Passkeys at Work: Why Corporate SSO Still Dragged Its Feet
April 7, 2026
Consumer apps began flirting with passkeys—FIDO2 WebAuthn credentials bound to devices and biometrics—while enterprise IT watched from the balcony. Not because security teams love passwords, but because work identity is a political system with vendors, contracts, audit clauses, help desk economics, and a graveyard of “we will roll that out next quarter.”
By 2026, passkeys are no longer exotic in theory. In practice, many companies still live in a hybrid purgatory: SAML/OIDC SSO for the shiny central apps, passwords and MFA sprawl for the long tail, and a backlog of exceptions for contractors, kiosks, shared machines, and executives who travel with the wrong laptop.
This article explains why corporate SSO ecosystems dragged their feet, what changed, and what still stalls passkey adoption even when everyone agrees passwords are bad.
Spoiler: the foot-dragging is usually not cynicism. It is the weight of real users, real devices, and real auditors asking for receipts.
SSO solved one problem and revealed ten others
Single sign-on did enormous good: fewer distinct employee passwords for core SaaS, centralized offboarding hooks, and a place to enforce MFA policy at the IdP. It also centralized risk. If SSO is the front door, every authentication innovation becomes a program: device trust, conditional access, recovery flows, logging, and incident response playbooks.

Passkeys do not slot into that world like flipping a switch. They change how users enroll, how devices are registered, how backups work, and what “account recovery” means when a phone is lost.
Why enterprises hesitated: real constraints, not just inertia
Several constraints are legitimate:
- Device heterogeneity: not everyone has a managed smartphone with a secure enclave; not every workstation supports the flows you want.
- Recovery and help desk load: password resets are expensive; passkey resets can be worse if the process is immature.
- Vendor readiness: IdPs, browsers, OS versions, and SaaS apps move at different speeds.
- Audit language lag: frameworks and customer questionnaires still ask questions written for passwords + MFA, not passkey-centric models.
- Shared workstation reality: call centers, manufacturing floors, and hot-desking break naive “personal device biometrics solve everything” stories.

None of that means passkeys are wrong for enterprises. It means the rollout is an IT transformation, not a checkbox.
Synced passkeys, managed devices, and the “whose key is it anyway?” debate
Consumer passkey stories often assume a personal phone and a cloud sync fabric. Enterprise stories assume MDM, device attestation policies, and sometimes strict data residency. Those worlds collide when employees want convenience and security teams want enrollment provenance.
The workable pattern is usually explicit: corporate passkeys live in managed profiles where possible, with documented exceptions for contractors and BYOD that do not silently become the default. If you avoid that decision, you get shadow enrollments and mysterious credentials nobody can revoke cleanly.
What shifted the Overton window
Browser and OS support matured. Major identity providers added passkey features and conditional UI. Regulators and insurers kept pushing MFA. Phishing kept proving that OTP and push-based MFA are better than nothing yet still gameable. Passkeys offer phishing resistance in a way SMS codes never will.
Once security leadership could point to mainstream platform support, pilot projects became politically feasible—especially for customer-facing authentication first, then employee-facing.
Where SSO still “drags”: the integration long tail
Core apps on the SSO rail can adopt passkeys with enough effort. The long tail—legacy LDAP apps, thick clients, VPNs, industrial systems, and bespoke portals—does not care about your modern WebAuthn dreams. Enterprises often end up with layered policies: passkeys for the modern surface, fallback methods for the swamp.
That hybrid state can look like hesitation from the outside. Inside IT, it is triage.
Compliance theater vs measurable controls
Auditors ask for evidence. Passkeys change the evidence: fewer password rotation screenshots, more enrollment logs, more device trust telemetry. Teams stall when questionnaires still demand “password complexity” as if it were the only knob. Progressive organizations update control narratives: phishing-resistant MFA, secure enrollment, monitoring for anomalous WebAuthn events, and revocation drills.
If your compliance pack still treats OTP SMS as “strong MFA,” your SSO program will keep buying time with familiar pain.
Break-glass and the fear of locking out the locker-outers
Every mature identity architecture needs break-glass accounts with monitored usage. Passkeys do not remove that requirement; they complicate it unless you design break-glass credentials with extreme care—often hardware-bound, stored offline, and exercised on schedule so they rot less than the policies do.
International workforces and the variable reality of devices
Global enterprises see uneven OS versions, handset markets, and regulatory attitudes toward biometrics. A passkey pilot that works in one region can flop in another because device capabilities differ or because local support cannot handle the failure modes. Rollouts need regional readiness criteria, not a single global flag day.
Designing recovery without rebuilding password hell
Enterprises fear lockouts more than breaches in weekly standups because lockouts are visible immediately. A passkey program needs explicit recovery: supervised enrollment, hardware tokens as alternates, break-glass admin paths, and documented steps that do not require three teams and a calendar invite.
If recovery defaults to “reset password,” you have not finished the passkey migration—you have added complexity.
Phishing resistance is the moral of the story—if you can keep it
Passkeys shine when they stop users from typing secrets into fake sites. That benefit collapses if organizations keep parallel “temporary” password login paths forever. Migration projects must include sunset criteria: which apps must flip, by when, and what constitutes an acceptable exception. Otherwise you pay for two systems and get half the security win.
Hardware security keys: allies, not enemies
Some teams treat passkeys as a replacement for YubiKeys and similar tokens. Often the truth is complementary: security keys remain excellent for high-risk roles, offshore admins, and scenarios where phone-based enrollment is undesirable. The enterprise stack that wins tends to offer a menu with guardrails, not a religious war between phone passkeys and hardware.
What procurement should demand in 2026
New SaaS purchases should ask blunt questions: WebAuthn support, passkey enrollment UX, offline recovery, SCIM provisioning behavior, and audit logs for credential changes. If a vendor’s answer is “we support SAML,” that is necessary but insufficient for a passkey-forward roadmap.
Change management: the invisible half of the stack
Technically viable rollouts still fail when executives show up with unmanaged devices, when interns rotate weekly, or when contractors bounce between tenants. Training materials need plain language: what a passkey is, what to do before travel, what to do after a phone swap, and how to recognize legitimate enrollment prompts versus phishing attempts pretending to be enrollment.
If your comms only say “more secure,” employees will invent folklore. If your comms include steps, screenshots, and SLAs, they might actually comply.
What a sensible 2026 roadmap looks like
- Pilot on a low-risk cohort with strong device management.
- Instrument failures: where enrollment breaks, which browsers, which regions.
- Train help desk with scripts and tooling, not vibes.
- Align procurement so new vendors must support WebAuthn or present a credible plan.
- Shrink exceptions quarterly; exceptions are where phishing lives.
Between pilot success and “full rollout,” run a tabletop exercise: stolen laptop, wiped phone, contractor exits mid-week. If that ends in chaos, you are not ready—no matter how polished the vendor demo was.
Metrics that prove progress (and prevent eternal pilots)
Identity programs love pilots that never end. Pick measurable outcomes: reduction in password-reset tickets, reduction in OTP phishing incidents, percentage of workforce on phishing-resistant factors, time-to-offboard credentials, and successful quarterly revocation tests. If passkeys are “enabled” but adoption is 8 percent, you have a policy problem disguised as a feature flag.
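The "monitoring for anomalous WebAuthn events" from the compliance section and the adoption metrics above can be computed from the same IdP export. This is an added example, not the article's code and not any IdP's real schema: the JSON event lines are constructed sample data, and the field names (`event`, `method`, `managed`) are assumptions to be mapped onto whatever your IdP actually logs. It reports the share of users on phishing-resistant factors, counts password fallbacks by users who already hold a passkey (the parallel login path the article warns about), and flags enrollments from unmanaged devices and enrollment bursts.

```javascript
// Added example, not the article's code: metrics and anomaly checks over IdP
// credential events. Event format and field names are constructed assumptions.

// Constructed sample export, one JSON event per line.
const SAMPLE_LOG = `
{"ts":"2026-03-02T08:01:00Z","user":"ana","event":"auth","method":"passkey","managed":true}
{"ts":"2026-03-02T08:05:00Z","user":"ben","event":"auth","method":"password+sms","managed":true}
{"ts":"2026-03-02T09:10:00Z","user":"ana","event":"auth","method":"password+sms","managed":false}
{"ts":"2026-03-02T09:12:00Z","user":"cai","event":"passkey_enroll","managed":false}
{"ts":"2026-03-02T09:20:00Z","user":"cai","event":"passkey_enroll","managed":true}
{"ts":"2026-03-02T09:25:00Z","user":"cai","event":"passkey_enroll","managed":true}
{"ts":"2026-03-02T10:00:00Z","user":"dee","event":"auth","method":"security_key","managed":true}
{"ts":"2026-03-03T10:00:00Z","user":"cai","event":"auth","method":"passkey","managed":true}
`;

const PHISHING_RESISTANT = new Set(['passkey', 'security_key']);
const ENROLL_BURST_LIMIT = 2;      // more than this many enrollments per user in 24h is flagged
const DAY_MS = 24 * 60 * 60 * 1000;

function parseEvents(text) {
  return text.split('\n').filter((l) => l.trim()).map((l) => JSON.parse(l));
}

function analyze(events) {
  const authUsers = new Set();       // everyone who authenticated at all
  const resistantUsers = new Set();  // ... using a phishing-resistant method
  const passkeyHolders = new Set();  // enrolled, or already signed in with a passkey
  const enrollTimes = new Map();
  const findings = [];

  // First pass: who holds a passkey, so later password logins by them stand out.
  for (const e of events) {
    if (e.event === 'passkey_enroll' || (e.event === 'auth' && e.method === 'passkey')) {
      passkeyHolders.add(e.user);
    }
  }

  for (const e of events) {
    if (e.event === 'auth') {
      authUsers.add(e.user);
      if (PHISHING_RESISTANT.has(e.method)) {
        resistantUsers.add(e.user);
      } else if (passkeyHolders.has(e.user)) {
        // A passkey holder still using a password path: the parallel login to sunset.
        findings.push({ rule: 'password_fallback_by_passkey_holder', user: e.user, ts: e.ts, method: e.method });
      }
    } else if (e.event === 'passkey_enroll') {
      if (!e.managed) findings.push({ rule: 'enrollment_from_unmanaged_device', user: e.user, ts: e.ts });
      if (!enrollTimes.has(e.user)) enrollTimes.set(e.user, []);
      enrollTimes.get(e.user).push(Date.parse(e.ts));
    }
  }

  // Enrollment bursts: more than ENROLL_BURST_LIMIT enrollments by one user inside any 24h window.
  for (const [user, times] of enrollTimes) {
    times.sort((a, b) => a - b);
    for (let i = 0; i + ENROLL_BURST_LIMIT < times.length; i++) {
      if (times[i + ENROLL_BURST_LIMIT] - times[i] < DAY_MS) {
        findings.push({ rule: 'enrollment_burst', user, count: times.length });
        break;
      }
    }
  }

  return {
    phishingResistantShare: authUsers.size ? resistantUsers.size / authUsers.size : 0,
    passwordFallbacks: findings.filter((f) => f.rule === 'password_fallback_by_passkey_holder').length,
    findings,
  };
}

function report() { return analyze(parseEvents(SAMPLE_LOG)); }

console.log(JSON.stringify(report(), null, 2));
```

Run it per reporting period and trend the numbers: a rising `phishingResistantShare` with a falling `passwordFallbacks` count is what "adoption" should mean, and the findings list is the seed for the anomalous-event alerts auditors will ask to see.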
What employees should expect—and what IT should promise
Employees will tolerate friction if the deal is clear: fewer passwords, clearer recovery, and faster sign-in on good days. They will not tolerate mystery. Publish SLAs for credential recovery, publish supported platforms, and publish what happens when someone loses a device on a Friday night in a different time zone.
Closing
Corporate SSO did not resist passkeys because security teams love typing passwords. It resisted because enterprise identity is a bundle of contracts, edge cases, and help desk terror. The foot-dragging was often rational caution.
The way out is not moralizing—it is engineering plus change management: better recovery, clearer policies, and a willingness to modernize the long tail instead of pretending a single IdP toggle fixes the world.
If your organization is still “evaluating passkeys” in 2026, ask what concrete blockers remain: vendor gaps, device gaps, or simply fear of the help desk queue. Name them, schedule them, and assign owners. Passkeys are not a science fair project; they are part of the baseline threat model against credential phishing.
SSO was never going to flip overnight from passwords to a perfectly clean passkey universe. The realistic goal is narrower and more powerful: fewer phishable credentials, faster offboarding, and an identity stack that matches how people actually work—not how login screens looked a decade ago.
Ship the boring parts first: recovery, logging, and help desk readiness. The passkeys will follow, and your users will notice the difference.