BEST PRACTICES GUIDE

How to get started with

passwordless using
device-bound passkeys
Six deployment best practices to adopt the most secure
passkey authentication strategy for your organization

Yubico Getting started with passwordless 1

 Choosing the right passwordless approach
$4.35 million Passwords remain the most common form of user authentication, used by 91% of organizations1—but passwords
are fundamentally broken, offering weak security, increased support costs and a poor user experience. Data
average cost of data breach2 breaches carry a high cost across the globe ($4.35M USD2), with an additional $1M USD3 associated with annual
password reset costs and $5.2M USD4 in lost productivity due to account lockouts. In response, 66% of organizations
have deployed, are piloting, or are planning to deploy passwordless authentication within the next year.5

Passwordless authentication is any form of authentication that doesn’t require the user to provide a password at
$1 million login. Going passwordless is a journey for most organizations—first moving away from passwords and legacy forms of
MFA, which are all highly vulnerable to phishing, and moving to a modern MFA approach which offers strong phishing-
costs associated with annual defense. Once there, an organization is well poised to move to passwordless.
password reset3
While any form of multi-factor authentication (MFA) offers better security than passwords, not all MFA is created
equal. Basic or legacy forms of MFA passwordless such as SMS, mobile authentication and one-time passcodes
can be easily bypassed by malicious actors, making them susceptible to account takeovers from phishing, social
engineering and attacker-in-the-middle attacks. The only truly phishing-resistant and passwordless authentication
$5.2 million methods involve either Smart Card or FIDO2-based authentication protocols.

additional costs in lost productivity

due to account lockouts4
Phishing resistance is the ability of the authentication protocol to detect and prevent disclosure of
authentication secrets and valid authenticator outputs to an impostor relying party without reliance
on the vigilance of the subscriber.”

Only FIDO and Smart Card/PIV NIST 800-638-4 | Dec. 16, 2022
(PKI) are phishing-resistant

Yubico Getting
Yubico Getting
started
started
withwith
passwordless
passwordless 2 2
What are passkeys?
Passkeys are the modern, convenient replacement for passwords—a secure passwordless experience, based on
phishing-resistant FIDO2 authentication protocols, that is easy and available for individuals and organizations alike.

Phishable Phishing Resistant

SMS
Smart Card Smart Card
Password Mobile Push
FIDO U2F FIDO2 WebAuthn
OTP

A passkey is just a new name for a passwordless-enabled FIDO2/WebAuthn credential, which is good at blocking
phishing attacks. The passkey is the credential itself, a digital file. The passkey lives in an authenticator such as a
phone, laptop, or a device purpose-built for security such as a hardware security key. This distinction is important
when choosing a passkey implementation for an enterprise environment.

What’s the difference between a passkey 

and an authenticator?

A passkey is the credential itself, a digital file. An authenticator

is where the p
 asskey lives. For example, on a phone, laptop,
hardware key, or other device.

Passkey Authenticators

Yubico Getting started with passwordless 3

 Passkey implementations
Synced passkeys live in the cloud, which means credentials on a smartphone, tablet or laptop can be shared between
devices. While synced passkeys enable easier credential recovery in the case of a lost or stolen phone or laptop, the
FIDO credential is harder to track, so it is suitable for lower security assurance scenarios.

Device-bound passkeys offer enterprises greater control of their FIDO credentials compared to synced passkeys.
However, there are different types of device-bound passkeys—those that reside in general purpose devices such as
smartphones, laptops and tablets, and those that reside in hardware security keys purpose built for strong security.
Device-bound passkeys in modern FIDO security keys offer the highest security assurance and provide enterprises
with trusted credential lifecycle management and attestation abilities. With this passkey approach enterprises can
deliver the simplest user onboarding and credential recovery experience across devices and platforms, all while staying
in compliance with the most stringent requirements across industries.

