Page 247 - Cyber Defense eMagazine September 2025
Phase the Rollout
• Start with low-risk apps or pilot groups.
• Gather UX feedback; fix friction before expanding.
• Provide just-in-time education: what a real prompt looks like, why never to read a code out to anyone, and how to report a lost device fast.
Keep a Resilient Break-Glass Plan
• Define how to restore access if multiple authenticators are lost or a biometric fails:
o Break-glass accounts with strict controls
o Emergency recovery with multi-party approval
o Rapid revocation + re-enrollment workflows
• Test this plan the way you test disaster recovery (DR).
Governance & Controls (for IAM Teams)
• Set policy baselines: which groups must use passkeys; which fallbacks are allowed; rotation/attestation requirements; logging minimums.
• Treat authenticator enrollment as a high-risk change requiring approvals and alerts.
• Map passkey posture into identity risk scoring and access reviews.
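As an added illustration (not from the article), the following script encodes the three controls above as checks over authenticator-enrollment events: a policy baseline of passkey-required groups and allowed fallbacks, an approval requirement for enrollment, and a simple per-user risk score derived from the findings. The event schema, group names, method names and weights are all constructed assumptions.

```python
# Added example: evaluate authenticator-enrollment events against a policy baseline.
# Event fields, group names, method names and weights are constructed, not real data.

# Policy baseline: groups that must use passkeys, the fallbacks each group may keep,
# and the enrollment actions that must carry a change-approval reference.
POLICY = {
    "passkey_required_groups": {"finance", "admins"},
    "allowed_fallbacks": {
        "finance": {"hardware_otp"},
        "admins": set(),
        "staff": {"totp", "hardware_otp"},
    },
    "approval_required_for": {"enroll", "reset"},
}

def evaluate_event(evt: dict) -> list:
    """Return (user, severity, reason) findings for one enrollment event."""
    findings = []
    user, group, method, action = evt["user"], evt["group"], evt["method"], evt["action"]
    # Enrollment is a high-risk change: it must reference an approval.
    if action in POLICY["approval_required_for"] and not evt.get("approval_id"):
        findings.append((user, "high", f"{action} of {method} without approval reference"))
    # Non-passkey methods are only acceptable where the baseline allows them.
    if method != "passkey":
        allowed = POLICY["allowed_fallbacks"].get(group, set())
        if group in POLICY["passkey_required_groups"] and method not in allowed:
            findings.append((user, "high", f"{method} enrolled in passkey-required group {group}"))
        elif method not in allowed:
            findings.append((user, "medium", f"{method} is not an allowed fallback for {group}"))
    return findings

def risk_score(events) -> dict:
    """Fold enrollment findings into a per-user score for identity risk reviews."""
    weights = {"high": 50, "medium": 20}
    scores = {}
    for evt in events:
        for user, severity, _reason in evaluate_event(evt):
            scores[user] = scores.get(user, 0) + weights[severity]
    return scores

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"user": "alice", "group": "finance", "action": "enroll", "method": "passkey", "approval_id": "CHG-1"},
    {"user": "bob", "group": "admins", "action": "enroll", "method": "sms_otp"},
    {"user": "carol", "group": "staff", "action": "enroll", "method": "totp", "approval_id": "CHG-2"},
    {"user": "dave", "group": "staff", "action": "enroll", "method": "sms_otp", "approval_id": "CHG-3"},
]

if __name__ == "__main__":
    for evt in SAMPLE_EVENTS:
        for finding in evaluate_event(evt):
            print(finding)
    print(risk_score(SAMPLE_EVENTS))
```

In practice the events would come from the IdP's audit log and the findings would feed the alerting and access-review pipeline rather than stdout.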
Leadership Playbook: Guidance for CISOs & Identity Architects
1. Frame it as a journey. Passwordless is not a switch; it’s a program involving IAM, endpoint, HR (joiners/movers/leavers), legal/compliance, and helpdesk. Set realistic milestones and success metrics (adoption %, reduction in password resets, phishing incident rates).
2. Run a risk assessment up front. Answer:
o What if a device is stolen?
o How do we verify new device enrollment?
o Which recovery flows are acceptable for which roles?
o How do we monitor and revoke authenticators at scale?
3. Use adoption to upgrade culture. If users no longer need passwords, they can handle tapping a key. Provide training, normalize reporting lost devices quickly, and celebrate security-positive behavior.
Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.