Migrating to Passkey MFA: Hardening Identity in the Enterprise

Multi-factor authentication (MFA) is the single most effective defense against credential theft. However, not all MFA methods are created equal. SMS-based MFA and push notifications are vulnerable to SIM swapping and MFA fatigue attacks.

This post outlines our journey migrating 500+ employees to passwordless, phish-resistant FIDO2 passkeys.

Why Passkeys?

FIDO2 passkeys offer cryptographic security that makes phishing technically impossible. Unlike traditional codes, a passkey:

  • Is tied to the domain: The browser will not allow a user to sign in with a passkey on a spoofed/phishing site.
  • Requires biometric verification: Requires Touch ID, Face ID, or a hardware security key PIN.
  • No shared secrets: The server only stores a public key, meaning a server-side breach does not compromise user credentials.

Migration Steps

Transitioning an entire enterprise required a phased rollout:

  1. Pilot Group: Enrolled IT and security teams first to gather initial feedback.
  2. SSO Integration: Updated our primary identity provider (Okta/Entra ID) configuration to promote WebAuthn options.
  3. Hardware provisioning: Distributed physical YubiKeys to employees without compatible biometric devices.

By enforcing phish-resistant credentials, we’ve significantly reduced our identity attack surface.

← Back to writing