Synced passkeys Device-bound passkeys on Device-bound passkeys on

general-purpose
“Good”—better than devices
passwords hardware security keys

APP APP

• Lives on a smartphone, tablet, etc. • Lives in general purpose devices such as • Lives on a security key or other hardware
• Copyable/shareable smartphones and tablets. For example separate from everyday devices
using an authenticator app • Best option for enterprises; meet higher
• Consumer grade; lower security and
compliance assurance • Middle ground option for enterprises; but security and compliance assurance
less secure than device-bound passkeys • Only passkeys that meet Authenticator
on hardware security keys Assurance Level 3 (AAL3)

Yubico Getting started with passwordless 4

 Which passkey approach is right for you?

If you need Synced passkeys Device-bound passkeys on Device-bound passkeys on

general-purpose devices hardware security keys

APP APP

Synced/shareable between devices Unmanaged syncing Managed syncing No syncing between devices

Works across Apple/Google/ May not work Works across all platforms Works across all platforms
Microsoft

User registration/onboarding Weak; backed by password Weak; app backed by password Most secure as user registration
not reliant on a password

Credential recovery Easy to recover Time to replace phone and costly Fastest with a backup key

Compliance and audit Authenticator Assurance Authenticator Assurance Authenticator Assurance

Level 2 (AAL2) Level 2 (AAL2) Level 3 (AAL3)
No attestation; unsure if user Supports software attestation Supports hardware attestation
controls passkey

Risk/Costs Perceived as “free”; high IT/ Perceived as cheaper than HW; Perceived as higher cost upfront;
helpdesk costs and higher risk but risk exposure gaps can be but less costly due to lowered
exposure is costly costly in long run breach risk and reduced IT burden

Works across enterprise scenarios Not in mobile-restricted, Not in mobile-restricted, Works across all enterprise scenarios
shared workstations shared workstations

Yubico Getting started with passwordless 5

 YubiKeys enable passwordless with the most
The total economic
impact of YubiKeys: secure passkey authentication approach
Yubico created the YubiKey, a hardware security key that houses device-bound passkeys and delivers phishing-
resistant MFA and passwordless authentication at scale with with a seamless user experience.

The YubiKey is a multi-protocol security key, supporting a range of authentication protocols, passwordless authentication
via both Smart Card/PIV and passkey (FIDO2/WebAuthn), along with OTP and OpenPGP, integrating seamlessly across
Strongest Security High Return legacy on-premises and modern cloud environments to help organizations bridge to a passwordless future. YubiKeys
work with over 1,000 products, services and applications including leading identity and access management (IAM)
Reduce risk Experience ROI
by of platforms, privileged access management (PAM) solutions and cloud services. The YubiKey is proven to reduce risk by
99.9% and deliver significant business value to large enterprises at scale, delivering an ROI of 203%6, with a frictionless
99.9% 203% user experience, a frictionless user experience, letting users quickly and securely log in with a single tap or touch.

Unlike synced passkeys that reside in devices not purpose-built for security, and delivering the ease of copying and
sharing which introduces risk for the enterprise, device-bound passkeys residing in YubiKeys are not shareable or
copyable, enabling the enterprise to better track and trust the FIDO credential, which is critical at scale, for compliance
and for audits. Device-bound passkeys that live on a portable security key such as the YubiKey, also ensure that
More Value Faster users can seamlessly and securely work across a range of platforms and devices, and across the ecosystem (e.g. Apple,
Google, Microsoft).
Reduce support Decrease time to
tickets by authenticate by
Device-bound passkeys enable enterprises to implement passwordless and meet the most strict security and
75% >4x wregulated industries. Any other passkey available today supports only up to Authenticator Assurance Level 2 (AAL2).

Given the threat landscape, the need to move toward passwordless gets clearer on a daily basis. But how do you start
the journey to passwordless authentication? The remainder of this guide will detail six key best practices to implement
the highest-assurance path to passwordless using device-bound passkeys residing in the YubiKey.

The biggest benefit that Hyatt is going to receive from deploying YubiKeys is to be able to get rid
of passwords in our environment. You can’t compromise what you don’t have. I think we’re going
to have a great big party once we turn that button off and there’s no more passwords anywhere in
the environment.”

Art Chernobrov | Director of Identity, Access, and Endpoints | Hyatt Hotels Corporation
To read the case study go to yubi.co/hyatt.

