authentication · Intermediate
Passwordless: a strategy that survives reality
By Deepak Gupta · Updated 2026-01-15 · 11 min
The honest framing
"Passwordless" means different things. Magic links are passwordless. OTP codes are passwordless. Passkeys are passwordless. Only the last is also phishing-resistant: the credential is bound to the site's origin and the browser will not exercise it for a look-alike domain, whereas a link or code can be relayed by whoever persuades the user to hand it over. Pick the right one for the threat model.
Choose by threat model
- Consumer apps, low-value: Magic links or OTP. Frictionless, acceptable security.
- Consumer apps, high-value (financial, health, social): Passkeys with email/OTP fallback.
- Workforce, general population: Passkeys plus an authenticator app for legacy app federation.
- Workforce, admins and high-risk roles: FIDO2 hardware keys, no exceptions.
Implementation order
- Add passkey enrollment alongside existing flows. Don't force it. Measure adoption.
- After 6 months of voluntary adoption, default new accounts to passkey.
- Migrate password-only users with progressive prompts at sign-in.
- Sunset passwords as a primary factor (still allow as account recovery if you must).
Recovery is the hard part
Passwordless without a credible recovery story will lock users out. Plan for:
- Lost device with no backup authenticator
- Device migration (Android → iOS)
- Family member or assistant access (delegated identity)
- Account recovery that itself is not phishable
Vendor requirements
- WebAuthn support with platform authenticator and roaming key flows.
- Account recovery that supports multiple methods.
- Telemetry to spot failed authentication patterns.
- Conditional UI for autofill flows in browsers.