Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Passkey adoption at scale: what IAM teams still need to fix


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9773
Topic starter  

TL;DR: Passkey deployment succeeds when organisations close the gap between stronger authentication and user understanding, using standardised workflows, phased rollout, and proactive support, according to Bitwarden’s summit coverage of Foot Locker’s experience. The practical challenge is not cryptography, but operational adoption: users need clear explanations, consistent process, and backup options that do not undermine policy.

NHIMG editorial — based on content published by Bitwarden: passkey rollout guidance from the 2025 Open Source Security Summit

Questions worth separating out

Q: How should organisations roll out passkeys without overwhelming users?

A: Use a phased rollout with one standard enrolment flow, clear plain-language guidance, and support materials in multiple formats.

Q: Why do passkey programmes still need strong support and education?

A: Because most users do not think in cryptographic terms.

Q: What breaks when password fallback remains too easy after passkey rollout?

A: The organisation preserves a weaker authentication path that users can choose instead of the stronger one.

Practitioner guidance

  • Standardise the enrolment journey Choose one primary authenticator path, define the enrolment steps in plain language, and remove avoidable variation across teams and geographies.
  • Train support staff before broad rollout Make the security and help desk teams fluent in backup passkeys, storage locations, device loss handling, and common user confusion points before expansion.
  • Run phased adoption rings Start with a small internal cohort, expand to a department, then scale organisation-wide after each ring exposes the process gaps that need refinement.

What's in the full article

Bitwarden's full article covers the operational detail this post intentionally leaves for the source:

  • Practical examples of how Foot Locker communicated passkeys to non-technical users in a way that reduced confusion.
  • The workflow decisions behind a standardised enrolment path, including how users were guided to create and store passkeys.
  • The support playbook used for backup passkeys, recovery questions, and the transition away from SMS-based authentication.
  • Recommendations for using automation and policy to remove weaker authentication from privileged accounts after enrolment.

👉 Read Bitwarden's passkey rollout guidance from the 2025 Open Source Security Summit →

Passkey adoption at scale: what IAM teams still need to fix?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9257
 

User adoption is the control plane for passkey success. The article makes clear that the problem is not user resistance in the abstract, but the gap between stronger authentication and the language people use to understand it. That gap determines whether passkeys are trusted, enrolled, and retained, which makes communication a governance control rather than a soft skill. For IAM teams, the practical conclusion is that rollout quality depends on comprehension quality.

A few things that frame the scale:

  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
  • Another finding from the same research shows that 97% of NHIs carry excessive privileges, which broadens the attack surface when governance is weak.

A question worth separating out:

Q: Who should require passkeys first in an identity programme?

A: Privileged users and high-risk accounts should be first in line because their access carries greater impact if compromised. Requiring passkeys for those roles ensures the strongest control is applied where the downgrade cost is highest and where weaker fallback options are least defensible.

👉 Read our full editorial: Passkey rollout still fails when user understanding lags technology



   
ReplyQuote
Share: