The enterprise password problem is not a behavior problem — it is a structural one. Passwords are phishable, reusable, and breach-tradeable by design. The FIDO2 standard and its consumer-facing implementation (passkeys) represent the first credential architecture that is genuinely unphishable at scale. Migrating your workforce is now an operational question, not a theoretical one.
Why Passwords Fail at Enterprise Scale
Credential stuffing, phishing, and password spraying collectively account for the majority of initial access vectors in enterprise breaches. Complexity requirements and mandatory rotation — long the industry's standard response — have been shown to reduce security by pushing users toward predictable patterns. NIST SP 800-63B deprecated mandatory rotation in 2017; most enterprises still enforce it out of inertia.
MFA improved the situation but introduced new attack surfaces. SIM swapping, MFA fatigue attacks (flooding users with push notifications until they approve), and real-time phishing proxies (tools like Evilginx that intercept sessions mid-flow) can bypass TOTP and push-based MFA entirely. The attack surface has followed the defense at every step — until FIDO2.
How FIDO2 Works
FIDO2 consists of two components: the WebAuthn API (a W3C standard implemented in every major browser) and the CTAP2 protocol (Client to Authenticator Protocol, governing hardware security keys). Together they enable authentication using public-key cryptography that is cryptographically bound to a specific origin (domain).
During registration, the authenticator — whether a hardware key, a device TPM, or a platform authenticator like Face ID — generates a key pair scoped to the relying party's domain (the RP ID) and hands back only the public key. The private key never leaves the device. During authentication, the server sends a fresh challenge; the browser packages it together with the origin the user is actually on, and the authenticator signs that client data along with a hash of the RP ID. The server verifies the signature with the stored public key and checks that the signed origin and RP ID are its own. There is no shared secret to steal, no credential to replay (each challenge is single-use), and no generic credential that works across domains. Phishing is structurally impossible: a credential registered to bank.com cannot authenticate to bank-secure.attacker.com, because the browser, not the user, supplies the origin that gets signed.
FIDO2 authentication satisfies the MFA requirements under DORA Article 9 and NIS2 Article 21, and is specifically recommended by ENISA for high-assurance authentication scenarios in critical infrastructure.
Enterprise Migration Strategy
Phase 1 — Inventory and IdP readiness: Audit your identity providers for FIDO2 support. Okta, Microsoft Entra ID, Ping Identity, and most major IdPs now support WebAuthn natively. Identify populations with hardware security keys already in use — often your privileged admin accounts — as your pilot group.
Phase 2 — Pilot with high-value targets: Roll out FIDO2 to IT administrators and executives first. These accounts carry the highest breach impact and tend to have the most motivated users. Require FIDO2 as a second factor initially, keeping passwords as a fallback while building operational confidence and help-desk playbooks.
Phase 3 — Workforce rollout: Deploy platform authenticators (passkeys on managed devices) to the general workforce. Integrate device management (MDM/Intune/Jamf) to ensure authenticators are tied to corporate-managed hardware. Provision hardware security keys (YubiKey, Google Titan) for users without compliant managed devices.
Phase 4 — Password elimination: Once FIDO2 adoption exceeds 90% for a population, begin removing passwords from those accounts entirely. Monitor help-desk authentication failure tickets — expect a brief spike followed by a sustained reduction as users adapt. This is your lagging indicator of success.
The Legacy Application Problem
Legacy applications that cannot speak WebAuthn require an SSO proxy layer — typically your IdP handling FIDO2 at the authentication boundary and presenting a legacy protocol (SAML, OIDC, LDAP) downstream to the application. This is the primary friction point in most enterprise migrations. Identify your legacy estate early, map each application to an SSO integration path, and sequence the rollout to modernize the authentication boundary first.
The goal is not perfection on day one. A workforce where 80% of authentications are FIDO2-backed is dramatically more resilient than one where 100% of authentications depend on passwords plus TOTP. Ship the migration in phases and measure the reduction in phishing-related incident response workload — the business case writes itself.