Passkey Rollout Checklist

Use this alongside the enterprise passkeys guide and Passkeys 101. The hard parts are recovery and the long tail, not the cryptography.

Plan

• Confirm your IdP and apps support WebAuthn/FIDO2 and passkeys.
• Decide synced vs device-bound passkeys per population (consumers vs privileged workforce).
• Define the authenticator mix: platform (Face ID, Windows Hello), roaming security keys for high-value users.
• Map fallback and recovery before enrollment, this is where rollouts fail.

Enroll

• Pilot with a friendly group; measure success and support load.
• Run an enrollment campaign with clear user guidance.
• Require at least two authenticators per user for backup.
• Treat enrollment as a high-assurance event with logging.

Recovery and edge cases

• Define a phishing-resistant account-recovery path that attackers cannot social-engineer.
• Handle lost-device and re-enrollment flows with strong verification.
• Plan for shared and kiosk devices and for users without modern hardware.

Harden and measure

• Make passkeys the default and de-emphasize passwords where possible.
• Track percent of users and logins on passkeys, and phishing-resistant coverage.
• Phase out weaker factors (SMS, push) as coverage grows.