Learn how mandating MFA exposes UX, recovery and helpdesk challenges and find a step-by-step plan to transition from legacy MFA to passkeys.
Max
Created: August 13, 2025
Updated: August 14, 2025
Multi-Factor Authentication (MFA) has decisively shifted from a security feature for proactive users to a non-negotiable, mandated reality for organizations worldwide. This transformation is not driven by choice but by necessity, fueled by relentless credential-based cyberattacks and mounting regulatory pressure. Industries from financial services to the public sector now operate under frameworks that make MFA a baseline for compliance. This new era, where MFA is enforced rather than offered, introduces a cascade of complex challenges that extend far beyond the initial technical implementation.
When every user must use MFA, a new set of critical questions emerges that every organization must answer. This article will explore these challenges in depth, providing a clear path forward. We will address:
What are the hidden operational costs and user experience pitfalls of enforcing MFA at scale?
When given a choice, which MFA methods do users actually adopt, and what security risks does this create?
How does account recovery become the new primary challenge in a mandated environment, and what are the trade-offs in solving it?
Why are passkeys the strategic solution to the very problems created by MFA mandates, not just another option?
What is a practical, step-by-step blueprint for successfully transitioning from mandated legacy MFA to the superior security and user experience of passkeys?
This analysis provides a clear, actionable blueprint for a successful transition from single-factor authentication, through mandated MFA, to mandated passkeys.
Before exploring the challenges of enforcement, it is crucial to establish a clear understanding of the authentication landscape and why mandates fundamentally alter it. The terminology itself can be a source of confusion, but the distinctions are critical for any security or product strategy.
The evolution of authentication is a direct response to the inherent weakness of its most basic form.
Single-Factor Authentication (SFA): The familiar username and password combination. It relies on a single "knowledge" factor, something the user knows. Its vulnerability to phishing, credential stuffing, and brute-force attacks is the primary driver for stronger methods.
Two-Step Verification (2SV): Often used interchangeably with MFA, 2SV is a distinct and weaker process. It requires two verification steps but may use two factors from the same category. A common example is a password followed by a security question, both of which are "knowledge" factors. While better than SFA, it does not meet the criteria for true multi-factor security.
Multi-Factor Authentication (MFA): The security gold standard, MFA requires verification from at least two different categories of authentication factors. The three primary categories are:
Knowledge: Something the user knows (e.g., a password, a PIN).
Possession: Something the user has (e.g., a mobile phone receiving a code, a hardware security key).
Inherence: Something the user is (e.g., a fingerprint, facial recognition).
The transition from optional to mandatory MFA is a paradigm shift. An optional system allows for gradual adoption by the most security-conscious users, hiding the true friction points. A mandate forces the entire user base, from the tech-savvy to the tech-averse, onto the new system simultaneously, exposing every flaw in the user experience and support structure.
This shift has been accelerated by regulatory catalysts, most notably Europe's second Payment Services Directive (PSD2) and its requirement for Strong Customer Authentication (SCA). This regulation fundamentally reshaped the European payments landscape by mandating MFA for most online transactions. By forcing financial institutions to adopt open APIs and stronger security, PSD2 provides a massive, real-world case study in enforced authentication.
The primary goal of SCA was to reduce fraud by requiring two independent authentication factors for electronic payments. However, the initial rollout created significant friction, with some European merchants losing nearly 40% of transactions due to user confusion and cart abandonment. Over time, the ecosystem adapted, and an August 2024 report from the European Central Bank confirmed that SCA-authenticated transactions now have significantly lower fraud rates. This demonstrates the long-term security benefit, but also highlights the critical need to balance security with user experience.
While these mandates initially create friction, they also produce an environment of involuntary mass education. When millions of users are forced by their banks to approve a transaction with a fingerprint or a code, they become familiar with the concept of a second factor. This normalization, driven by regulation, paradoxically smooths the path for other organizations. The conversation can evolve from "What is MFA and why do I need it?" to "Here is our new, easier way to do the security step you already know." This creates the perfect foundation for introducing a superior experience like passkeys.
Enforcing MFA across an entire user base uncovers a host of practical challenges that are often underestimated during initial planning. These issues impact user experience, security posture, and operational costs.
