Passkeys in Workforce Authentication

While passkey adoption has gained significant traction in Customer Identity and Access Management (CIAM), a significant opportunity remains for their application within the internal workforce. As organizations scale, the number of systems, applications, and tools employees require to do their jobs continues to increase. In this environment, ensuring that the right individuals have secure, seamless access to the right resources is a fundamental requirement for both security and operations.

In the consumer space, passkeys are often marketed as a convenience. Within the workforce, however, they serve a more strategic purpose: they bridge the gap between high-level security and employee productivity. By replacing legacy credentials with cryptographic keys, organizations can secure their expanding digital footprint without slowing down the people who power the business.

In this article we are also going to cover the following key questions regarding passkeys in the workforce:

1. Why are passwords no longer enough to protect a modern workforce?

2. How do passkeys actually work within existing enterprise systems like SSO?

3. What are the practical differences between using mobile passkeys and physical hardware keys?

In a standard legacy setup, an employee enters their username and password at a central Identity Provider (IdP). The IdP verifies this identity, often supplemented by a secondary MFA factor like an SMS code, and issues a token (such as a SAML assertion or JWT). This token acts as a digital passport, proving to other apps that the user is authenticated. While this improves the user experience by reducing the number of passwords to remember, the "shared secret" (the password) remains a significant vulnerability.

SSO with passkeys replace vulnerable secrets with a public/private key pair stored locally on the user's device.

The workflow is streamlined into three phases:

1. One-time Registration: The employee creates a passkey at the IdP. A private key is stored locally on the device, and the public key is stored at the IdP.

2. Authentication via Challenge: When logging in, the app/browser sends a challenge (random string) to the device. The device signs the challenge with the private key.

3. Assertion: The IdP verifies the signature using the public key, if correct, the user is authenticated and the usual SSO token is issued.

The transition to passkeys is driven by clear operational and security advantages. When we look at the workforce, these benefits translate directly into ROI and risk reduction.

The data supports this transition. According to the Verizon 2023 Data Breach Investigations Report, 74% of all breaches involve a human element, primarily through social engineering or stolen credentials. Furthermore, research from the FIDO Alliance indicates that passkeys can reduce sign-in times by as much as 50%, allowing IT teams to stop "fighting fires" and focus on high-value projects.

In the realm of employee identity management, device-bound passkeys stand out as a premier deployment strategy. By anchoring a passkey to a specific, often corporate-owned device, organizations ensure that credentials cannot be duplicated or synchronized with unauthorized personal hardware.

This approach aligns with security frameworks established by CISA and ENISA, which advocate for hardware-level trust and a move away from portable credentials. The strategic advantages include:

• Verified Access: Ensure authentications only originate from authorized, pre-registered hardware.

• Shadow IT Prevention: Effectively block the use of unmanaged personal devices within the corporate network.

• Rapid De-provisioning: Maintain the ability to instantly disable access in the event of hardware loss or employee offboarding.

Passkeys are most effective when managed as a dynamic identity asset rather than a one-time enrollment. In a workforce setting, the operational details like recovery, de-provisioning, and policy enforcement, are what determine the long-term success of the rollout.

To avoid "self-enrollment chaos," enrollment must be policy-driven. A standard enterprise flow involves Identity Proofing (using HR-verified credentials), a Device Trust Check (ensuring the hardware is managed and compliant), and Policy Assignment, where conditional access rules define exactly which resources the passkey can access based on metadata and risk levels.

Operational failure often happens when employees lose devices or face biometric lockouts. A best-practice recovery strategy uses two layers:

• Primary: Registering a second authenticator (e.g., a backup hardware security key).

• Administrative: A helpdesk-assisted flow with strict verification, such as manager approval. Critically, avoid falling back to insecure methods like SMS, which reintroduce the vulnerabilities passkeys were meant to solve.

When a device is lost, the response should be immediate and automated. This involves using MDM to wipe the device, revoking associated passkeys at the IdP, and invalidating all active sessions. With device-bound passkeys, a lost phone becomes a routine IT process rather than a security crisis.

