Multi-factor authentication (MFA) is the single most effective defense against credential theft. However, not all MFA methods are created equal. SMS-based MFA and push notifications are vulnerable to SIM swapping and MFA fatigue attacks.
This post outlines our journey migrating 500+ employees to passwordless, phish-resistant FIDO2 passkeys.
Why Passkeys?
FIDO2 passkeys offer cryptographic security that makes phishing technically impossible. Unlike traditional codes, a passkey:
- Is tied to the domain: The browser will not allow a user to sign in with a passkey on a spoofed/phishing site.
- Requires biometric verification: Requires Touch ID, Face ID, or a hardware security key PIN.
- No shared secrets: The server only stores a public key, meaning a server-side breach does not compromise user credentials.
Migration Steps
Transitioning an entire enterprise required a phased rollout:
- Pilot Group: Enrolled IT and security teams first to gather initial feedback.
- SSO Integration: Updated our primary identity provider (Okta/Entra ID) configuration to promote WebAuthn options.
- Hardware provisioning: Distributed physical YubiKeys to employees without compatible biometric devices.
By enforcing phish-resistant credentials, we’ve significantly reduced our identity attack surface.