Last Updated: June 8, 2026
What are passkeys? Passkeys are a passwordless login credential built on the FIDO2 and WebAuthn standards. Instead of a shared secret you type, a passkey uses a cryptographic public-private key pair: the private key stays locked on your device or hardware security key, and the website only ever stores the public key. Because nothing reusable crosses the network and the credential is bound to the real website origin, passkeys cannot be phished, reused, or stolen in a server breach. They are the strongest, most phishing-resistant form of authentication available in 2026.
Key Takeaways
- Passkeys replace passwords with FIDO2/WebAuthn key pairs that are immune to phishing, credential stuffing, and server-breach theft.
- WebAuthn, FIDO2, and CTAP2 are the standards underneath. A passkey is the user-facing credential they produce.
- Two flavors: synced passkeys (iCloud Keychain, Google Password Manager) for convenience, and device-bound hardware keys (YubiKey, Google Titan) for high-privilege accounts.
- Compliance driver: CMMC 2.0, NIST 800-171 Rev 3, HIPAA, PCI DSS 4.0, and the FTC Safeguards Rule all push toward phishing-resistant MFA, which FIDO2/passkeys satisfy.
- Petronella Technology Group, Inc. has protected 2,500+ businesses with zero client breaches across its managed security program and deploys passkeys as part of a complete zero trust rollout.
The End of Passwords: Why Passkeys Matter for Business
Passwords are the weakest link in enterprise security. Despite decades of password policies, training, and managers, credential-based attacks account for over 80% of breaches. Passkeys, built on the FIDO2 and WebAuthn standards, eliminate this entire attack category by replacing passwords with cryptographic key pairs.
Unlike passwords, passkeys cannot be phished, cannot be reused across sites, and cannot be stolen from a server breach. They represent the most significant authentication improvement since multi-factor authentication.
Understanding the Technology Stack
WebAuthn (Web Authentication API)
WebAuthn is the W3C standard that enables web applications to use public-key cryptography for authentication. It defines how browsers and servers communicate during registration and authentication ceremonies.
FIDO2
FIDO2 is the umbrella specification that combines WebAuthn (the browser API) with CTAP2 (Client to Authenticator Protocol), which defines how authenticators (security keys, phones, biometric readers) communicate with the browser.
Passkeys
Passkeys are the user-facing implementation of FIDO2 credentials. They can be device-bound (stored on a specific hardware key) or synced (backed up across devices via iCloud Keychain, Google Password Manager, or 1Password).
How It Works
- Registration: The user's device creates a public-private key pair. The public key is sent to the server. The private key stays on the device
- Authentication: The server sends a challenge. The device signs it with the private key. The server verifies the signature with the stored public key
- Result: No shared secret ever crosses the network. Nothing reusable is stored on the server
Security Advantages Over Passwords and Traditional MFA
| Attack Type | Passwords | Password + SMS MFA | Password + TOTP | Passkeys |
|---|---|---|---|---|
| Phishing | Vulnerable | Vulnerable | Vulnerable | Immune |
| Credential stuffing | Vulnerable | Partially protected | Partially protected | Immune |
| Server breach (credential theft) | Vulnerable | Vulnerable (passwords exposed) | Vulnerable (passwords exposed) | Immune (no secrets on server) |
| SIM swapping | N/A | Vulnerable | Not affected | Immune |
| Man-in-the-middle | Vulnerable | Vulnerable | Vulnerable | Immune (origin-bound) |
| Brute force | Vulnerable | Mitigated | Mitigated | Immune |
The key insight is that passkeys are phishing-resistant by design. The credential is cryptographically bound to the specific website origin, so it cannot be used on a look-alike phishing domain.
