Passwords to passkeys: Staying ISO 27001 compliant in a passwordless era

One morning, you wake up and realize that your business has grown to the point where you can no longer afford to get into that old, worn-out diesel subcompact. Instead, you schedule a test drive of a brand-new electric vehicle. The business transitioning from password-based security to passkey technology experiences a similarly transformative feeling. Now, let’s dive into the details and break it down thoroughly!

Passwords have powered digital authentication for decades — much like an old diesel subcompact that somehow keeps starting every morning. But the engine is coughing. The doors don’t lock properly. Anyone who knows the trick can jiggle the handle and get in.

Research shows that 49% of security incidents involve compromised passwords, according to Verizon’s 2023 Data Breach Investigations Report, while 84% of users admit to reusing the same password across multiple accounts — creating a cascade of vulnerabilities. These are not minor inconveniences — they are warning lights flashing on the dashboard, signaling systemic risk.

Passwordless authentication, particularly through passkeys, is like upgrading to a high-tech bullet car: faster, sleeker, and nearly impossible to derail. The ride is smoother, quieter, and significantly harder to hijack.

For organizations under ISO/IEC 27001, switching from passwords to passkeys is less like a casual upgrade and more like overhauling an entire airline fleet to meet stringent new safety standards. It requires ensuring that the new drivetrain aligns with established controls, risk treatment plans, and documentation obligations.

This article examines how organizations can transition to passkeys while maintaining ISO/IEC 27001 compliance — covering the technical foundations and offering practical guidance for IT professionals navigating this modernization journey.

How passwordless authentication works: Technical foundations

Passwordless authentication eliminates the cognitive burden of remembering passwords. Authentication relies on cryptographic keys, biometrics, or possession-based factors — what you have or what you are.

Passkeys represent the most mature implementation of this approach. Passkeys, built on FIDO2 and WebAuthn standards, are like the latest GPS technology — they guide you securely to your destination without the risk of getting lost or taking a wrong turn.

When you create a passkey, your device generates a cryptographic key pair: a private key that stays locked on your device, and a public key that’s registered with the service. During authentication, the service sends a challenge, your device signs it with the private key, and the service verifies the signature. Because the private key never leaves your device, attackers have nothing to intercept or phish.

NIST’s Digital Identity Guidelines (SP 800-63B) classify authentication methods by Authenticator Assurance Level (AAL). Passkeys typically meet AAL2 or AAL3 requirements, representing a significant security upgrade over traditional password-based authentication.

Modern passkeys come in two flavors: device-bound (stored in hardware like security keys) and syncable (backed up across devices through encrypted cloud services). NIST’s updated guidance from August 2024 explicitly addresses syncable authenticators, recognizing that users who lose their only authentication method face significant access recovery challenges.

The adoption numbers tell a compelling story. FIDO Alliance reports that more than 15 billion online accounts now support passkeys — double the figure from 2023. Amazon has created 175 million passkeys, while Google reports 800 million accounts with passkeys enabled. The revolution is already underway.

ISO/IEC 27001 compliance requirements

ISO/IEC 27001 is like a detailed road map for navigating the complex terrain of information security risks, ensuring you don’t take a wrong turn. The 2022 revision reorganized Annex A controls into four themes: organizational, people, physical, and technological.

Authentication falls primarily under three controls:

• Annex A 5.15 (Access Control) defines rules and rights for accessing information and systems. Organizations must establish policies covering user authentication, authorization, access provisioning, and access revocation procedures.

• Annex A 5.17 (Authentication Information) requires organization-wide procedures for allocating and managing authentication credentials, including documenting authentication methods and protecting authentication data.

• Annex A 8.5 (Secure Authentication) specifies technical implementation requirements, including multi-factor authentication for privileged access.

For organizations with ISO/IEC 27001 certification, adopting passkeys requires demonstrating that the new authentication method meets or exceeds existing control objectives, that risks have been properly assessed, and that implementation is thoroughly documented.

Mapping passwordless adoption to ISO/IEC 27001 controls

Transitioning to passkeys touches multiple ISO/IEC 27001 controls. Here’s how to align your implementation:

A 5.15 (Access Control)

• Define passkey scope by risk level: device-bound passkeys for privileged accounts (AAL3), syncable passkeys for standard users (AAL2)

• Document fallback procedures for device loss scenarios

• Establish clear policies for when and how users can authenticate without passkeys during transition periods

A 5.17 (Authentication Information)

• Document the complete enrollment process, including who initiates registration and what identity verification steps are required

• Define encryption requirements for databases storing public keys

• Specify re-enrollment triggers: device compromise, security incidents, device loss, or role changes

• Establish access controls for authentication data management

A 8.5 (Secure Authentication)

• Demonstrate MFA compliance by documenting how passkeys provide two factors: possession (the device) plus biometrics or device PIN

• Explain how cryptographic binding to specific domains prevents use on phishing sites

• Detail technical implementation of WebAuthn protocols and FIDO2 standards

Risk assessment and treatment

• Document eliminated risks: credential theft through phishing, password reuse across services, brute force attacks, credential stuffing

• Address new risks: device loss or theft, vendor lock-in with syncable passkeys, recovery complexity, downgrade attacks where attackers manipulate interfaces to force fallback authentication

• Establish monitoring procedures for detecting and responding to new attack vectors

Organizations should prioritize device-bound passkeys (AAL3) for privileged accounts and syncable passkeys (AAL2) for standard users. Document fallback procedures, encryption standards, and re-enrollment triggers to satisfy auditor requirements.