Yubico Getting started with passwordless 6

 Six key best practices to accelerate the adoption
of passwordless using device-bound passkeys
Getting started is easy. Getting started is easy. Based six step deployment process to plan for and accelerate
on Yubico’s experience assisting hundreds of customers passwordless adoption using device-bound passkeys
to optimize authentication security, we have created a at scale.

Plan Validate Integrate Launch Adopt Measure

Ensure readiness Confirm the process Ensure key apps Distribute keys to Drive adoption with Report on security
by clarifying use with a small group and services are users with turnkey best practice training and business
case cases and of users before YubiKey-ready delivery services or and support value impact
user populations broader rollout channel partners

01. Plan
Clarify use cases and
ensure readiness
A phased approach is the best way to ensure a
frictionless deployment. Put your high value users
and data first, then expand. Rank use cases and
user populations based on risk, workforce location,
business impact and ease of technical integration.

Yubico Getting started with passwordless 7

Deploy the right passkey approach for the right user groups and risk profiles:

Consumers First line Office

Consumers
at risk workers workers

Synced passkeys or High-risk users— Need a soultion that Require security

app-based passkeys e.g. journalists—may is not dependent on keys with hardware
on their devices are require extra security thier personal device attestation to ensure
probably ok for passkeys, such to authenticate credentials cannot
as those residing in be copied
security keys

Privileged Remote Mobile Supply

users work restricted chain

Highest risk users— Protect against Hardware keys can Require a solution
require security passkeys being shared go where mobile that cannot be shared
keys with hardware to other devices or devices are not among employees
attestation to know compromised by other allowed (e.g. call or compromised if
where the credentials devices attached to centers, manufacturing attached to personal
are stored the iCloud account environments, server iCloud accounts
rooms, clean rooms,
hardened rooms)

Yubico Getting started with passwordless 8

 Assemble key stakeholders
While the amount of resources committed to the project departments can positively influence the implementation
can vary based on the size and breadth of the YubiKey of the YubiKey across the organization. It’s important to
deployment, key stakeholders within the following have buy-in across all teams to ensure a smooth rollout:

HR/Learning
IT Security Finance Help Desk
& Development

Engage Yubico experts as needed

With a tried and true process that hundreds of authentication. No matter where you are on your journey
organizations have followed already, and with a ‘YubiKey to passwordless, we’ll meet you there, offering best-in-
as a Service’ model, Yubico offers flexible and cost- class technical and operational guidance in support of
effective solutions to heighten solutions and streamline your YubiKey implementation and rollout.

YubiEnterprise Services* Yubico Professional Services

I am all about making the
adoption of technology as YubiEnterprise YubiEnterprise Deployment
Subscription Delivery Deployment 360
easy as possible. If I can hit planning

the easy button using YubiKeys

and also using their subscription Simplifies how Global turnkey YubiKey Turnkey planning, Jump start your rollout
model to ensure all my users businesses procure, distribution through technical integration with workshops &
upgrade and YubiEnterprise Delivery and deployment projects to review use
have YubiKeys, that is a big
support YubiKeys or local channel partners support cases and develop a
win for me!” customized strategy

Brent Deterding | CISO | Afni

* YubiEnterprise Services are available for organizations of 500 or more users.

Yubico Getting started with passwordless 9

 02. Validate
Confirm the process with a small
group of users
Validate with a small group of users across a priority use
case for confirmation and feedback, leveraging Yubico
best practice resource guides, videos and engagements.
Practice, learn and then move forward with expansion.

03. Integrate
Works with
Ensure your environment is
YubiKey YubiKey-ready
YubiKeys, the industry’s #1 YubiKeys can work with over 1,000 applications and seamlessly across your technical stack, below are
security keys, work with services, including leading IAM platforms such as Microsoft, some critical questions to think about. It’s considered
hundreds of products, services, Okta, Ping and Google. YubiKeys offer platform flexibility a best practice to first answer these questions for
and applications. To browse between Apple, Google and Microsoft for your passkey your pilot program, then circle around for each
YubiKey compatibility go to implementation. To ensure that YubiKeys are integrated expanded deployment.
yubi.co/wwyk.