When enrollment is mandatory, a poor user experience is no longer just an annoyance; it becomes a direct obstacle to business operations. Organizations typically choose between two strategies: forced enrollment, which requires MFA setup on the next login, or progressive enrollment, which prompts users over time. While forced enrollment achieves compliance faster, it risks higher user frustration and drop-off if the process is not seamless. Success hinges on adhering to UX best practices, such as offering multiple authentication methods, providing crystal-clear instructions, and ensuring accessibility for all users, for instance by providing a text-based secret key alongside a QR code for authenticator apps.
Once MFA is active on an account, losing a second factor means being completely locked out. In a mandated world, this isn't an isolated incident for a few security-conscious users; it becomes a widespread, critical challenge for the entire user base and the support teams who serve them. This makes account recovery the single greatest challenge.
The financial stakes are high: a single helpdesk-led password or MFA reset can cost a company an average of $70. For an organization with hundreds of thousands of users, even a small percentage needing recovery can translate into millions of dollars in operational costs and lost productivity.
Organizations are left with a difficult trade-off between security, cost, and convenience:
Helpdesk-Led Recovery: A support agent can verify the user's identity through a video call or other means. This is a secure, human-verified process but is prohibitively expensive and slow to scale, making it unsustainable for most businesses.
Email/SMS-Based Recovery: This is the most common method due to its low cost and user familiarity. However, it is also a critical security vulnerability. If an attacker has already compromised a user's email account, a common precursor to other attacks, they can easily intercept the recovery code and bypass MFA entirely. This method effectively negates the security benefits the mandate was intended to provide.
Pre-Enrolled Backup Codes: Users are given a set of one-time-use backup codes during enrollment. While more secure than email recovery, this approach adds friction to the initial setup. Furthermore, users frequently fail to store these codes securely or lose them, which ultimately leads them back to the same lockout problem.
Selfie-ID Verification: This high-assurance method requires the user to take a live selfie and a photo of a government-issued ID (like a driver's license or passport). AI-powered systems then match the face to the ID to confirm identity. While common in banking and financial services where identity is verified during onboarding, it raises privacy concerns for some users and requires them to have their physical ID on hand.
Digital Credentials & Wallets: An emerging, forward-looking option involves using verifiable digital credentials stored in a digital wallet. A user could present a credential from a trusted issuer (like a government or bank) to prove their identity without going through a service-specific recovery flow. This method is still in its early stages but points to a future of more portable and user-controlled identity verification.
A frequent and critical failure point in any MFA system is the device lifecycle. When a user gets a new phone, the continuity of their authentication method is paramount.
SMS: This method is relatively portable, as a phone number can be transferred to a new device via a new SIM card. However, this very process is the attack vector exploited in SIM-swapping attacks, where a fraudster convinces a mobile carrier to port the victim's number to a SIM they control.
Authenticator Apps (TOTP): This is a major source of user friction. Unless the user has proactively enabled a cloud backup feature within their authenticator app (a feature that is not universal and not always used), the secret keys that generate the codes are lost with the old device. This forces the user into a full, and often painful, account recovery process for every single service they had secured.
Push Notifications: Similar to TOTP apps, push-based MFA is tied to a specific app installation on a registered device. A new phone requires a new enrollment, triggering the same recovery challenges.
When an organization mandates MFA and offers a choice of methods, a predictable pattern emerges: +95% of users gravitate toward what is most familiar and perceived as easiest, which is often SMS-based one-time passcodes (OTPs). This behavior creates a paradox. A CISO can mandate MFA to improve security. However, if many users continue to rely on a phishable method like SMS, the organization can achieve 100% compliance without materially improving its defenses against sophisticated attacks. Recognizing this, platforms like Microsoft have introduced "system-preferred MFA," which actively nudges users toward more secure options like authenticator apps over SMS or voice calls. This highlights a critical lesson: simply mandating MFA is insufficient. The type of MFA matters profoundly, and organizations must actively steer users away from weaker, phishable factors.