Benefits of passkeys

Real-world implementation data reveals benefits beyond theoretical threat modeling.  Google reports that passkeys eliminate password-based attacks entirely for accounts that use them exclusively, with a 30% improvement in authentication success rates and 20% faster sign-in times. Sony PlayStation observed an 88% conversion rate for users who started enrollment.

Password management creates ongoing operational costs through help desk calls for password resets, account lockouts, administrative overhead, oil changes, new tires, you get it? Gartner reports that password-related issues account for 20-40% of all help desk calls, with each reset costing organizations an average of $70 in direct support time.

Microsoft’s shift to passkeys as the default sign-in method for all new accounts, supporting over 1 billion users, represents a significant industry move away from this support burden. These costs accumulate quickly across enterprise environments with thousands of users.

Passkeys naturally align with multiple compliance requirements: NIST AAL2/AAL3 phishing-resistant authentication, PCI DSS 4.0 multi-factor authentication, GDPR reduced personal data exposure, and SOC 2 strong access controls. For organizations juggling multiple compliance frameworks, passkeys provide a single technical control that addresses requirements across standards.

Challenges and misconceptions

Passkeys significantly improve security, but implementation requires understanding their limitations. As an electric vehicle won’t take you 1,000 miles on a single charge the way diesel would. Modern technology requires modern infrastructure — charging stations, service networks, trained technicians. Passkeys face similar dependencies.

Passkeys aren’t completely phishing-proof

While passkeys resist traditional credential phishing, attackers adapt. Downgrade attacks force users back to passwords by manipulating authentication pages. Device code phishing and OAuth consent attacks bypass passkey protections entirely.

These attacks don’t compromise passkey cryptography — they exploit implementation choices and user behavior. Organizations should:

• Monitor for downgrade attempts

• Disable password fallback where possible

• Train users to recognize suspicious authentication flows

Account recovery complexity

If a user loses their device and hasn’t backed up their passkey, they’ve lost their authentication credential. Recovery approaches include:

• Email-based recovery (reintroduces email compromise as an attack vector)

• Backup passkeys on multiple devices

• Manual identity verification by administrators

• Recovery codes generated during enrollment

Each approach has security implications that your ISO/IEC 27001 documentation should address in detail.

Mixed authentication environments

Few organizations can go fully passwordless overnight. During transition periods, you’ll operate mixed environments where some users authenticate with passkeys while others use passwords. This creates:

• Inconsistent security posture — Your most sensitive systems may rely on passkeys while legacy applications still accept weak passwords, creating exploitable gaps.

• Policy enforcement challenges — Different authentication methods require different security policies, making it difficult to maintain uniform access controls across the organization.

• Audit trail complexity — Security teams must track and correlate authentication events across multiple systems, complicating incident investigation and compliance reporting.

• User confusion — Employees struggle to remember which accounts use passkeys and which still require passwords, leading to support calls and productivity loss.

Enterprise implementation considerations

Enterprise password management platforms should support:

• WebAuthn-based authentication through fingerprint readers, Face ID, PIN codes, and hardware security keys

• Flexible authentication policies allowing administrators to enforce passwordless authentication for specific user groups while maintaining password-based authentication for others during transition periods

• Email verification and authentication to ensure account recovery mechanisms reach legitimate recipients

• Audit trails and monitoring tracking authentication events, passkey registration, and modifications

These capabilities enable gradual migration while maintaining ISO/IEC 27001 compliance.

Best practices for implementation

• Prioritize by risk — Start with privileged accounts (administrators, developers with production access, users handling sensitive data). Document your prioritization rationale to demonstrate the risk-based thinking that ISO/IEC 27001 demands.

• Maintain defense in depth — Passkeys should be one layer in a comprehensive security strategy. Combine with robust session management, authentication pattern monitoring, and device security requirements (encryption, screen locks).

• Plan the transition — Define clear migration timelines with deadlines for passkey adoption by user population. Track which users continue using legacy authentication. Make clear this is a temporary state with a defined end date.

• Address account recovery proactively — Require multiple recovery options during enrollment. Test recovery procedures regularly. Monitor recovery usage for unusual spikes that may indicate phishing campaigns.

• Document thoroughly — ISO/IEC 27001 requires documented information for controls implementation. Maintain records of technical architecture, policy updates, risk assessments, operational procedures, and training materials. This documentation demonstrates compliance during audits and creates institutional knowledge that survives employee turnover.

The test drive is over: Time to sign the papers?

Your old password-based authentication still gets you from point A to point B — but is it ready for tomorrow’s journey? Passkeys don’t eliminate all authentication risks, but organizations that build adaptable authentication frameworks today will be better positioned to incorporate emerging technologies while maintaining rigorous security governance.

Passkeys represent a fundamental shift in authentication security, offering measurable improvements in security, user experience, and operational efficiency. For ISO/IEC 27001-compliant organizations, success requires risk-based prioritization, comprehensive documentation, and thoughtful management of the transition period.

Ready to strengthen your authentication security?

Passwork as a password manager provides enterprise-grade passkey support along with centralized credential management, detailed audit logs, and secure sharing capabilities designed for ISO/IEC 27001 compliance.

Discover a risk-free transition: free migration assistance and implementation support, pay nothing while your current subscription runs — then receive 20% off when you’re ready to switch.

Try Passwork free for 1 month and see how effective password management can transform your team’s security habits.

Sponsored and written by Passwork.