Who What Where How

Who needs access? What passwordless Where in your environment How does location
approach will you take? do you require strong impact deployment?
Employees, contractors,
authentication?
third parties, supply chain Smart Card, synced or Remote, hybrid, on-
device-bound passkeys Corporate systems and premise, multi-location
E-comm hardware/servers,
shared workstations and What types of devices
POS terminals, network, need to be supported?
apps, and dev tools
Owned, BYOD, desktop,
How do you manage laptop, smartphone,
access? tablet, POS terminals,
inventory scanners
IAM, IdP, PAM, SSO, VPN

Yubico Getting started with passwordless 10

 Prepare to deploy
After ensuring that your environment is YubiKey ready, organizational change management through effective
it’s time to create a plan to deploy YubiKeys across communication, training and support. Yubico offers a
your organization. Optimizing deployment involves variety of Professional Services to help you deploy quickly:

Yubico Professional Services

Deployment Integration Implementation Service

planning services projects bundles
Rollout plan Architecture Technical Flexible consulting
development and infrastructure engagements to hours for when & how
review, vendor implement YubiKeys you need them
integration analysis in your environment

04. Launch
What?

Get keys in hands and plan

Increase awareness
Build up user training Go Live events
and support materials
We want your deployment to be as frictionless as critical questions about how you will distribute keys to
possible for all teams and all users. This includes users and how you will manage the YubiKey lifecycle.
simplifying deployment plans, helping you answer
Why?

Boost engagement Distribution Key management

Demonstrate value to the
organization and the user
Self-service | Channel Partner | Y
 ubiEnterprise Delivery Onboarding | Support | Offboarding

Yubico Getting started with passwordless 11

 YubiKey rollout best practice
recommendations
Once your users have their YubiKeys, the next step is the recommended next step. If a user leaves the
involves registering the keys with the applications organization, some organizations retrieve YubiKeys prior
and devices they will use. We recommend that each to their departure while others prefer to allow departing
user has a second YubiKey as a backup, and if users users to keep their YubiKeys and continue using it for
cannot locate a YubiKey, revoking and replacing keys their own personal accounts.

Offer flexibility and Two YubiKeys per Future-proof with Encourage security Plan an event to
choice since YubiKeys person for backup extra keys to cover with personal use make the future of
are available in a for churn or lost/ policies your organization’s
variety of form factors stolen keys security exciting

Go Live events
Why users love the YubiKey Support the launch with a series of kick-off communica-
tions that introduce the YubiKey to users­—communicate
early, often. The ideal Go Live communications make
users excited about the modern features of the YubiKey.
Faster

Easier

More Secure

Yubico Getting started with passwordless 12

 How to?
05. Adopt
Support adoption and
Educate users
Have clear calls to action on how boost engagement
to get started and how to get help
At Yubico, we believe success should not be measured arise for onboarding and troubleshooting (e.g. what to
by how many YubiKeys you have, but by how many do in case of a lost key).
keys are being used.
Effective education and awareness is important during
While the Go Live communications educate users on the this phase in order to showcase to your user community
‘what YubiKeys are’ and the ’why they are important’, why the company invested in the YubiKey, and the direct
support teams need to be prepared to explain the how, benefits to users. The YubiKey’s simple user experience
with FAQs available to help with any questions that may requires minimal training and on-going support for users.

06. Measure
Folks that aren’t really computer
savvy are able to register so
Report on security and
quickly, so painlessly, and then
business impact
begin using their YubiKey so
effortlessly and instantaneously— We know the truth is in the numbers. Validate the pilot
that’s an easy win for us.” against these metrics, then expand to other users to
increase the overall business impact.
Art Chernobrov | Director of
Identity, Access, and Endpoints |
Hyatt Hotels Corporation
Deployment Performance Security User
metrics: metrics: metrics:
Deployment metrics: metrics:

Number of keys Support time Security threats Ease of onboarding,

distributed, reductions related mitigated, simplified ease of use,
users activated, to password compliance or audit satisfaction
applications resets, productivity reporting
enabled increases related to
login times