Workforce access is dynamic, and passkeys should be integrated into your governance system:

• Role Transitions: Higher-risk roles should trigger "step-up" authentication or mandatory hardware-key requirements.

• Offboarding: De-provisioning must be instant. Disabling the identity at the IdP should simultaneously revoke all passkeys, invalidate tokens, and remove device trust to prevent "access leakage."

Passkeys in the workforce are rarely deployed as a standalone “feature.” In practice, they’re delivered through Workforce IAM platforms (Identity Providers and access layers) that control enrollment, authentication policies, and access to apps via SSO. While most modern vendors build on the same underlying standards (FIDO2/WebAuthn), they differ in how they operationalize passkeys: device strategy (device-bound vs synced), policy controls, recovery patterns, and how well they fit hybrid (on-prem + cloud) realities.

Microsoft is the most pervasive workforce identity player and has heavily leaned into Entra ID to push passkey adoption.

• Implementation: Microsoft supports both device-bound passkeys (tied to a specific device or security key) and synced passkeys.

• Differentiator: Deep integration with Windows Hello for Business and the Microsoft Authenticator app enables employees to use biometrics and even their phone as a FIDO2-capable authenticator for workstation and cloud access.

• Key feature: "Authentication Strengths" policies allow admins to require phishing-resistant methods (including passkeys) for specific apps, groups, or higher-risk scenarios.

Okta is the leading independent identity provider and has positioned passkeys as a cornerstone of its passwordless strategy (e.g., FastPass).

• Implementation: Okta supports passkeys across its Workforce Identity Cloud, including biometric passkeys (Touch ID/Face ID) and hardware keys (e.g., YubiKeys).

• Differentiator: Okta’s Identity Engine supports “progressive” rollout patterns, users can start with existing factors and be guided to upgrade to passkeys over time, reducing change friction.

• Key Feature: Okta emphasizes ecosystem neutrality, aiming for consistent passkey experiences across Apple, Google, and Microsoft environments.

Following the merger, Ping and ForgeRock form a strong option for large enterprises with complex, hybrid environments.

• Implementation: PingOne and ForgeRock Identity Cloud offer robust WebAuthn support (the foundation for passkeys).

• Differentiator: Strong identity orchestration capabilities, especially through Ping’s DaVinci, make it easier to design and evolve passkey enrollment and login flows via visual, policy-driven workflows.

• Key Feature: Best suited for large-scale enterprises migrating legacy systems toward passwordless without breaking existing infrastructure.

It is important to identify technical gaps, operational requirements, and the governance policies necessary to move from traditional credentials to a phishing-resistant workforce.

• Which use cases are in scope? Have you identified whether passkeys will be used for standard cloud SSO, VPN/VDI access, privileged admin consoles, or shared workstations?

• What is the required assurance level? Where is "passwordless" convenience sufficient, and where does the security policy require strict, phishing-resistant MFA?

• How do passkeys align with your compliance? Does the choice between synced and device-bound passkeys satisfy industry-specific standards like NIST 800-63B, SOC2, or NIS2?

• Is the IdP fully compatible? Does your Identity Provider (Entra ID, Okta, Ping, etc.) support WebAuthn end-to-end for all required user flows?

• Can insecure fallbacks be eliminated? Are you able to enforce passkeys without leaving "backdoors" like SMS or weak passwords available for attackers?

• Are policies granular enough? Can you create Conditional Access rules that specifically require a FIDO2 credential for high-risk applications or groups?

• Will "synced" credentials be permitted? Will you allow employees to use synced passkeys (iCloud/Google) for general access, or must all credentials be device-bound to managed hardware?

• Where will the keys live? Will you utilize the OS-level platform (Windows Hello/FaceID) or a managed enterprise password vault?

• Are MDM policies prepared? Does the mobile device management (Intune/Jamf) allow the necessary permissions for browsers and security keys to function correctly?

• How is the "First Day" trust problem solved? How will the organization verify an employee’s identity and issue their first passkey without ever relying on a password?

