
Bitwarden Blog

Passkeys: A practical guide for rolling out modern authentication

Authored by: Bitwarden Events

The shift to passkeys is underway, and this requires closing the gap between the technology and user understanding. During the 2025 Bitwarden Open Source Security Summit, Mark Zvolensky, senior manager of cybersecurity & IAM at Foot Locker, shared practical insights from deploying passkeys at scale. His talk highlighted a fundamental reality: Most people simply don't know what a passkey is.

The communication problem

Users are already juggling multiple authentication concepts like passwords, passphrases, passcodes, OTPs, and SMS codes. Passkeys introduced without context add another layer of confusion. The technical explanation alone does not suffice. What does work, in Zvolensky’s experience, is explaining passkeys as digital keys, similar to car keys, that live on a phone or in a password manager. When onboarding an average user, skip the cryptographic details and focus on the practical reality: it's a password a user has rather than something a user remembers.

Enterprise deployment strategies

The Foot Locker rollout succeeded after an initial slow start. A year earlier, the company tested passkeys and determined that users were not ready because the technology was causing too much confusion and requiring additional internal support. A year later, the situation had matured enough to try again.

Key success factors:

  1. Internal expertise first: The security team needed to become experts before expecting users to adopt the technology. They did this because they understood people would have questions about adding backup passkeys, storage locations, and workflow differences.

  2. Standardize the workflow: Choose one authenticator app and one process. For Foot Locker, this meant directing users to open their authenticator app and tap "create passkey." The consistency in their approach greatly enhanced adoption.

  3. Phased rollout: Zvolensky suggested users start with their team, expand to their department, then roll out organization-wide. Each ring provides learning opportunities and chances to refine the approach.

  4. Multiple support formats: Documentation matters, and variety matters even more. Beyond the basics of email and messaging systems, suggested formats include videos, knowledge base articles, town halls, and wikis. Different users need different formats.

  5. Proactive engagement: Automated workflows can encourage behavior. Foot Locker implemented a system that waits a week after passkey registration, then prompts users to remove SMS authentication with a single button press.

  6. Make it policy for privileged accounts: If an organization agrees that passkeys are more secure, it should require them for high-risk users.
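As an added illustration (not Foot Locker's or Bitwarden's code), the sketch below selects who to prompt under the one-week rule in item 5 and lists privileged accounts that fall short of item 6. The inventory, its field names, and the "suggest a backup passkey first" flag are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

NUDGE_DELAY = timedelta(days=7)  # the one-week wait described in item 5

# Constructed inventory; the field names are assumptions, not any IdP's schema.
USERS = [
    {"user": "alice", "privileged": False, "sms": True,
     "passkeys": ["2025-03-01T09:00:00+00:00", "2025-03-02T10:00:00+00:00"]},
    {"user": "bob", "privileged": False, "sms": True,
     "passkeys": ["2025-03-12T08:30:00+00:00"]},   # registered 3 days ago
    {"user": "carol", "privileged": True, "sms": True, "passkeys": []},
    {"user": "dave", "privileged": True, "sms": True,
     "passkeys": ["2025-02-20T14:00:00+00:00"]},   # single passkey, no backup
    {"user": "erin", "privileged": False, "sms": False,
     "passkeys": ["2025-01-05T11:00:00+00:00"]},   # SMS already removed
]

def sms_removal_nudges(users, now):
    """Users to prompt: first passkey is at least a week old and SMS is still enrolled."""
    nudges = []
    for u in users:
        if not (u["sms"] and u["passkeys"]):
            continue  # nothing to remove, or no passkey to fall back on
        first = min(datetime.fromisoformat(t) for t in u["passkeys"])
        if now - first >= NUDGE_DELAY:
            # Assumption added here: flag users who hold only one passkey so the
            # prompt can suggest registering a backup before SMS is dropped.
            nudges.append({"user": u["user"],
                           "suggest_backup_first": len(u["passkeys"]) < 2})
    return nudges

def privileged_without_passkey(users):
    """Policy gap for item 6: high-risk accounts with no passkey registered."""
    return [u["user"] for u in users if u["privileged"] and not u["passkeys"]]

if __name__ == "__main__":
    now = datetime(2025, 3, 15, 12, 0, tzinfo=timezone.utc)  # fixed for a repeatable run
    for n in sms_removal_nudges(USERS, now):
        print("prompt to remove SMS:", n)
    print("privileged, no passkey:", privileged_without_passkey(USERS))
```
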

"Leave a little room for some magic. Use creative automations to get people on board with stronger authentication wherever possible." — Mark Zvolensky

Current areas for attention

The passkey ecosystem is still evolving. Different sites implement different UI patterns and workflows. Some platforms limit users to a single passkey. Authentication can still be downgraded because many sites maintain a "use password instead" option that undermines passkey security.

Unmanaged passkey storage can create passkey sprawl. Users might store passkeys in a browser password manager without realizing they should store them in their enterprise password manager.

Practical recommendations

This advice applies whether an organization is deploying at scale or helping family members:

  • Conduct password check-ups regularly

  • Maintain backup authentication methods, and consider keeping copies for family members

  • Use emergency access features in password managers

  • Enable multi-factor authentication on critical accounts, particularly email and financial services

  • Perform personal security audits to identify dormant accounts that need attention

The reality is that this requires ongoing effort. Passkeys will not simply replace passwords overnight. Rollout success requires patience, repeated communication, and a willingness to meet users where they are. The technology is sound, and adoption depends on making it accessible to non-technical users through clear explanation and consistent support.


Get started with passkeys with Bitwarden

Ready to implement stronger authentication for your team or organization? Bitwarden makes passkey deployment straightforward.

Businesses looking to deploy passkeys can start a free trial of Bitwarden Teams or Enterprise to see how standardized workflows, emergency access features, and admin controls simplify adoption. Or start today with a basic free Bitwarden account to explore passkey capabilities on your own.
