In a nutshell: Passkeys require complex federated architectures and cloud-based identity services in large enterprises, while device loss leads to immediate access lockouts.
FIDO2-based passkeys offer strong protection against phishing attacks, but they run into significant integration hurdles in established enterprise environments. In particular, the lack of support in legacy systems and the risk of account lockouts after device loss complicate an enterprise-wide migration.
Passkeys are based on asymmetric cryptography: during registration, the private key is generated locally on the endpoint device, in the Trusted Platform Module or Secure Enclave, and never leaves it. Only the public key is transmitted to the identity service. During login, the device signs a server challenge after biometric or PIN verification. Through origin binding, the WebAuthn protocol ties this authentication firmly to the specific domain: phishing via fake login pages is thus technologically neutralized, because the WebAuthn API refuses to produce a signature for the attacker's domain.
In established enterprise environments, however, massive integration barriers emerge. Passkeys were primarily developed for consumer-oriented web applications and cloud-native environments, whereas large portions of enterprise IT are based on legacy infrastructure: classic Active Directory, Kerberos, NTLM, proprietary applications, terminal interfaces, and SSH access. These systems cannot communicate with the WebAuthn API directly. To enable passkey login in these environments, enterprises must build complex federated architectures (identity federation) with cloud-based services such as Entra ID, Okta, or Ping Identity, which serve as translation layers and issue Kerberos tickets or SAML tokens for the legacy systems.
Additional complexity arises with Virtual Desktop Infrastructures (VDI) and thin clients: forwarding cryptographic signature commands from the physical endpoint via remote protocols into the virtual work environment requires specific middleware versions and causes significant latency and compatibility conflicts.
The most critical operational problem lies in account recovery after device loss. If an employee loses the company smartphone or laptop holding the registered passkey, access to all enterprise resources is immediately blocked. In the consumer space, passkeys synchronized via cloud infrastructure (such as Apple's iCloud Keychain or Google Password Manager) solve this by replicating the credential across devices. For closed enterprise environments, this solution is not immediately available, so employees depend on manual recovery processes that are time-consuming and undermine the system's protective purpose.
Source: www.it-daily.net · Published 29 June 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.7.2.