ACE Journal

Passkey Deployment in the Enterprise - Real Friction Points

Abstract

The FIDO2/WebAuthn passkey standard has achieved consumer platform support across Apple, Google, and Microsoft ecosystems, and a wave of major services completed passkey rollouts through 2024-2025. Enterprise adoption is lagging for structural reasons that go beyond IT conservatism. This article examines the concrete friction points - account recovery, device lifecycle management, managed device policies, and identity provider integration - that security teams encounter when moving from a pilot to full enterprise passkey deployment.

Account Recovery Without a Password

The hardest problem in enterprise passkey deployment is not the happy path - it is what happens when a user loses their authenticating device. Consumer passkeys solve this with cloud-synced credential vaults: Apple syncs passkeys via iCloud Keychain, Google via Password Manager. In enterprise settings, syncing passkeys to a personal cloud account is often policy-prohibited, and enterprise managed passkeys backed by hardware security keys (YubiKey 5 series, Google Titan) are bound to the physical device. The result is that account recovery requires an explicit second-factor or backup credential path. Most enterprise identity providers (Okta, Microsoft Entra ID, Ping Identity) now support passkeys as a phishing-resistant authenticator, but their recovery flows still default to email or SMS - defeating the phishing-resistance guarantee for the recovery path. Designing recovery around a second hardware key, or a time-delayed recovery with identity verification, adds friction that helpdesk teams and end users push back against.

Managed Device and MDM Integration Gaps

On managed Windows and macOS endpoints, platform passkeys (Windows Hello, macOS Secure Enclave) integrate with the OS credential store, which is generally accessible only through the device’s TPM or Secure Enclave. Mobile Device Management (MDM) solutions have inconsistent support for passkey lifecycle events. When a managed device is wiped, offboarded, or transferred, the associated passkeys are lost - there is no MDM API on iOS or Android that allows enterprise administrators to enumerate, revoke, or transfer individual passkeys. This creates a gap between the SCIM provisioning model that enterprise identity systems use for user lifecycle management and the passkey reality on the device. Organizations running Jamf, Intune, or VMware Workspace ONE are managing around this gap with process controls rather than technical ones.

Identity Provider Integration in Practice

Integrating passkeys with an enterprise IdP for SSO flows requires WebAuthn relying party (RP) registration at the IdP, careful handling of the rpId scope (which determines which origins can consume the credential), and FIDO metadata validation for hardware authenticators. The rpId scoping issue is non-trivial in enterprises with multiple domains and subdomains: a passkey registered to accounts.example.com is not usable at legacy.example.com without either related-origin requests (a newer WebAuthn L3 feature with limited implementation support) or a separate registration. Organizations consolidating onto a single IdP domain simplify this significantly; those with fragmented identity estates face substantial re-registration burden during migration. The practical advice for teams starting in 2026 is to pilot with a single application and a single authenticator class, measure helpdesk call volume, and use that data to set realistic fleet rollout timelines before committing to a hard password deprecation date.