The decision to mandate MFA has a direct and measurable impact on operational resources. It inevitably triggers a surge in helpdesk tickets related to enrollment problems, lost authenticators, and recovery requests. Gartner research indicates that 30-50% of all IT support calls are already for password-related issues; mandated MFA, especially when paired with cumbersome recovery flows, significantly exacerbates this burden. This translates to direct costs that CTOs and Project Managers must anticipate. Moreover, the helpdesk itself becomes a prime target for social engineering attacks, where attackers impersonate frustrated, locked-out users to trick support agents into resetting MFA factors on their behalf.
Examining large-scale, real-world implementations of mandated MFA provides invaluable lessons on what works and what creates significant friction. Rather than focusing on specific companies, we can distill these experiences into several universal truths.
Initial Friction is Inevitable, but Manageable: The European SCA rollout demonstrated that forcing a major change in user behavior, even for security, will initially harm conversion rates. However, it also showed that with refined processes and user habituation, these negative effects can be mitigated over time. The key is to anticipate this friction and design the most streamlined, user-friendly flow possible from the outset.
User Choice is a Double-Edged Sword: When given options, users consistently choose the path of least resistance, which often means selecting familiar but less secure MFA methods like SMS. This leads to a state of "compliance theater," where the organization meets the letter of the mandate but not its spirit, remaining vulnerable to phishing. A successful strategy must actively guide users toward stronger, phishing-resistant options.
Recovery Becomes the Achilles' Heel: In a mandated world, account recovery transforms from an edge case into a primary operational burden and a critical security vulnerability. Relying on email or SMS for recovery undermines the entire security model, while helpdesk-led recovery is financially unsustainable. A robust, secure, and user-friendly recovery process is not an afterthought; it is a core requirement for any successful mandate.
Phased Rollouts Dramatically Reduce Risk: Attempting a "big bang" rollout to an entire user base is a high-risk strategy. A more prudent approach, proven in large enterprise deployments, is to pilot the new system with smaller, non-critical user groups first. This allows the project team to identify and resolve bugs, refine the user experience, and gather feedback in a controlled environment before a full-scale deployment.
A Centralized Identity Platform is a Powerful Enabler: Organizations with a pre-existing, centralized Identity and Access Management (IAM) or Single Sign-On (SSO) platform are far better positioned for a smooth rollout. A central identity system allows for the rapid and consistent application of new authentication policies across hundreds or thousands of applications, significantly reducing the complexity and cost of the project.
Passkeys, built on the FIDO Alliance's WebAuthn standard, are not just an incremental improvement over legacy MFA. Their underlying architecture, based on public-key cryptography, is purpose-built to solve the most painful and persistent problems created by MFA mandates.
Solving the Recovery Nightmare: The single biggest challenge of mandated MFA is account recovery. Passkeys address this head-on. A passkey is a cryptographic credential that can be synced across a user's devices through their platform ecosystem (like Apple's iCloud Keychain or Google Password Manager). If a user loses their phone, the passkey is still available on their laptop or tablet. This dramatically reduces the frequency of lockouts and lessens the reliance on insecure recovery channels like email or costly helpdesk interventions.
Solving the Device Lifecycle Problem: Because passkeys are synced, the experience of getting a new device is transformed from a point of high friction to a seamless transition. When a user signs into their Google or Apple account on a new phone, their passkeys are automatically restored and ready to use. This eliminates the painful, app-by-app re-enrollment process required by traditional, device-bound authenticator apps.
Solving the User Preference Paradox: Passkeys resolve the classic security-versus-convenience trade-off. The most secure authentication method available, phishing-resistant public-key cryptography, is also the fastest and easiest for the user. A single biometric gesture or device PIN is all that's required. There is no incentive for a user to choose a weaker, less secure option, because the strongest option is also the most convenient.
Solving the Phishing Vulnerability: Passkeys are phishing-resistant by design. The cryptographic key pair created during registration is bound to the specific origin of the website or app (e.g., corbado.com). A user cannot be tricked into using their passkey on a look-alike phishing site (e.g., corbado.scam.com) because the browser and operating system will recognize the origin mismatch and refuse to perform the authentication. This provides a fundamental security guarantee that no method based on shared secrets (like passwords or OTPs) can offer.
