Thales Article

From Passwords to Passkeys: A Practical Roadmap for Enterprise Customers

Natee Pretikul | Principal PM Manager at Microsoft Security

Over 99% of identity attacks remain password-based, yet for many business leaders, moving beyond passwords still feels like uncharted territory. Confusion over security standards, compatibility concerns, or fears about complexity at scale can slow progress.

Fortunately, adopting passkeys doesn’t require an all-at-once leap. At Microsoft, we’ve seen that organizations succeed by building momentum in stages: starting small, learning fast, and gaining trust as they go. Thousands of businesses are already on this journey. With guidance from Microsoft and our collaboration with Thales, you can follow a Crawl → Walk → Run model and transition smoothly to stronger security.

The Journey to Passkeys: Crawl → Walk → Run

Crawl
At this stage…

Your organization still relies primarily on passwords, with some badge-based access (such as certificate-based authentication). Your authentication strategy is fragmented, and modernizing it is often viewed as a burden rather than a business enabler. You’re exploring options but haven’t committed to a passkey strategy.

Say, for example, you are a…

Retail chain or hospital system with thousands of frontline workers such as store associates, nurses, and doctors, who badge into shared devices like POS terminals or medical hardware kiosks. These environments demand fast, secure access without compromising compliance or patient safety.

What works at this stage…

Introducing multi-protocol cards that support FIDO2 authentication as well as certificate-based authentication is a low-friction entry point. These hardware-backed credentials offer phishing-resistant authentication and are easy to deploy in physical settings. In addition, finding ways to introduce even basic MFA methods at this stage gets you ahead of the curve. You don’t need to overhaul your entire infrastructure. It’s a foundational step that builds trust and sets the stage for expansion.

Walk
At this stage…

Your organization has taken initial steps toward modern authentication, but many employees still rely on passwords. Authentication varies across apps and devices, with some MFA deployed, but not extensively, and often using only the most basic methods.

Say, for example, you are a…

Professional services firm with consultants and analysts working remotely across client sites. You’ve secured some shared workstations, but employees still use passwords or basic MFA like SMS codes to access cloud tools and sensitive data.

What works at this stage…

Introducing app-based MFA, such as Microsoft Authenticator, or passkeys, strengthens protection against phishing and improves user experience. These methods reduce password reliance without requiring a full infrastructure revamp. Layering in stronger credentials helps unify your identity strategy and move toward passwordless authentication.

Run
At this stage…

You’ve made solid progress: passkeys or other phishing-resistant MFA methods are in place, and your identity governance is maturing. But authentication still varies, and legacy systems keep passwords alive. You’re ready to take the final step.

Say, for example, you are a…

Global tech company or digital-first business that’s invested in identity modernization and wants to minimize the use of passwords. You've seen the benefits of passkeys in pilots and want to expand across the enterprise.

What works at this stage…

Deploying passkeys across your ecosystem, as well as enforcing phishing-resistant MFA through Conditional Access policies (like those available through Microsoft Entra ID), makes authentication seamless and secure. It reduces the need for passwords, lowers IT support costs, and strengthens compliance. At this point, you’re future-proofing your business and setting a new standard for digital trust.

Takeaways for Business Leaders

  • Start where the risk to the organization is highest. For example, executives, members of the security team, and IT admins are highly targeted. You may want to focus on these personas first, and then expand to the broader organization, from greatest to least risk, until all users are secure.
  • Think in stages, not silver bullets. Progress from basic passwords, to basic MFA, to passkeys, to policy enforcement, with each step building capability and confidence.
  • Make identity strategic. Align passkey adoption with your broader Zero Trust and IAM goals. Yes, authentication is a security feature, but it is also a business enabler.
  • Lean on trusted partners. Microsoft has worked with many leading partners to help our customers. For example, Microsoft’s identity leadership and Thales’ secure FIDO key lifecycle management offer a proven roadmap to scale safely and avoid common rollout pitfalls.

Microsoft–Thales Longstanding Collaboration in Identity Security

Microsoft and Thales have built a strong, long-term collaboration to help organizations secure their identities when migrating to the cloud. Together, Microsoft and Thales address the toughest challenges in passkey adoption:

  • FIDO2 security keys for enterprise. Thanks to Thales’ large portfolio of hardware security keys and management tools, fully compatible with Microsoft Entra ID, organizations can easily deploy hardware-backed, phishing-resistant credentials that fit their various end users’ needs.
  • Hybrid credentials. Our joint support for passkeys provides flexibility for organizations at different stages of modernization.
  • Scale with confidence. From pilot to full enforcement, we’ve worked together to design solutions that support enterprise needs, especially in regulated or global environments.

This collaboration gives decision-makers the tools to roll out modern authentication without reinventing their identity infrastructure, thus reducing complexity and accelerating business value.

Closing Thought

For enterprise customers, adopting passkeys is an important security strategy, but it requires proper planning. With a phased approach and the right partners, enterprises can transform their authentication experience, no matter what form it takes.
