I've started experimenting with passkeys for my IT team and some test users, and I'm really liking the advantages over traditional username and password multi-factor authentication (MFA). Not only do passkeys seem to offer better security and resistance to phishing, but they also provide a smoother experience for users, which I've noticed leads to less hassle with logins.
I'm considering rolling this out for all users, but my boss is worried that having multiple authentication methods may confuse users, especially if they forget their passwords when trying to log in from mobile devices. He's concerned about potential complaints and password reset requests that could arise from this change. While I personally think this could be a straightforward improvement for the IT side—better security and a happier user experience—I understand his perspective. He primarily uses Android with Google Auth rather than Microsoft Auth, and I'm curious about others' experiences. For those of you who've adopted passkeys, what has the user experience been like?
5 Answers
Good point on the various devices and versions. Last I heard, MS still needed to improve certain flows, like scanning QR codes for login on desktop. It can be tedious! But overall, passkeys have the potential to streamline things in the long run.
We've made a full switch to passkeys company-wide and it's been amazing so far! We did a three-month pilot to prepare, and especially for Android users on version 14+, the support has been solid. Definitely recommend trying it out as it reduces the hassles of password management, but be prepared for a bit of a learning curve at first.
I personally use my YubiKey on Android without any issues, although I've noticed some bugs with MS's onboarding process. Just keep in mind some users might still struggle with the MFA concept if they've relied on SMS in the past. You'll want to prepare for some resistance from certain users as they adapt.
Just be careful—if you're moving to passkeys, there are still some systems that might not work seamlessly with them. We've encountered some that only function with traditional methods, so it's definitely worth checking what your environment supports.
From my experience, using passkeys on Android 14+ with the Microsoft Authenticator app has been really secure. I totally get your boss's concerns about users getting confused, especially those who prefer to use SMS over personal devices. But in my team, we did a pilot before rolling it out, and it went smoothly. Users really liked not having to remember passwords anymore! They just needed a little coaching on how to set it up.
I agree, the setup can be confusing. But once users get through it, they tend to appreciate the change! A quick tutorial can really help ease the transition.
So true! It took some time, but now users are loving the flexibility. Just make sure everyone understands they can still fall back on passwords if needed.