Identity 2026-03-22 5 min

Passwordless authentication: passkeys, hardware keys, and what to deploy now

Passkeys reached critical mass in 2025. The technical foundations, deployment patterns, and pitfalls for Azerbaijani enterprises that want to leave passwords behind.


Passwordless authentication eliminates the shared secret. Instead of a password traveling from user to server, the user proves possession of a private key bound to their device, unlocked locally with a biometric or PIN. The W3C WebAuthn standard and FIDO2 specifications underpin both hardware keys (YubiKey, Titan) and synced passkeys (Apple, Google, Microsoft platform credentials). Windows Hello for Business and Apple Touch ID/Face ID integrate at the OS level.

The threat-model improvement is dramatic. Phishing fails because the cryptographic challenge is bound to the legitimate origin, so a proxy on a look-alike domain cannot trick the authenticator. Credential stuffing fails because there is no shared password to stuff. Database leaks fail because the server stores only public keys. Verifier impersonation fails because attestation, when enabled, lets the server verify the authenticator type. NIST AAL3 is achievable only with authenticators in this class.

Deployment in 2026 is mature. Microsoft Entra ID supports passkey sign-in for both internal accounts and external identities. Okta FastPass and Okta Verify deliver passwordless flows. Google Workspace passkeys work across Chrome, iOS, Android, and Windows. Azerbaijani SaaS-heavy companies typically begin by enrolling employees on Authenticator + biometric (Microsoft Authenticator, Okta Verify), then add hardware keys for administrators and high-risk roles, then enable passkey sign-in for the workforce when their devices support it.

Watch the edge cases. Synced passkeys are convenient, but the keys exist anywhere the user signs in to their cloud account; a compromised iCloud or Google account could expose passkeys on an attacker's device. For administrators and Tier 0 accounts, mandate device-bound hardware keys (YubiKey 5 series, Titan T2), whose private keys never leave the physical token. Define a verified-identity recovery process; losing the only passkey to a corporate account must not require the help desk to bypass MFA via SMS. Plan for legacy IMAP, POP, and SMTP: disable them outright, since legacy protocols defeat any modern factor.

#passwordless #passkeys #fido2 #identity
Information security, Baku.
© 2026 gpolicy. All rights reserved.