Passkeys, built on FIDO2 and WebAuthn, replace passwords with device-bound cryptographic authentication that reduces phishing and support costs while improving user experience. For ISO/IEC 27001 organizations, a compliant transition requires risk-based prioritization, mapping passkey deployment to Annex A controls, documented recovery procedures, and monitoring for new attack vectors. #Passkeys #ISOIEC27001
Key points
- Passkeys use asymmetric cryptography (private keys on-device, public keys with services) to eliminate password-based credential theft.
- Passkeys typically meet NIST AAL2/AAL3 and come as device-bound (higher assurance) or syncable (user-friendly) options.
- ISO/IEC 27001 alignment requires mapping passkey implementation to Annex A controls (access control, authentication information, secure authentication) and documenting policies and procedures.
- New risks—device loss, vendor lock-in, downgrade and consent/OAuth attacks—must be assessed, mitigated, and monitored.
- Best practices include prioritizing privileged accounts, maintaining defense-in-depth, planning phased migration, testing recovery processes, and keeping thorough documentation for audits.
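As an added example (not from the original post), the asymmetric flow behind the first key point written out as a relying party's WebAuthn assertion check in Go: the private key stays on the device, the server keeps only the public key, and the same check rejects an assertion produced on a look-alike origin. The RP ID example.com, the look-alike origin, the challenge string and the in-process signer standing in for a browser plus authenticator are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// signedMessage is what WebAuthn signs: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, cdj []byte) []byte {
	h := sha256.Sum256(cdj)
	m := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return m[:]
}

// Verify runs the relying party's checks: ceremony type, its challenge, its origin, its RP ID hash, then the signature.
func Verify(pub *ecdsa.PublicKey, rpID, challenge, origin string, authData, cdj, sig []byte) bool {
	var cd map[string]string
	if json.Unmarshal(cdj, &cd) != nil || cd["type"] != "webauthn.get" ||
		cd["challenge"] != challenge || cd["origin"] != origin {
		return false
	}
	rpHash := sha256.Sum256([]byte(rpID)) // authenticatorData starts with SHA-256(rpId)
	if len(authData) < 37 || string(authData[:32]) != string(rpHash[:]) {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(authData, cdj), sig)
}

// Flow enrolls a constructed passkey and returns (genuineAccepted, lookAlikeAccepted) for two logins.
func Flow() (bool, bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // private key never leaves the device
	rpID, origin, challenge := "example.com", "https://example.com", "constructed-nonce"
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // flags: user present; signCount 0
	// The browser, not the page, writes clientDataJSON.origin, so a look-alike site cannot forge it.
	login := func(pageOrigin string) bool {
		cdj, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": pageOrigin})
		sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cdj))
		return Verify(&priv.PublicKey, rpID, challenge, origin, authData, cdj, sig)
	}
	return login(origin), login("https://examp1e.com")
}
func main() {
	g, p := Flow()
	fmt.Printf("genuine origin accepted: %v, look-alike origin accepted: %v\n", g, p)
}
```

A production relying party additionally checks the signature counter and the credential's allowed origins list; a real challenge is fresh random bytes per login, not a fixed string.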