Types of Passkeys and Security Keys
Platform Authenticators (Built-in)
- Apple Face ID/Touch ID: Passkeys synced via iCloud Keychain across Apple devices
- Windows Hello: Biometric or PIN-based authentication tied to the Windows device
- Android biometrics: Passkeys synced via Google Password Manager
Roaming Authenticators (External Hardware)
- YubiKey 5 Series: USB-A, USB-C, NFC. Supports FIDO2, PIV, OTP. Industry standard. $45-75
- YubiKey Bio: Fingerprint reader built into the key. $90-95
- Google Titan Key: USB-C + NFC. $30. Good budget option
- Feitian ePass: Various form factors including Bluetooth. Budget-friendly options from $15
Passkeys and Compliance: Meeting Phishing-Resistant MFA Mandates
The shift to passkeys is not only a security upgrade. It is fast becoming a compliance requirement. Regulators and frameworks now distinguish between ordinary multi-factor authentication and phishing-resistant MFA, and FIDO2/WebAuthn passkeys are the clearest way to satisfy the higher bar. For regulated organizations across the Research Triangle and nationwide, this is one of the highest-leverage controls you can deploy.
| Framework | What it asks for | How passkeys help |
|---|---|---|
| CMMC 2.0 / NIST 800-171 Rev 3 | Identification & Authentication (IA) controls, including multifactor and replay-resistant authentication for privileged and network access | FIDO2 is replay-resistant and phishing-resistant by design, directly supporting IA family controls and SPRS scoring |
| HIPAA Security Rule | Access controls and authentication safeguards for systems holding ePHI | Passkeys remove shared passwords from EHR and portal logins, reducing the largest cause of healthcare account compromise |
| PCI DSS 4.0 | Phishing-resistant MFA for access to the cardholder data environment (req. 8) | Hardware security keys and platform passkeys meet the phishing-resistant standard PCI explicitly favors |
| FTC Safeguards Rule | MFA for any individual accessing customer information | Passkeys provide compliant MFA with far less user friction than SMS or app codes |
| CISA guidance | Phishing-resistant MFA recommended for all critical systems | CISA names FIDO2/passkeys as the gold standard of MFA |
As Craig Petronella, CMMC Registered Practitioner and author of the CMMC 2.0 Certification Guide, often tells defense-contractor clients: an auditor does not just want to see that you have MFA; they want to see MFA that a determined attacker cannot trick a user into bypassing. That is precisely what FIDO2 delivers.
For organizations targeting the highest assurance level, NIST 800-63B identifies hardware-backed FIDO2 authenticators as one of the few methods that can meet Authenticator Assurance Level 3 (AAL3), the tier expected for the most sensitive systems and privileged administrative access. Building toward AAL3 now positions defense contractors, healthcare practices, and financial firms ahead of where most frameworks are clearly heading.
Enterprise Deployment Strategy
Phase 1: Assessment (Weeks 1-2)
- Audit current authentication methods across all applications
- Identify applications that support FIDO2/WebAuthn
- Assess user device capabilities (biometrics, USB ports, NFC)
- Define the target authentication architecture
Phase 2: Pilot (Weeks 3-6)
- Select a pilot group (IT staff and willing early adopters)
- Deploy hardware security keys to pilot users
- Enable passkey authentication on 2-3 critical applications
- Collect feedback on user experience and issues
Phase 3: Rollout (Weeks 7-16)
- Expand to all users department by department
- Enable passkeys on remaining compatible applications
- Set password-optional or password-free policies where supported
- Update help desk procedures for passkey-related support
Phase 4: Enforcement (Ongoing)
- Require passkeys for high-privilege accounts
- Phase out SMS-based MFA
- Monitor adoption metrics and address holdouts
- Update security policies to reflect passkey requirements
Implementation Considerations
Synced vs. Device-Bound Passkeys
Synced passkeys (iCloud, Google) prioritize user convenience by working across devices automatically. Device-bound passkeys (hardware security keys) prioritize security by ensuring the credential never leaves the physical device. Most enterprises benefit from a hybrid approach: synced passkeys for general staff, hardware keys for privileged accounts.
Account Recovery
The biggest challenge in passkey deployment is account recovery. If a user loses their security key and has no backup authenticator, they are locked out. Solutions include:
- Require registration of at least two authenticators
- Provide a secure recovery process (in-person identity verification)
- Use synced passkeys as a backup alongside hardware keys
- Maintain a supervised recovery station with manager approval
Compatibility
As of 2026, passkey support is widespread but not universal. Major platforms (Google Workspace, Microsoft 365, Okta, Duo, AWS, GitHub) all support FIDO2. Legacy applications may require identity provider integration or wrapper solutions.