Solving MFA Fatigue: A single, simple user action, like a Face ID scan or fingerprint touch, simultaneously proves possession of the cryptographic key on the device ("something you have") and inherence via the biometric ("something you are"). This feels like a single, effortless step to the user but cryptographically satisfies the requirement for multi-factor authentication. This allows organizations to meet stringent compliance standards without adding the extra steps and cognitive load associated with legacy MFA.
Transitioning from legacy MFA to a passkey-first strategy requires a deliberate, multi-stage approach that addresses technology, user experience, and business goals.
Before you can mandate passkeys, you must understand your user base's technical capacity to adopt them. This is a critical first step to gauge the feasibility and timeline of a rollout.
Analyze Your Device Landscape: Use existing web analytics tools to gather data on the operating systems (iOS, Android, Windows versions) and browsers your users favor.
Deploy a Passkey Readiness Tool: For more precise data, a lightweight, privacy-preserving tool like the Corbado Passkeys Analyzer can be integrated into your website or app. It provides real-time analytics on the percentage of your users whose devices support platform authenticators (like Face ID, Touch ID, and Windows Hello) and crucial UX enhancements like Conditional UI, which enables passkey autofill. This data is essential for building a realistic adoption model.
The transition to passkeys will be gradual, not instantaneous. A successful strategy requires a hybrid system that promotes passkeys as the primary, preferred method while providing a secure fallback for users on incompatible devices or for those who have not yet enrolled.
Choose an Integration Pattern:
Identifier-First: The user enters their email or username. The system then checks if a passkey is registered for that identifier and, if so, initiates the passkey login flow. If not, it seamlessly falls back to a password or another secure method. This approach offers the best user experience and typically leads to higher adoption rates.
Dedicated Passkey Button: A "Sign in with a passkey" button is placed alongside the traditional login form. This is simpler to implement but places the onus on the user to select the new method, which can result in lower usage.
Ensure Fallbacks are Secure: Your fallback mechanism must not undermine your security goals. Avoid falling back to insecure methods like SMS OTPs. A stronger alternative is to use a time-sensitive one-time code or magic link sent to the user's verified email address, which serves as a possession factor for a specific session.
Effective communication is paramount for a smooth rollout. The goal is to frame passkeys not as another security hassle, but as a significant upgrade to the user's experience.
Benefit-Driven Messaging: Use clear, simple language that focuses on user benefits: "Sign in faster and more securely," "Say goodbye to forgotten passwords," and "Your fingerprint is now your key." Consistently use the official FIDO passkey icon to build recognition.
Phased Rollout Strategy:
Start with "Pull" Adoption: Initially, offer passkey creation as an option within the user's Account Settings page. This allows early adopters and tech-savvy users to opt-in without disrupting the flow for everyone else.
Move to "Push" Adoption: Once the system is stable, begin proactively prompting users to create a passkey immediately after they successfully sign in with their old password. This captures users when they are already in an "authentication mindset."
Integrate into Onboarding: Finally, make passkey creation a primary, recommended option for all new user sign-ups.
A data-driven approach is essential to validate the investment in passkeys and to continuously optimize the experience. All teams should track metrics relevant to their roles.
Adoption & Engagement Metrics:
Passkey Creation Rate: The percentage of eligible users who create a passkey.
Passkey Usage Rate: The percentage of total logins that are performed with a passkey.
Time-to-First Key Action: How quickly new users perform a critical action after adopting passkeys.
Business & Operational Metrics:
Reduction in Password Reset Tickets: A direct measure of reduced helpdesk costs.
Reduction in SMS OTP Costs: Tangible cost savings from eliminating a legacy factor.
Login Success Rate: Comparing the success rate of passkey logins to password/MFA logins.
Decrease in Account Takeover Incidents: The ultimate measure of security effectiveness.
The following tables provide a concise summary, comparing authentication methods and mapping passkey solutions directly to common business pain points.
