Passkeys in the enterprise: what we learned from 40 pilots

A year ago, passkeys were a keynote demo. This year they are a line item in security roadmaps, and for the past nine months we have been running structured pilots with 40 enterprise customers to find out what actually happens when you put them in front of a real workforce. Around 60,000 employees participated, from a trading floor at Ardent Financial to hospital wards at Halcyon Health to a distribution network at Copperline. Here is what we learned, including the parts that stung.
The good news is very good
Once enrolled, people love passkeys, and the data is unambiguous. Median authentication time across pilots dropped from 24 seconds with password plus push notification to under 4 seconds. Credential-related helpdesk tickets fell 68 percent among enrolled users. And in two pilots where the customer ran phishing simulations, exactly zero enrolled users were phished on the passkey flow, because there was nothing to type into the fake page. One pilot lead at Vantage told us enrollment was the first security rollout in her tenure that generated thank-you emails.
Where pilots actually stalled
- Shared workstations: nurses at Halcyon Health tap through eight shared terminals per shift. Platform authenticators bound to a personal device do not fit that life; security keys and badge-based flows do.
- Recovery is the real product: losing a phone on day one of a business trip was our most common escalation. If recovery falls back to a phishable factor, you have built a very elegant side door.
- Enrollment, not authentication, is where you win or lose: pilots that embedded enrollment into existing moments, device refresh, onboarding week, badge renewal, hit 80 percent adoption. Pilots that sent an email asking nicely plateaued near 30.
- Regulated device policy: several financial customers needed attestation that a passkey lives in certified hardware before allowing it near production systems. The standards support this; most tooling barely did.
What we changed in the product
The pilots reshaped our roadmap directly. Adaptive MFA now treats passkeys as the preferred step-up factor and can require attested hardware per policy. We shipped recovery flows that chain through a second enrolled passkey or an in-person verification event rather than falling back to SMS, ever. And we built enrollment campaigns into the admin console, because the difference between 30 and 80 percent adoption turned out to be product work, not user stubbornness.
Our honest guidance for 2024 planning: pilot now, with a population whose device reality you actually understand, and design the recovery story before the enrollment story. Passkeys are not a future bet anymore; they are an execution problem, and execution problems are the kind we like. If you want the full pilot playbook, our team shares it in every demo, war stories included.
Writing from inside the identity layer since 2023. For the conversation this post starts, bring it to your next architecture review — or to ours.
