{"id":20872,"date":"2026-07-07T04:30:00","date_gmt":"2026-07-07T04:30:00","guid":{"rendered":"https:\/\/www.securitytoday.de\/?p=20872"},"modified":"2026-07-09T16:05:13","modified_gmt":"2026-07-09T16:05:13","slug":"passkeys-in-the-enterprise-the-end-of-the-password","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2026\/07\/07\/passkeys-in-the-enterprise-the-end-of-the-password\/","title":{"rendered":"Passkeys in the Enterprise: The End of the Password"},"content":{"rendered":"<p><strong>The password is the vulnerability everyone knows about and few manage to eliminate. Passkeys step in to replace it by binding authentication to a device and a biometric factor. For companies, rollout is less a technology issue than a deployment question. The technology is ready-the challenge is clean execution.<\/strong><\/p>\n<div style=\"background:#003340;color:#fff;padding:32px 36px;margin:32px 0;border-radius:8px;\">\n<p style=\"margin:0 0 18px;font-size:0.95em;font-weight:800;text-transform:uppercase;letter-spacing:0.2em;color:#69d8ed;border-bottom:2px solid rgba(105,216,237,0.25);padding-bottom:12px;\">Key Points in Brief<\/p>\n<ul style=\"margin:0;padding-left:22px;line-height:1.6;color:rgba(255,255,255,0.92);\">\n<li style=\"margin-bottom:10px;\"><strong style=\"color:#69d8ed;\">No more shared secret:<\/strong> Passkeys use a key pair. The private part never leaves the device-there is no password to intercept.<\/li>\n<li style=\"margin-bottom:10px;\"><strong style=\"color:#69d8ed;\">Phishing falls flat:<\/strong> Because the key is bound to the real domain, fake login pages do not work.<\/li>\n<li style=\"margin-bottom:0;\"><strong style=\"color:#69d8ed;\">Recovery is the critical point:<\/strong> What happens when a device is lost determines the success of the rollout.<\/li>\n<\/ul>\n<\/div>\n<h2>Why Passkeys Beat the Password<\/h2>\n<p><strong>What is a Passkey?<\/strong> A passkey is a cryptographic authentication method that replaces a password with a key pair. The private key remains securely on the user&#8217;s device; the public key is stored with the service. Authentication is confirmed locally via biometrics or device PIN.<\/p>\n<div data-element=\"definition_box\" style=\"background:#23261f;border:1px solid rgba(105,216,237,0.22);border-radius:10px;padding:20px 24px;margin:32px 0;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 2px 10px rgba(0,0,0,0.22);\">\n<p style=\"margin:0 0 8px;font-family:'IBM Plex Mono',ui-monospace,SFMono-Regular,monospace;font-size:0.72em;letter-spacing:0.12em;text-transform:uppercase;color:#69d8ed;\">Definition &middot; Passkey<\/p>\n<p style=\"margin:0;color:#e6e3da;line-height:1.6;\">A cryptographic authentication method that replaces a password with a key pair. The private key remains on the user&#8217;s device; the public key resides with the service. Authentication is verified locally via biometrics or device PIN.<\/p>\n<\/div>\n<p>The security gain results from eliminating the shared secret. A password can be guessed, intercepted, or stolen from a database. A passkey carries no such value on the server, because only the public part is stored there, which an attacker cannot use. Even a successful breach into the user database yields no usable login credentials.<\/p>\n<h2>The Built-in Phishing Protection<\/h2>\n<p>Perhaps the greatest advantage is the domain binding. A passkey for the real company site cannot be used on a cloned phishing site because the protocol verifies the remote party. This removes the foundation from the most common attack vector against access credentials.<\/p>\n<p>For security officers this is a strong argument. Many incidents begin with phished credentials. This exact chain breaks when no interceptable secret exists anymore. The protection works without employees needing to be trained to recognize phishing. It is built into the protocol, not into individual vigilance. This is a fundamental difference from classic second factors such as one-time codes, which can still be intercepted.<\/p>\n<h2>Where Rollout Gets Stuck<\/h2>\n<p>The honest view: The hardest part is not the login, but recovery. If a device is lost, a secure way back into the account is required-one that does not itself become the new vulnerability. Falling back to the old password as an emergency exit would nullify the benefit, because the attacker would simply use that route.<\/p>\n<p>In the enterprise, device management and mixed platforms come into play. Users work on Windows machines, Macs, and smartphones from various manufacturers. Passkeys must remain usable across these devices without security suffering. This decides whether the rollout succeeds in everyday operations or fails due to practical hurdles.<\/p>\n<h2>How Rollout Succeeds Step by Step<\/h2>\n<p>A clean rollout plan does not begin with disabling the password, but with establishing recovery. First, it is defined how a user can securely regain access to their account after device loss-for example, via a second registered device or a controlled process through IT support with rigorous identity verification. Only once this path is in place does the rest follow.<\/p>\n<div data-element=\"checklist\" style=\"background:#23261f;border:1px solid rgba(105,216,237,0.22);border-radius:10px;padding:22px 24px;margin:32px 0;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 2px 10px rgba(0,0,0,0.22);\">\n<p style=\"margin:0 0 12px;font-family:'IBM Plex Mono',ui-monospace,SFMono-Regular,monospace;font-size:0.72em;letter-spacing:0.12em;text-transform:uppercase;color:#69d8ed;\">Rollout Plan in Stages<\/p>\n<ul style=\"margin:0;padding-left:0;list-style:none;\">\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Define recovery process (second device or verified IT support)<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Initially offer passkeys in addition to the existing method<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Users get used to the login; IT gathers device experience<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Finally disable the password for secured accounts<\/li>\n<\/ul>\n<\/div>\n<p>Passkeys are then initially offered in addition, running in parallel to the existing method. Users register their passkey and become accustomed to the login while IT collects experience with the company&#8217;s own devices. In the final stage the password is disabled for the secured accounts. This staged approach is safer than an abrupt switch because it tests the critical recovery process before it is needed in an emergency.