Modernizing identity and access management (IAM) to enable passkeys is shifting from “nice to have” to a competitive necessity for enterprises. As identity-based attacks and phishing campaigns reach unprecedented scale, it’s clear that passwords and legacy MFA are insufficient for today’s threat landscape. Transitioning to passwordless authentication based on the FIDO2/WebAuthn standard using passkeys represents a leap forward in both security and user experience for organizations ready to evolve.
But migrating existing IAM systems to support passkeys brings considerable technical and organizational complexity. Drawing on Secfense’s experience supporting BNP Paribas Bank Polska, one of the first global banks to launch passkeys for corporate clients at scale, this article outlines the stages of IAM migration, key technical barriers, and proven implementation strategies for a seamless and secure transition.

Why Migrate to Passkeys?
- Passkeys offer phishing-resistance by eliminating shared secrets.
- They raise authentication security while simplifying user login flows.
- Enhanced compliance with frameworks like PSD2, DORA, NIS2, and GDPR is more attainable.
- The burden and cost of password reset requests, IT helpdesk tickets, password leaks, and credential stuffing are drastically reduced.[1][2][3]
Stages of IAM System Migration to Passkeys
A typical migration journey evolves through these main phases:
- Assessment and Strategy
  - Evaluate current IAM landscape, authentication flows, and regulatory needs.
  - Identify systems and applications most vulnerable to credential-based attacks.
  - Build a migration roadmap minimizing disruption and risk.
- Proof of Concept (PoC) and Pilot Testing
  - Limit early deployment to a select user group (“friends & family”) to test UX and system compatibility.[4]
  - Use feedback to refine backend processes and user interfaces.
- Hybrid Mode Deployment
  - Operate passkeys alongside legacy authentication (passwords, MFA) to maximize business continuity and ease user onboarding.
  - Allow users to choose their authentication method during a transition window.
  - Ensure no changes to existing business-critical apps or IAM logic are required.[4][1]
- Organization-Wide Rollout & Opt-In Expansion
  - Gradually expand passkey support to broader groups.
  - Run targeted user education campaigns on passwordless benefits and use.
- Full Passwordless Migration (Optional)
  - Decommission passwords once adoption and technical readiness reach target levels.
Technical Barriers to Passkey Enablement
1. Integration with Legacy and Complex IAM Landscapes
Many organizations have grown through mergers and acquisitions, leaving them with fragmented identity systems, multiple authentication protocols, and legacy applications. Modifying these applications to support passkeys can threaten stability and incur massive cost and risk.[5][3][4]
2. Maintaining Compliance and Auditability
Heavily regulated sectors (finance, healthcare) must meet demanding audit, logging, and compliance requirements. Any IAM migration must preserve or enhance compliance with standards like PSD2 RTS for strong customer authentication and ensure robust key management and lifecycle documentation.[2][1][4]
3. User Experience and Platform Compatibility
The path to passwordless must be frictionless for end-users. But the passkey experience varies by OS and browser, and even advanced users face confusion over sync, recovery, and multi-device access. Applications may require new UI elements for passkey registration, management, and fallback flows, which are sometimes impossible to add without code changes.[3][6]
4. Security and Risk Mitigation
Fallback methods (recovery options for lost keys/devices) must not reintroduce weak security. Secure backup, revocation, and attestation controls across multiple device ecosystems require fresh policies and technical solutions.

Implementation Strategies: Overcoming Common Challenges
1. The Secfense User Access Security Broker (UASB) Approach
Secfense has pioneered a layer-based, agentless method for enabling passkeys on any IAM stack without modifying application code or disrupting business operations. At BNP Paribas, Secfense provided an integration layer that:
- Injected passkey logic into existing application flows via the load balancer, introducing passkey UI and logic dynamically, with zero code changes to core business apps.[1][4]
- Seamlessly routed passkey authentication traffic to a dedicated FIDO2 server, leaving legacy flows untouched.
- Made it possible to run legacy and modern authentication side-by-side, reducing migration risk and maximizing uptime.[2][4][1]
- Ensured full compliance, strong separation of authentication mechanisms, and robust audit trails.
2. Phased, Opt-In Migration and Fallback Control
- Launch with a limited “opt-in” pilot to control risk and collect real-world feedback.
- Use backend user targeting (not risky email links or cookies alone) to activate the passkey flow for specific users.[4]
- Provide secure fallback and key management workflows (registration, revocation, device recovery) tightly coupled with strong authentication.
3. “No-Code, No-Agent” Integration for Maximum Scalability
- Avoid risky and expensive application rewrites by leveraging network-level interventions (like content adaptation in the load balancer) and flexible security brokers.[1][4]
- Deliver new authentication methods (passkeys, strong MFA, biometrics) across all applications, even legacy or third-party ones, regardless of backend technology.
4. Regulatory Compliance by Design
- Align technical controls and reporting with sectoral regulations (PSD2, GDPR, etc.).
- Use robust FIDO2 servers and lifecycle management for passkey generation, storage, and revocation.
- Leverage secure enclaves, end-to-end encryption, and on-device key handling for data confidentiality and integrity compliance.[4]

Key Takeaways for IAM and Security Leaders
- Passwordless is a process, not a switch: Hybrid coexistence of old and new authentication is required, especially in regulated, multi-system environments.
- User experience is as critical as security: Adoption depends on balancing frictionless flows and highest security assurance.
- No-code, agentless solutions like Secfense UASB supercharge velocity: They empower organizations to modernize IAM quickly, without waiting on slow and risky code changes or upgrades.
- Compliance and auditability are foundational: Choose IAM upgrade paths and vendors with proven records meeting strict security and audit requirements.
Ready to Start Your Journey?
Migrating your IAM system to passkeys is a strategic move that will define your security posture for the years ahead. With Secfense, you can bridge old and new worlds, enjoying the strongest phishing-resistant authentication, seamless user experience, and regulatory peace of mind.
Contact Secfense today to schedule a demo or proof-of-concept and discover how your organization can become passwordless faster, safer, and simpler than you ever thought possible.
Sources
1. https://secfense.com/blog/how-bnp-paribas-implemented-passkeys-at-scale/
2. https://www.kuppingercole.com/watch/banking-on-trust-lessons-eic25
3. https://www.darkreading.com/identity-access-management-security/passkey-usability-challenges-require-problem-solving
4. Hybrid Passwordless Authentication in Banking | Secfense
5. https://www.corbado.com/blog/why-passkey-implementations-fail
6. https://devops.com/navigating-passkeys-challenges-pitfalls-and-considerations-for-developers/
7. https://secfense.com/webinars/eic2025-bnp-paribas-passkeys/
8. https://www.ubisecure.com/identity-platform/how-to-migrate-iam-system/
9. https://ventureoutny.com/blog/ventureout-2020-cyber-alum-secfense-scores-a-big-one-with-bnp-paribas-bank-polska/
10. https://x.com/secfense_team
11. https://www.ubisecure.com/identity-platform/how-to-migrate-iam-system-part-2/
12. https://www.youtube.com/watch?v=1Nbixa4bgUk