Yubico Getting started with passwordless 13

 Ready for scale
Yubico offers expert consulting services, including designed to jump-start and accelerate your YubiKey
operational and technical workshops, implementation deployment at scale.
projects, on-demand resources and custom engagements,

YubiEnterprise Services* Yubico Professional Services

YubiEnterprise YubiEnterprise Launch Training & Analytics &

Subscription Delivery planning support reporting

Cost effective Global Create a Best practice Customized

and flexible turnkey YubiKey marketing and training & support metrics &
YubiKey distribution through communication materials and dashboard design
procurement YubiEnterprise plan tailored to processes
To download the Professional Services Delivery or local your users
Solution Brief go to yubi.co/ps. channel partners

* YubiEnterprise Services are available for organizations of 500 or more users.

YubiEnterprise YubiEnterprise
Subscription Delivery

Gain leading, phishing-resistant authentica- Yubico and trusted partners provide IT

tion security for less than the price of a cup teams with powerful capabilities to manage
of coffee per user, per month. YubiKeys as delivery of hardware security keys to users
a service, via subscription, delivers peace of globally and accelerate the adoption of strong
mind in an uncertain world. authentication.

Learn more yubi.co/yes Learn more yubi.co/delivery

Yubico Getting started with passwordless 14

 Ready to get started with passwordless?
While the path to passwordless can feel daunting, it doesn’t have to be. There are many roads to passwordless and
different passkey implementations offer tradeoffs for organizations and users alike. Therefore, a ‘one size fits all’
approach for passkeys is sub-optimal for an organization that houses critical customer and financial data with a
range of security, compliance and scale requirements.

Device-bound passkeys using hardware security keys such as the YubiKey offer the most secure passkey
authentication approach to meet the strictest compliance requirements. A set of deployment best practices that have
already helped hundreds of organizations efficiently get on the bridge to passwordless can help you demystify how to
get started.

Modern enterprises recognize that security as a service can take all the guesswork out of achieving success. When
you choose YubiKeys as a Service, you get to make decisions as you go with custom insights and help from Yubico
experts, simplifying the process of scaling YubiKeys and delivering passwordless experiences to wider circles of users
as your business needs grow. We include success guides and priority support to help you be successful as quickly
as possible.

If you want a closer partnership on any of the six steps of this plan, Yubico’s Professional Services team is here to help.

Contact us Learn more

yubi.co/contact yubi.co/ps

Yubico Getting started with passwordless 15

Sources
1
 &P Global Market Intelligence, With Security Breaches Mounting,
S
Now Is the Time To Move From Legacy MFA to Modern, Phishing-
Resistant MFA, 2023
2
IBM, 2022 Cost of Data Breach Report, (Accessed August 12, 2022
3
 orrester Research, Inc, Optimize User Experience With Passwordless
F
Authentication, (March 2, 2020)
4
 onemon Institute, 2019 State of Password and Authentication
P
Security Behaviors Report, (Accessed September 14, 2021)
5
 &P Global Market Intelligence, With Security Breaches Mounting,
S
Now Is the Time To Move From Legacy MFA to Modern, Phishing-
Resistant MFA, 2023
6
 orrester, The Total Economic Impact of Yubico YubiKeys,
F
(September 2022)

Yubico Getting started with passwordless 16

About Yubico
Yubico (Nasdaq First North Growth Market
Stockholm: YUBICO) is the inventor of the YubiKey,
a hardware security key that is the gold standard in
phishing-resistant multi-factor authentication (MFA).
Yubico’s solutions offer organizations and users
deployment expertise and operational flexibility as
YubiKeys work across hundreds of consumer and
enterprise applications and services.

Yubico is a creator and core contributor to the

FIDO2/passkey, WebAuthn, and FIDO Universal
2nd Factor (U2F) open authentication standards,
and is a pioneer in delivering modern, hardware-
based passkey authentication security at scale to
customers in over 160 countries.

For more information, please visit: www.yubico.com.

© 2024 Yubico Yubico Getting started with passwordless 17