<\/p>\n<h2>What Passkeys Mean for Compliance<\/h2>\n<p>Passkeys are not only a convenience gain but directly contribute to regulatory requirements. Regulations such as NIS2 demand effective measures against unauthorized access. A phishing-resistant authentication method delivers precisely that. Those who technically eliminate the most common cause of breaches can demonstrate this to regulators.<\/p>\n<p>For leadership, this is an argument that reaches beyond IT. A single successful phishing attack can trigger a costly incident. An authentication method that neutralizes phishing within the protocol measurably reduces this risk and at the same time strengthens defensibility toward auditors and insurers.<\/p>\n<h2 style=\"padding-top:64px;margin-bottom:20px;\">Frequently Asked Questions<\/h2>\n<p class=\"st-faq-hint\">Each question is closed. Tapping unlocks the answer.<\/p>\n<details>\n<summary><strong>What distinguishes a passkey from a password?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">A password is a shared secret that can be transmitted and stolen. A passkey uses a key pair whose private part never leaves the device. Only the useless public part is stored on the server.<\/p>\n<\/details>\n<details>\n<summary><strong>Does a passkey really protect against phishing?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Yes. The passkey is bound to the real domain and does not work on forged pages. This strips the most common method of harvesting credentials of its effectiveness.<\/p>\n<\/details>\n<details>\n<summary><strong>What happens if the device is lost?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">This requires a previously defined recovery path, for example a second registered device or a secure backup method. This path is the most critical part of the rollout.<\/p>\n<\/details>\n<details>\n<summary><strong>Do all passwords have to disappear immediately?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">No. A staged rollout plan that initially offers passkeys in addition is more practical than an abrupt switch, especially with mixed platforms.<\/p>\n<\/details>\n<details>\n<summary><strong>Are passkeys also suitable for companies with many devices?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Yes, but they require well-considered device management and clear recovery rules. With these prerequisites they can also be rolled out in large environments.<\/p>\n<\/details>\n<p>\n<!--ST-LOWER-CARDS lang=en--><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">Editor&#8217;s Picks<\/h3>\n<p><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/05\/07\/adaptive-mfa-nis2-pressure-as-a-zero-trust\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/05\/adaptive-mfa-nis2-bsi-zero-trust-mittelstand-fido2-2026-hero-250x167.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Adaptive MFA: NIS2 Pressure as a Zero-Trust<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/07\/07\/if-a-phone-call-stops-car-production\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/cover-hero-1-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">When a Phone Call Halted Car Production<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/07\/05\/what-is-nis2-definition-obligations-and-liability\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/was-ist-nis2-cover-hero-1-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">What Is NIS2? Definition, Obligations, and Liability<\/span><\/span><\/a><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">More from the MBF Media Network<\/h3>\n<p><a href=\"https:\/\/www.cloudmagazin.com\/en\/2026\/06\/29\/kritis-in-the-cloud-what-secures-the-migration\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-kritis-cloud-migration-c5-nis2-dachgeset-70478771.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#0bb7fd;margin-bottom:5px;\">cloudmagazin<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">KRITIS in the Cloud: What Secures the Migration<\/span><\/span><\/a><a href=\"https:\/\/mybusinessfuture.com\/en\/the-ai-oversight-in-germany-now-has-an-address\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-die-ki-aufsicht-in-deutschland-hat-jetzt-91048899-250x141.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#aa8ac2;margin-bottom:5px;\">MyBusinessFuture<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">The AI oversight in Germany now has an address<\/span><\/span><\/a><a href=\"https:\/\/www.digital-chiefs.de\/en\/the-ai-writes-the-code-who-is-liable-for-it\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-ki-generierter-code-haftung-governance-r-68881977-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#e8828d;margin-bottom:5px;\">Digital Chiefs<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">The AI writes the code. Who is liable for it?<\/span><\/span><\/a><!--\/ST-LOWER-CARDS--><\/p>\n","protected":false},"excerpt":{"rendered":"Passkeys replace passwords with a key pair and remove the foundation for phishing. What matters when implementing them in a company.","protected":false},"author":10,"featured_media":20777,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"Passkeys","_yoast_wpseo_title":"Passkeys in the Enterprise: The End of the Password","_yoast_wpseo_metadesc":"Discover how passkeys replace passwords with secure key pairs, eliminating phishing risks. Learn key steps for seamless enterprise implementation.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/passkeys-unternehmen-passwortlos-cover-hero-1.jpg","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/passkeys-unternehmen-passwortlos-cover-hero-1.jpg","_yoast_wpseo_twitter-image-id":0,"evm_cvss":0,"evm_risk":0,"evm_casefile":"","evm_primary_cve":"","_evm_translation_lang":"","featured_post":0,"featured_post_sortierung":0,"_wp_old_slug":[],"footnotes":""},"categories":[254],"tags":[],"class_list":["post-20872","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-praxis-umsetzung"],"evm_reading_time_minutes":6,"wpml_language":"en","wpml_translation_of":17951,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/20872","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=20872"}],"version-history":[{"count":2,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/20872\/revisions"}],"predecessor-version":[{"id":20984,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/20872\/revisions\/20984"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/20777"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=20872"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=20872"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=20872"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}