• Is the enrollment flow orchestrated? Is there a guided "wizard" to help users register their biometrics, or is the process dependent on self-service documentation?

• Can the enrollment device be verified? Are you able to restrict passkey registration so it only occurs on trusted, compliant, and managed hardware?

• What is the "Device Lost" protocol? Is there a secure recovery path—such as a secondary hardware key or a high-assurance helpdesk flow—that avoids falling back to insecure SMS?

• Is offboarding instant and automated? Does disabling a user in the IdP immediately revoke all associated passkeys and terminate all active sessions across the ecosystem?

• Are events being logged for security signals? Are all enrollment and authentication events being fed into a SIEM for real-time threat detection?

• Have user personas been mapped? Has the authentication journey been tested for different roles, such as developers on Linux versus field staff on mobile devices?

• What is the bridge for legacy apps? How will the organization handle legacy on-prem systems or SSH/RDP flows that do not natively support WebAuthn?

• Is there a plan to communicate the "Why"? Is there a clear internal campaign to explain the security benefits of passkeys and reduce resistance to the new login flow?

Hardware security keys are physical devices (USB, NFC, or Bluetooth) that perform cryptographic authentication. They rely on public/private key pairs, similar to passkeys, but the private key resides on the hardware security key rather than on a smartphone or laptop. Common examples include the YubiKey, Feitian, HyperFIDO, and the Google Titan Key. These devices support industry protocols like FIDO2/WebAuthn and U2F.

How They’re Used in the Workforce:

• MFA and SSO Integration: Hardware security keys can act as a second factor or replace passwords entirely when logging in via an IdP (e.g., Okta, Azure AD, Ping Identity).

• Shared Environments: In hospitals or call centers where devices are shared, employees can plug in their individual key to ensure secure, personal authentication.

• Compliance: They help meet rigorous standards like NIST SP 800-63B.

While powerful, hardware security keys come with specific management overhead:

• Costs: Each key represents a physical investment that adds up in large organizations.

• Lost Keys: Organizations must develop backup and recovery flows for misplaced hardware.

• User Training: Some employees require guidance on physical interactions like tapping NFC or plugging in USB devices.

• Managed Environment Conflicts: Enterprise MDM policies often restrict personal cloud syncing (like iCloud Keychain). This means passkeys may not move between devices as easily as they do for consumers, requiring IT-led provisioning to bridge the gap.

Corbado helps organizations introduce passkeys into workforce in a controlled, enterprise-friendly way, covering enrollment, recovery, and lifecycle management so rollouts stay secure and reliable at scale. Whether you’re prioritizing device-bound passkeys on managed endpoints, Corbado supports a consistent implementation that reduces password-related support overhead while strengthening phishing-resistant access across the workforce.

Workforce authentication is no longer just an SSO UX detail, it’s a security and productivity decision. SSO reduced password sprawl, but it still relies on shared secrets that can be phished, stolen, or reused.

Passkeys replace passwords with device-based public-key cryptography, delivering phishing-resistant MFA that fits into existing IdP/SSO flows while reducing reset tickets and speeding up logins. For most organizations, device-bound passkeys are the best default because they enforce managed-device access, reduce Shadow IT, and enable fast offboarding. Hardware security keys remain ideal for shared-device environments and strict compliance cases.

In this article we have also covered the following questions:

• Why are passwords no longer enough to protect a modern workforce? As organizations scale and "tool sprawl" increases, traditional passwords have become a critical vulnerability, accounting for 74% of human-centric breaches and creating a significant productivity drain through constant resets.

• How do passkeys actually work within existing enterprise systems like SSO? Passkeys replace vulnerable shared secrets with a public/private key-based workflow, where the user’s device signs a cryptographic challenge from the Identity Provider (IdP) to grant access to all connected apps without ever transmitting a password.

• What are the practical differences (and costs) between using mobile passkeys and physical security keys? While mobile-bound passkeys offer a cost-effective and seamless experience by utilizing an employee's existing device, physical security keys provide a more robust solution for high-security or shared-workstation environments despite the higher overhead of hardware procurement and management.