Cost-Benefit Analysis
| Factor | Passwords + MFA | Passkeys + Hardware Keys |
|---|---|---|
| Hardware cost per user | $0 | $50-100 (2 keys) |
| Password reset costs/year | $200-500 per user | $0 |
| Phishing incident risk | High | Near zero |
| User friction | High (complex passwords, MFA prompts) | Low (biometric or tap) |
| Help desk tickets | 30-50% are password-related | Minimal after deployment |
For most organizations, the hardware key investment pays for itself within 6-12 months through reduced password reset costs and eliminated phishing incidents alone.
According to CISA's MFA guidance, phishing-resistant MFA (which includes FIDO2/passkeys) is the strongest form of multi-factor authentication available and is recommended for all critical systems.
How Petronella Technology Group Deploys Passkeys
Rolling out passkeys across a real organization is less about the technology and more about sequencing, recovery design, and user adoption. Petronella Technology Group, Inc. has spent 24+ years helping Raleigh, Durham, and Triangle-area businesses, plus clients nationwide, move off fragile password-and-SMS authentication and onto phishing-resistant credentials, with zero client breaches across its managed security program.
A typical PTG passkey engagement runs inside a broader zero trust rollout and includes:
- Authentication audit and identity provider readiness: we map every application against FIDO2/WebAuthn support and tie passkeys to your Microsoft 365, Google Workspace, or Okta tenant so coverage is centralized, not application-by-application guesswork.
- Hardware key provisioning for privileged accounts: domain admins, finance, and executives get device-bound keys (typically two each) before any password-optional policy is switched on.
- Recovery architecture: we design dual-authenticator enrollment and a supervised recovery process so nobody is permanently locked out, the single most common reason passkey projects stall.
- Continuous monitoring through our Managed XDR Suite and 24/7 SOC: passkeys close the credential-theft door, and our SOC watches for the lateral-movement and session-hijack techniques attackers pivot to next.
- Security awareness training: our simulated phishing program reinforces why the new login flow exists and measures the drop in successful lures after rollout.
Craig Petronella, MIT-certified cybersecurity professional, NC Licensed Digital Forensics Examiner, and expert witness, leads this work with the same forensic perspective he brings to breach investigations: design the control so that even a convincing phishing site or a stolen session cannot reuse the credential.
"Saved my digital wallets! They were professional, responsive, and extremely thorough in securing my digital accounts. It's rare to find someone who is both highly technical and approachable, good thing Craig is both."
- Amaw Shah, TrustIndex verified review
Ready to Go Passwordless Without Locking Anyone Out?
PTG plans, pilots, and enforces phishing-resistant passkeys across your stack, with recovery designed in from day one. Backed by a 30-day results promise and no long-term contracts.
Integration with Zero Trust
Passkeys are a foundational component of zero trust architecture. They provide strong, phishing-resistant authentication that can be combined with device posture checks, conditional access policies, and continuous verification for a comprehensive zero trust implementation. Pairing FIDO2 logins with continuous monitoring is also how regulated clients keep CMMC 2.0 and HIPAA access controls audit-ready year round.
Common Passkey Rollout Mistakes (and How to Avoid Them)
In our 24 years securing Triangle-area and national clients, the same handful of mistakes account for most stalled passkey projects. Knowing them in advance is the difference between a four-month rollout and a project that quietly dies after the pilot.
- Enrolling only one authenticator. A single device-bound key with no backup is a help-desk emergency waiting to happen. Always require two authenticators per user before enforcing passkey-only access.
- Turning off passwords too early. Disabling password fallback before every critical application supports FIDO2 strands users who hit a legacy system. Phase enforcement application by application, not all at once.
- Ignoring the identity provider. Treating passkeys as an app-by-app setting multiplies the work and the gaps. Anchoring passkeys at the Microsoft 365, Google Workspace, or Okta layer gives you one place to manage policy and one place to audit.
