.3.1 The Double-Domain Dilemma of Being an Advisor

A major friction point arises when you need to alternate between your consulting firm’s domain and the client’s domain within the same day - or even multiple times an hour. You might be working on client files in Microsoft Teams or SharePoint (logged in with your client-external.com account), then suddenly need to access your internal HR system or time-tracking portal. Each transition can involve:

  • Logging out of the client account.
  • Clearing cookies or switching to an incognito window.
  • Logging back into your consultancy’s domain with your standard SSO and MFA.
  • Then logging out again to re-access the client environment.

While some use a second browser profile or incognito windows, these are workarounds rather than solutions - and still require repeated logins. Microsoft Teams, for example, supports multiple accounts in theory, but wasn’t truly designed for frequent switching between them. Consultants often find that switching accounts within Microsoft Teams triggers additional authentication loops or partial logouts, forcing them to re-verify credentials over and over.

4.3.2 Result: Time-Consuming, High-Friction Login Experience

This back-and-forth is time-consuming and stressful, especially under tight project deadlines. The lack of smooth multi-account transitions adds friction exactly when you need quick, seamless access to data and collaboration tools.

5. How Passkeys could ease the Pain in Consulting Scenarios

Let’s analyze the potential of passkeys for these use cases.

5.1 Security Benefits & User Convenience for Advisories

Passkeys represent a modern approach to authentication, built on public-key cryptography standards like FIDO2 and WebAuthn. A passkey involves a public key stored with the service provider (e.g. your consultancy or client’s server) and a private key stored securely on your device (e.g., in a Trusted Platform Module or Secure Enclave). This arrangement confers several advantages:

  • Phishing-Resistance: Attackers can’t trick you into revealing your private key because it never leaves your device. Even if you clicked on a fake login page, there’s no password to steal.
  • Consolidated MFA: Biometric or PIN-based approval on your device can act as both “something you have” and “something you are/know,” effectively fulfilling multiple factors in one step.
  • Speed and Simplicity: No more laborious password creation or rotation. You simply confirm your identity via a fingerprint scan or Face ID, and the passkey completes a secure cryptographic challenge in the background.
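
The domain binding behind the phishing-resistance point can be seen from the server side. The following is an added example, not code from this article or from any vendor: the binding checks a relying party runs on a WebAuthn assertion, showing a look-alike origin and a stale challenge being rejected. The RP ID, origin and sample assertions are constructed assumptions, and signature verification with the stored public key is left out.

```python
import base64
import hashlib
import hmac
import json
import struct

# Assumed relying-party settings (constructed for this example).
RP_ID = "sso.consultancy.example"
EXPECTED_ORIGIN = "https://sso.consultancy.example"
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified by device biometric or PIN


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_assertion_binding(client_data_json, authenticator_data, expected_challenge):
    """Return the failed checks (empty list = pass). The signature over
    authenticatorData || SHA-256(clientDataJSON) must still be verified with
    the stored public key afterwards; that step is omitted here."""
    errors = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        errors.append("wrong ceremony type")
    sent = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(sent, b64url(expected_challenge).encode()):
        errors.append("challenge mismatch")
    # The browser, not the page, writes the origin, so a look-alike site cannot fake it.
    if client.get("origin") != EXPECTED_ORIGIN:
        errors.append("origin mismatch")
    if len(authenticator_data) < 37:
        return errors + ["authenticator data too short"]
    # Layout: 32-byte SHA-256 of the RP ID, 1 flag byte, 4-byte big-endian counter.
    rp_id_hash, flags, _count = struct.unpack(">32sBI", authenticator_data[:37])
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        errors.append("rpIdHash mismatch")
    if not flags & FLAG_UP:
        errors.append("user not present")
    if not flags & FLAG_UV:
        errors.append("user not verified")
    return errors


def make_sample(origin, rp_id, challenge, flags=FLAG_UP | FLAG_UV):
    """Constructed stand-in for what a browser and authenticator would return."""
    client_data = json.dumps({"type": "webauthn.get", "origin": origin,
                              "challenge": b64url(challenge)}).encode()
    auth_data = struct.pack(">32sBI", hashlib.sha256(rp_id.encode()).digest(), flags, 1)
    return client_data, auth_data


def demo():
    challenge = bytes(range(32))  # constructed; a real server issues random bytes per login
    genuine = make_sample(EXPECTED_ORIGIN, RP_ID, challenge)
    lookalike = make_sample("https://sso.consultancy-login.example",
                            "sso.consultancy-login.example", challenge)
    stale = make_sample(EXPECTED_ORIGIN, RP_ID, b"\x00" * 32)
    return [check_assertion_binding(cd, ad, challenge) for cd, ad in (genuine, lookalike, stale)]


if __name__ == "__main__":
    for label, result in zip(("genuine", "look-alike origin", "stale challenge"), demo()):
        print(label, "->", "accepted" if not result else "rejected: " + ", ".join(result))
```

Because the origin and RP ID hash are covered by the authenticator's signature, an assertion relayed from a look-alike page fails these checks even when the user approved the prompt.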

5.2 Comparison to Existing IAM Methods

  • Passwords + Password Managers: While password managers help generate strong credentials, they still rely on a shared secret. By contrast, a passkey exchange never reveals your private key to the server.
  • SSO + MFA: SSO remains valuable, but passkeys can simplify how often you’re prompted to prove your identity. Instead of receiving a smartphone push for every app you open, you could rely on a single passkey-based authentication per session.

Potential Data Point: According to early enterprise trials, large firms adopting passkeys saw a 50% decrease in password-related support tickets - ranging from resets to account lockouts - and a substantial drop in phishing incidents.

5.3 Revisiting the Three Use Cases

  1. Company Laptop: With passkeys, disk encryption and user login could merge into a single, biometric-driven step. While pre-boot disk encryption such as BitLocker will still need a key, future hardware and OS integrations could tie this neatly into a device’s onboard secure element.
  2. 3rd Party Apps: A passkey-based SSO workflow would allow near-instant verification whenever you log into Trello, Miro, or HR portals. Instead of re-entering a password or waiting for an MFA push, you’d confirm with your local device biometrics.
  3. Client Environments: The holy grail would be a passkey federation where multiple domains trust your single cryptographic credential. Switching between your consultancy and various client domains would be more like selecting the appropriate identity from your passkey manager, significantly reducing the repetitive logouts and re-logins.

6. Potential Limitations of Passkeys in Consulting

It’s important to acknowledge that passkeys aren’t a cure-all. Especially in consulting, where multiple organizations, regulations, and IT ecosystems intersect, there are hurdles:

6.1 Regulatory & Compliance Constraints in some Industries

Clients in regulated industries (e.g. banking, healthcare) may still require legacy authentication methods for compliance.

Some regulators have not yet formally recognized synced passkey-based logins as a compliant authentication method. However, this is likely going to change in the very near future.

6.2 Consulting Clients might not be Passkey-Ready

Consultants can’t force a client’s IT department to overhaul their infrastructure. If the client environment relies on legacy systems, passkeys might not be an option.

Rolling out passkey support often requires server-side updates or new protocols. Older or proprietary platforms can be slow to adapt.

6.3 Consultants use multiple Devices

Many consultants switch between a company laptop, personal tablet and smartphone. Passkeys typically sync via cloud services (e.g. iCloud Keychain, Google Password Manager), and cross-platform compatibility is still evolving.

6.4 Adaptability of Consultants

While consultants are often tech-savvy, widespread adoption requires training and a shift in habits. Even a simpler method can feel foreign at first.

However, given consultants’ reputation for agility, this shouldn’t be a major stumbling block once the technology is well-introduced.

6.5 Inconsistent Passkey Implementations

If you work with multiple clients, some may have partially implemented passkeys, others might be purely password-based, and still others rely on proprietary tokens. This patchwork can reduce the overall benefits passkeys provide, since friction remains in certain domains.

Despite these constraints, passkeys tackle many of the most irritating problems associated with the current reliance on passwords, tokens, and frequent MFA prompts - particularly in complex, multi-domain environments.

7. Conclusion: Passkeys, Logins & Authentication in Consulting

In this blog post, we tried to answer the following question:

Does it make sense for consultancies to employ passkeys wherever possible?

Given the complexity of Login @ Consulting - layered security protocols, multiple third-party tools, and frequent client-domain switching - passkeys offer a compelling vision. They significantly improve phishing-resistance, slash login friction, and could unify the user experience across multiple environments.

Yet full adoption won’t happen overnight. Legacy systems, regulatory hesitations, and varying client readiness mean the transition will be incremental. Despite these challenges, the passwordless login revolution is gaining momentum - driven by major players like Apple, Google and Microsoft pushing for broader FIDO2/WebAuthn adoption.

For consultants, passkeys hold great potential: a more secure consulting environment that requires fewer hoops to jump through when switching tasks, significantly reducing the daily frustration of repeated logins and persistent MFA prompts. Over time, as more clients align with these standards, we could see an authentication landscape that’s both more user-friendly and more robust against modern cyber threats.

Looking Ahead: Passkeys can be a major UX uplift in Consulting

Imagine powering on your laptop and being instantly recognized via a biometric check, unlocking both your disk encryption and your corporate session without needing separate PIN codes. Switching between your firm’s Office 365 domain and a client’s Teams environment might be as simple as selecting the relevant passkey in a single sign-on dashboard - no cookie clearing, no repeated incognito sessions. If you momentarily lose internet connection or your phone battery dies, your device still has a locally stored private key to authenticate you securely.

For strategy consultants who often log in dozens of times a day, that’s an immense relief - and a direct enabler of better client service.

No single technology solves every pain point, but as consultancies grapple with the perfect blend of efficiency and security, adopting passkeys wherever feasible is a logical, forward-looking step.

8. Final Thoughts: Passkeys will enter the Consulting World

For a field that thrives on maximizing efficiency, strategy consulting can benefit greatly from modernizing its authentication methods. By addressing both security needs and user experience, passkeys stand to transform the way consultants juggle multiple logins across various environments. While legacy constraints remain, the momentum towards passwordless login is growing. Consultants - who already navigate some of the tightest timelines and highest client expectations - stand to gain significantly by championing and adopting passkey solutions where possible.

About the Author

Leonhard spent four years at BCG TDA, where he focused on digital transformation and data-centric consulting engagements. He then moved to a private equity firm, where he encountered similar challenges during due diligence phases and while improving operations at portfolio companies. Drawing on these experiences, Leonhard advocates for practical, secure solutions like passkeys that minimize friction and guard sensitive data in both consulting and investment environments.
