Change Management Required to Rapidly Adopt Passkeys
The end-to-end process to implement support for passkeys requires careful change management. Anticipating this from the start can help to remove barriers that cause re-work or frustration. This effort requires leaders in engineering, IT, legal, product, user experience, content strategy, and marketing to manage change. For example, change management capabilities include bridging communication silos that might exist between departments or disciplines, understanding and helping to define the dependencies between departments or disciplines, cross-departmental budgeting, and cross-departmental collaboration.
Organizational buy-in
The Roll-Out Guide - Rapidly Adopt Passkeys is designed to rapidly migrate existing end users to passkeys and help ensure new accounts use passkeys as the default. This requires organization-wide buy-in, multiple presentations, and follow-up conversations with multiple departments in various regions. More specifically, this strategy requires buy-in and collaboration with marketing to coordinate marketing campaigns that accompany the initial launch of passkeys. This strategy also requires buy-in and participation from customer success and support.
For many organizations, the individual who first investigates this strategy will need to manage the passkey conversation up to their senior leadership. Then, the senior decision-maker, or a committee of decision-makers, can further research the program and ultimately approve the implementation project across multiple departments and regions around the world.
Cross-organizational planning
This strategy requires coordination of multiple teams across multiple departments to complete the tasks this integration requires. A significant amount of cross-organization planning is required for the rapid roll-out strategy. For example, the product and engineering teams will require collaboration with the risk and fraud, marketing, and customer support departments.
This strategy is applicable to multiple regions and if your organization operates in multiple regions you will need to coordinate between them.
Compliance and legal
Passkeys introduce a new authentication modality to your environment, and there are tasks you need to complete to manage the compliance, risk, and legal changes regarding digital identity and authentication. Inform your compliance and legal teams early in your process that you are investigating the use of passkeys. If they are not yet familiar with passkeys, suggest that they read Giving NIST Digital Identity Guidelines a Boost, the National Institute of Standards and Technology (NIST) guidance for passkeys. NIST guidance states that synced passkeys meet Authenticator Assurance Level 2 (AAL2). While not all organizations are required to follow NIST guidance, and NIST is an agency of the United States government, companies in many regions of the world and in various industries regularly reference NIST as an authoritative source of guidance to consider in their decision-making.
It is common for legal teams to require that their customers have the ability to remove a passkey from their account. FIDO Alliance recognizes this and has created the design pattern Remove Passkeys from Service Provider Account Settings. This design pattern is backed by user experience research and has proven to be a reliable user experience model to achieve this legal requirement when required. In addition to fulfilling the common requirement from legal teams, this design pattern increases customer trust and satisfaction by empowering people to control their security settings and remove passkeys. It can lower support costs and resources required to handle requests related to forgotten, lost, or compromised passkeys.
Information technology (IT)
As you identify technology requirements, consider the long-term vision for your authentication architecture with passkeys. For example, you might consider accounting for continued use of existing authentication modalities along with passkeys for a certain period of time. Then, the existing authentication modalities might be phased out. Another consideration is to learn how passkeys are scoped to specific domains. Even if your initial launch exists on just a few domains, you might have longer term requirements for multiple domains. For example, marketing initiatives might launch micro-sites using subdomains, or occasionally launch new domains, and some of those micro-sites might require authentication services with passkeys. This is just one of the many IT considerations when implementing passkeys.
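The domain scoping mentioned above is enforced by the browser through the WebAuthn RP ID: a passkey is bound to the RP ID chosen at registration, and that RP ID must equal the site's effective domain or be a registrable domain suffix of it (never a bare public suffix). The following is an added example, not code from the FIDO Alliance guide, that mirrors that rule so a planning team can see which micro-site origins will be able to consume a passkey. The public-suffix set, the origins, and the function names are constructed for illustration; real browsers consult the full Public Suffix List.

```javascript
// Added example (not from the FIDO roll-out guide): how a WebAuthn RP ID scopes a passkey.
// The browser enforces this rule; these checks only mirror it for planning purposes.

// ASSUMPTION: a tiny stand-in for the Public Suffix List. Real browsers use the full list.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk"]);

function isPublicSuffix(domain) {
  return PUBLIC_SUFFIXES.has(domain.toLowerCase());
}

// Returns true when a credential scoped to `rpId` may be created or used from `origin`.
function rpIdValidForOrigin(origin, rpId) {
  let url;
  try { url = new URL(origin); } catch { return false; }
  // WebAuthn requires a secure context: https, or http on localhost for development.
  const secure = url.protocol === "https:" ||
    (url.protocol === "http:" && url.hostname === "localhost");
  if (!secure) return false;
  const host = url.hostname.toLowerCase();
  const id = rpId.toLowerCase();
  if (isPublicSuffix(id)) return false;   // "com" would scope one passkey across every .com site
  if (host === id) return true;           // exact match with the effective domain
  return host.endsWith("." + id);         // rpId is a suffix: promo.example.com under example.com
}

// Given the RP ID used at registration and candidate origins, report which of
// them can consume the passkey. Useful when planning marketing micro-sites.
function originsThatCanUsePasskey(rpId, origins) {
  return origins.filter((o) => rpIdValidForOrigin(o, rpId));
}

// Constructed scenario: the main site registers passkeys under "example.com".
const REGISTRATION_RP_ID = "example.com";
const candidateOrigins = [
  "https://www.example.com",
  "https://promo.example.com",   // micro-site on a subdomain: the passkey works here
  "https://example-promo.com",   // marketing launched a new domain: it does NOT work here
  "http://www.example.com",      // not a secure context
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(originsThatCanUsePasskey(REGISTRATION_RP_ID, candidateOrigins));
  // → [ 'https://www.example.com', 'https://promo.example.com' ]
}
```

The practical consequence for IT planning: registering under the registrable domain (`example.com`) rather than a host (`www.example.com`) keeps future subdomains in scope, while any brand-new domain will need its own passkey registrations.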
Authentication policy
Some organizations utilize technologies that assess the risk of authentication events. Telemetry about the identity seeking to sign in, such as IP address, operating system version of the authenticating device, and Wi-Fi fingerprints, is processed by a set of business policies that determine the next step for an end user. The technologies might allow them to sign in, or require them to perform additional steps to sign in, or block them from signing in, while simultaneously recording this data for further analysis. The set of technologies and systems used to perform this work is commonly called a risk engine.
Because passkeys have unique security characteristics, such as phishing resistance, companies can choose to integrate passkeys with risk engine policies. For example, if an end user creates a passkey but then attempts to authenticate with a password on a device the risk engine has not previously associated with this end user, the risk engine could place limits on what kinds of transactions the end user is approved to carry out until they are identified as the correct account holder. This is just one example of the risk engine policy enhancements that the introduction of passkeys makes possible; many others can be made by following various approaches.
If your organization uses a risk engine, this roll-out strategy assumes that some initial enhancements to the risk engine policies will be made for the initial launch. After the initial launch, the risk policies can be enhanced further for user accounts that have registered passkeys.
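To make the policy idea above concrete, here is an added example of a minimal risk-engine decision function that takes passkey status into account. It is not code from the FIDO Alliance guide or from any risk engine product; the event fields, decision labels, and sample sign-in events are constructed for illustration. It goes slightly beyond the single case in the text by also showing how a passkey assertion from an unseen device and a password sign-in for an account without a passkey are treated.

```javascript
// Added example (not from the FIDO roll-out guide): a risk policy that uses passkey status.
// All field names, decision labels and sample events are constructed for illustration.

const DECISION = Object.freeze({
  ALLOW: "allow",            // full access
  STEP_UP: "step_up",        // require an additional verification step before sign-in
  RESTRICTED: "restricted",  // sign in, but limit high-risk transactions until identity is confirmed
  BLOCK: "block",
});

// Sign-in event shape (constructed):
//   { userId, method: "passkey" | "password", deviceId, ip, knownDevices: Set<string>, ipOnDenyList }
// Account profile shape (constructed): { userId, hasPasskey: boolean }
function evaluateSignIn(event, account) {
  const newDevice = !event.knownDevices.has(event.deviceId);

  if (event.ipOnDenyList) {
    return { decision: DECISION.BLOCK, reason: "source address on deny list" };
  }

  // A passkey assertion is phishing resistant and bound to the RP ID, so even
  // from an unseen device it is a stronger signal than a password from a known one.
  if (event.method === "passkey") {
    return {
      decision: DECISION.ALLOW,
      reason: newDevice ? "passkey assertion on new device" : "passkey assertion on known device",
    };
  }

  // The case from the guide: a password on a new device for an account that
  // already has a passkey. The legitimate holder would normally use the passkey,
  // so limit what this session may do until the account holder is confirmed.
  if (event.method === "password" && account.hasPasskey && newDevice) {
    return {
      decision: DECISION.RESTRICTED,
      reason: "password used on unseen device although a passkey is registered",
    };
  }

  // Password on a new device with no passkey on file: conventional step-up.
  if (event.method === "password" && newDevice) {
    return { decision: DECISION.STEP_UP, reason: "password on unseen device" };
  }

  return { decision: DECISION.ALLOW, reason: "password on known device" };
}

// Apply the policy to a batch of events and return one decision per event.
function evaluateBatch(events, accountsById) {
  return events.map((e) => ({ userId: e.userId, ...evaluateSignIn(e, accountsById.get(e.userId)) }));
}

// Constructed sample data: u1 has registered a passkey, u2 has not.
const ACCOUNTS = new Map([
  ["u1", { userId: "u1", hasPasskey: true }],
  ["u2", { userId: "u2", hasPasskey: false }],
]);
const KNOWN_U1 = new Set(["dev-A"]);
const KNOWN_U2 = new Set(["dev-B"]);
const SAMPLE_EVENTS = [
  { userId: "u1", method: "password", deviceId: "dev-Z", ip: "203.0.113.5",  knownDevices: KNOWN_U1, ipOnDenyList: false },
  { userId: "u1", method: "passkey",  deviceId: "dev-Z", ip: "203.0.113.5",  knownDevices: KNOWN_U1, ipOnDenyList: false },
  { userId: "u2", method: "password", deviceId: "dev-Z", ip: "203.0.113.5",  knownDevices: KNOWN_U2, ipOnDenyList: false },
  { userId: "u2", method: "password", deviceId: "dev-B", ip: "198.51.100.9", knownDevices: KNOWN_U2, ipOnDenyList: true },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const r of evaluateBatch(SAMPLE_EVENTS, ACCOUNTS)) console.log(r);
}
```

The ordering of the rules matters: the deny-list check runs first so that no authentication method overrides an outright block, and the passkey rule precedes the password rules so that a phishing-resistant assertion is never downgraded by the new-device heuristic. Each decision carries a reason string so the outcome can be recorded for the further analysis the guide mentions.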
User experience
The effort of change management required to optimize the user experience for the rapid roll-out strategy is significant. If not managed well, the user experience will be negatively impacted.
For example, there are passkey workflows engineers understand, but UX designers or content strategists might not. It is possible that the engineers might not have enough time, user experience knowledge, or user experience research insights to optimize the user experience of the workflows.
Another example is that changes to the authentication policy and decisions around technical architecture can affect the user experience. Also, users on different operating systems will have different experiences with passkeys, which also affects the user experience.
This is why it is important to decide whose job it is to understand, document, and resolve user experience topics that require collaboration between the product, engineering, content strategy, IT, legal, and user experience design teams. Plan for this job to be nuanced and time-consuming. You will need to communicate user experience decisions across the organization and resolve them consistently throughout it.
To help with this work, team members working on passkeys should read and follow the Design Guidelines.
As you work through the build and test phase, you will discover inconsistent technology between browsers, operating systems, and credential managers (password managers). You will encounter barriers to some passkey use cases and discover unhappy paths in the user journey. To understand these challenges in advance, reference Troubleshooting before, during, and after this phase. The Troubleshooting section contains learnings and guidance from FIDO Alliance member companies from their implementation of support for passkeys and will save you time during your own implementation.
User education
This roll-out strategy is designed to enable your end users to rapidly adopt passkeys. To achieve this goal, passkeys should be introduced to users at multiple moments throughout their journey with your organization. During each of these moments, your organization must educate and entice your end users to adopt passkeys. Most end users will rapidly make the decision to adopt passkeys. Others will want to learn more about passkeys before they make this decision.
You will need to map these user journeys and create helpful content. To assist with this, refer to Customer Communications for more information on creating user-facing support materials for passkeys.