- No supervised recovery path. Account recovery is the single most exploited weakness in any authentication system. If your recovery process is a quick phone call to the help desk, an attacker can social-engineer their way back in and undo the protection passkeys provide.
- Skipping the human side. Users who do not understand why the login changed will look for shortcuts. Pairing rollout with security awareness training keeps adoption high and support tickets low.
What Passkeys Do Not Solve
Strong authentication is necessary but not sufficient. Honest security advice means being clear about the limits. Passkeys close the credential-theft and phishing doors, but they do not, on their own, address:
- Session hijacking after login. Once a session token is issued, an attacker who steals it can still ride the authenticated session. This is why PTG pairs passkeys with conditional access, short session lifetimes, and continuous verification.
- Authorization and least privilege. Passkeys prove who you are, not what you should be allowed to do. Over-permissioned accounts remain a risk regardless of how they authenticate.
- Endpoint compromise. A device riddled with malware can abuse a legitimately authenticated session. Endpoint detection and response through our Managed XDR Suite covers that gap.
- Insider misuse. A trusted user with a valid passkey can still exfiltrate data. Monitoring, data loss prevention, and the 24/7 SOC remain essential.
This is exactly why passkeys belong inside a layered cybersecurity program rather than being treated as a single silver-bullet control. The strongest results come from combining phishing-resistant authentication with monitoring, least privilege, and a workforce that knows what good security looks like.
Frequently Asked Questions
What are passkeys in simple terms?
A passkey is a login credential that replaces your password with a pair of cryptographic keys. The private key stays on your phone, laptop, or hardware security key and never leaves it. The website keeps only the matching public key. You sign in with a fingerprint, face scan, PIN, or a tap of a security key, and there is no password for an attacker to steal or phish.
What is the difference between FIDO2, WebAuthn, and a passkey?
WebAuthn is the browser API, FIDO2 is the broader standard that pairs WebAuthn with the CTAP2 protocol used by security keys, and a passkey is the actual credential those standards create and that you use to log in. In short: FIDO2 and WebAuthn are the plumbing, and a passkey is what the user experiences.
What happens if I lose my security key?
If you registered a backup authenticator (second key, synced passkey, or platform authenticator), use that to log in and register a replacement. If you have no backup, contact your IT administrator for supervised account recovery. This is why registering two authenticators is critical, and why PTG designs recovery into every deployment.
Are passkeys more secure than authenticator apps?
Yes. Authenticator apps (TOTP) generate codes that can be phished by real-time proxy attacks. Passkeys are cryptographically bound to the legitimate website origin, making phishing impossible regardless of how convincing the fake site looks.
Do passkeys satisfy CMMC, HIPAA, or PCI MFA requirements?
Yes. FIDO2/passkeys are recognized as phishing-resistant MFA, the strongest tier these frameworks reference. They directly support NIST 800-171 Rev 3 identification and authentication controls for CMMC 2.0, access-control safeguards under the HIPAA Security Rule, and the phishing-resistant MFA that PCI DSS 4.0 favors for the cardholder data environment.
Can passkeys work without internet?
Hardware security keys work offline because the authentication is performed locally between the key and the browser. However, the application you are authenticating to typically requires internet connectivity.
Do all applications support passkeys?
Support is growing rapidly. Major platforms (Google, Microsoft, Apple, AWS, GitHub) all support FIDO2 passkeys. Legacy applications can often be connected through identity providers like Okta or Azure AD that support passkeys at the provider level.
How do passkeys work with shared devices?
On shared devices like kiosks, hardware security keys are the best option because the credential stays on the physical key, not the shared device. Each user taps their personal key to authenticate, and no credential remains on the device after use.
What is the deployment timeline for a mid-sized company?
A typical deployment takes 3-4 months: 2 weeks for assessment, 4 weeks for pilot, 6-8 weeks for full rollout. Ongoing enforcement and optimization continue after initial deployment. Companies with simpler IT environments may complete the process faster.
Get a Free Authentication and MFA Assessment
Find out which of your applications already support passkeys, where SMS MFA is leaving you exposed, and what a phishing-resistant rollout would cost. Rated 4.8 stars by 143+ customers.
Get a Free Assessment or call 919-348-4912