Method | Phishing Resistance | User Friction (Login) | Recovery Complexity | Device Portability | Operational Cost (Helpdesk/SMS) |
---|---|---|---|---|---|
Password-only (SFA) | Very Low: Highly vulnerable to phishing and credential stuffing. | Medium: Prone to forgotten passwords, requiring resets. | Medium: Relies on insecure email recovery. | High: Portable, but so are the risks. | High: Primary driver of helpdesk calls. |
Mandated SMS OTP | Low: Vulnerable to phishing, social engineering, and SIM-swapping attacks. | High: Requires waiting for and typing a code. | Medium: Relies on phone number access. | High: Number is portable, but so is the SIM-swap risk. | Very High: SMS fees plus lockout support tickets. |
Mandated TOTP App | Medium: Protects against remote password attacks but not real-time phishing. | High: Requires opening a separate app and typing a code. | Very High: Lost device often means lockout and complex recovery. | Low: Keys are bound to the device unless manually backed up. | High: Driven by device loss and recovery tickets. |
Mandated Push Notifications | Low: Highly vulnerable to MFA fatigue and push bombing attacks. | Low: A simple tap to approve, but can be disruptive. | Very High: Tied to a specific device; loss of device requires a full, complex recovery process. | Low: Keys are bound to the app installation and do not transfer to a new device automatically. | High: Generates support tickets from device loss and MFA fatigue attacks. |
Mandated Passkeys | Very High: Phishing-resistant by design due to origin binding. | Very Low: Single, fast biometric gesture or PIN. | Low: Synced across user's devices via platform provider. | Very High: Seamlessly available on new devices via cloud sync. | Very Low: Drastically reduces lockouts and eliminates SMS costs. |
How Passkeys Provide Solutions to Mandated MFA Pain Points
Persona | Top Pain Point with Mandated MFA | How Passkeys Provide the Solution |
---|---|---|
Product Manager | High friction in login and recovery processes harms the user experience, reduces engagement, and lowers conversion rates. | Passkeys offer a one-tap, biometric login that is significantly faster than passwords. By virtually eliminating account lockouts, they remove a major source of user frustration and churn. |
CTO / Head of Engineering | The high operational cost of helpdesk tickets for password and MFA resets, coupled with recurring costs for SMS OTPs, strains budgets and IT resources. | Passkey syncing across devices drastically reduces the lockout scenarios that generate support tickets. Eliminating SMS OTPs provides direct, measurable cost savings. |
CISO / Security Professional | Users, when forced to enroll, often choose the weakest, most phishable MFA method available (like SMS), which undermines the intended security uplift of the mandate. | Passkeys are phishing-resistant by design. They elevate the security baseline for all users by making the most secure option also the most convenient, removing the user from the security decision. |
Project Manager | The unpredictability of a "big bang" rollout, coupled with user resistance to change, makes project timelines and resource allocation difficult to manage. | A phased passkey rollout (starting in settings, then prompting post-login) combined with clear, benefit-driven user communication makes adoption smoother and more predictable, reducing project risk. |
The era of mandated Multi-Factor Authentication is here to stay. While born from the critical need to defend against credential-based attacks, these mandates have inadvertently created a new landscape of challenges.
We've seen that enforcing MFA introduces significant operational burdens, from the direct costs of SMS fees to the surge in helpdesk tickets from users struggling with enrollment and device changes. We've learned that when given a choice, users gravitate towards familiar but phishable methods like SMS, achieving compliance on paper but leaving the organization exposed to real-world attacks. Most critically, we've established that in a mandated world, account recovery becomes the single biggest point of failure, a source of immense user frustration and a gaping security hole when handled improperly.
Legacy MFA methods cannot solve these problems. But passkeys can. We've demonstrated that passkeys are the definitive answer, directly solving the interconnected issues of recovery, user friction, and security. Their synced nature eliminates most lockout scenarios, their biometric ease-of-use removes the incentive to choose weaker options, and their cryptographic design makes them immune to phishing. Finally, we've laid out a clear, four-step blueprint, from auditing readiness to measuring success, that provides a practical path for any organization to make this strategic transition.
To view this shift solely as a compliance headache is to miss the strategic opportunity it presents. The pioneers of Strong Customer Authentication in European banking, despite initial struggles, ultimately shaped user expectations for an entire industry. Today, the pioneers of passkeys have the same opportunity. By embracing this transition, organizations can transform a security mandate from a burdensome obligation into a powerful and lasting competitive advantage. The time to plan your move from mandate to momentum is now.