One Standard, Two Problems: Why Passkeys Work Differently for Workforce and Customers
Passkeys are built on one standard. That does not mean they solve the same problem in every environment.
Organizations that have started passkey projects — either for employees or for customers — quickly discover that workforce authentication and customer authentication are fundamentally different programs. Different threat models. Different device contexts. Different recovery requirements. Different compliance constraints.
This article explores why these two passkey deployment paths diverge, what that means in practice, and what decisions organizations need to make before starting either program.
We have also covered this topic in depth in one of our webinars. If you prefer to watch rather than read, the recording is available on the Secfense YouTube channel:
https://www.youtube.com/@secfense
For upcoming Secfense webinars on passkeys, passwordless authentication, and identity security, follow the events page on LinkedIn:
https://www.linkedin.com/company/secfense/events/
In Brief
This article is intended for:
IAM architects
Security engineers and CISOs
Digital identity teams
Anyone responsible for authentication strategy in organizations considering passkeys
The core argument is straightforward: the FIDO2 standard is the same, but the deployment context for workforce and CIAM is different enough that treating them as a single project is a common and costly mistake.
The Standard Is One. The Problems Are Two.
FIDO2 and passkeys solve the credential problem: they replace passwords with public-key cryptography, remove credential phishing as an attack vector (the private key never leaves the authenticator and the credential is bound to the origin it was registered on), and deliver a significantly better user experience.
But organizations deploying passkeys face two distinct environments:
Workforce authentication — securing access for employees, contractors, and administrators to internal systems, SaaS applications, VPNs, and legacy applications.
Customer authentication (CIAM) — securing access for external users to digital services, portals, and customer-facing applications.
Both are passwordless projects. Both use FIDO2. But almost everything else is different.
How Workforce and CIAM Passkey Projects Differ
Device ownership and control
In workforce environments, organizations typically manage the devices users authenticate from. Device-bound passkeys can be enforced, hardware security keys can be issued, and attestation policies can restrict which authenticators are permitted.
In CIAM environments, organizations have no control over user devices. Customers may authenticate from personal phones, shared computers, or devices that change over time. Synced passkeys — which roam across a user's Apple, Google, or Microsoft ecosystem — are often the only practical option at scale.
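The device-model decision above can be encoded as a relying-party registration policy and then enforced on each registration response. The following is an added example, not code from the article or from Secfense's product; it assumes a relying party that reads the WebAuthn authenticator-data flags byte (UP, UV, BE, BS) and an AAGUID allowlist whose values are placeholders. A workforce policy rejects backup-eligible (synced) credentials and authenticators outside the allowlist; a CIAM policy accepts synced passkeys and applies no attestation gate.

```python
# Added example: map the "device model" decision onto a WebAuthn registration
# policy and check a registration's authenticator-data flags against it.
# Flag bits per the WebAuthn spec: UP=0x01, UV=0x04, BE=0x08 (backup eligible,
# i.e. a synced passkey), BS=0x10 (currently backed up), AT=0x40 (attested cred data).
from dataclasses import dataclass

FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS = 0x01, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class PasskeyPolicy:
    context: str                # "workforce" or "ciam"
    allow_synced: bool          # accept backup-eligible (synced) credentials
    require_uv: bool            # require user verification at registration
    attestation: str            # attestation conveyance preference sent to the browser
    allowed_aaguids: frozenset  # empty set = no allowlist (CIAM has no device control)


def policy_for(context: str, allowed_aaguids=()) -> PasskeyPolicy:
    """Derive concrete relying-party settings from the deployment context."""
    if context == "workforce":
        # Managed devices: device-bound only, attestation requested and checked.
        return PasskeyPolicy("workforce", False, True, "direct", frozenset(allowed_aaguids))
    if context == "ciam":
        # Unmanaged devices: synced passkeys are the practical default.
        return PasskeyPolicy("ciam", True, True, "none", frozenset())
    raise ValueError(f"unknown context: {context}")


def flags_from_authenticator_data(auth_data: bytes) -> int:
    """The flags byte follows the 32-byte rpIdHash in authenticator data."""
    return auth_data[32]


def check_registration(policy: PasskeyPolicy, flags: int, aaguid: str) -> tuple[bool, str]:
    """Accept or reject a registration from its flags byte and (attested) AAGUID.
    Assumes the attestation signature was already verified; an AAGUID is only
    trustworthy once that check has passed."""
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if policy.require_uv and not flags & FLAG_UV:
        return False, "user verification required but not performed"
    if not policy.allow_synced and flags & FLAG_BE:
        return False, "backup-eligible (synced) credential rejected by device-bound policy"
    if policy.allowed_aaguids and aaguid not in policy.allowed_aaguids:
        return False, f"authenticator {aaguid} is not on the allowlist"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample: zeroed rpIdHash, flags 0x5d (UP|UV|BE|BS|AT), counter 1.
    synced = b"\x00" * 32 + bytes([0x5D]) + b"\x00\x00\x00\x01"
    wf = policy_for("workforce", {"AAGUID-PLACEHOLDER-1"})
    print(check_registration(wf, flags_from_authenticator_data(synced), "AAGUID-PLACEHOLDER-1"))
```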
Recovery flows
When an employee loses access to their device, IT handles recovery. The process is controlled, auditable, and can involve hardware replacement.
When a customer loses access, recovery must be self-service, low-friction, and available around the clock. The recovery mechanism itself becomes an attack surface — and designing it carefully is one of the most underestimated challenges in CIAM passkey projects.
Fraud risk
Workforce deployments are primarily concerned with external attackers targeting employee credentials.
CIAM deployments face an additional threat: account takeover by attackers who have already obtained a customer's personal data. Passkeys help here, but fraud risk management becomes part of the authentication design.
Compliance requirements
Regulated industries add further complexity. DORA, NIS2, and PSD2 each carry specific requirements around authentication assurance, device binding, and audit trails.
Workforce deployments typically serve internal audit requirements. CIAM deployments may be subject to consumer protection regulations and financial sector requirements simultaneously.
Onboarding and adoption
Employee onboarding for passkeys can be managed through IT rollout programs. Adoption can be enforced.
Customer onboarding is a UX problem as much as a security problem. Customers who find passkey setup confusing will abandon it, or abandon the service. Adoption rates directly affect business outcomes.
Four Questions to Answer Before Starting
Regardless of whether a passkey project starts in workforce or CIAM, organizations should answer four questions before selecting architecture or vendors.
1. What is the device model?
Are users authenticating from managed devices, personal devices, or a mix? This determines whether device-bound or synced passkeys are the right default, and which authenticator types are acceptable.
2. How will recovery work?
What happens when a user loses their authenticator? Who handles it, how fast must it work, and what verification is required before restoring access? Recovery design is often more complex than the authentication design itself.
3. What does gradual rollout look like?
Neither workforce nor CIAM projects can move all users at once. What is the pilot group? How do you manage users who have not yet enrolled? How do you handle edge cases during transition?
4. What will auditors ask?
Where is authentication enforced? Where are policies defined? Are logs centralized and attributable? For regulated industries this is not a post-deployment question — it needs to be part of the architecture from the start.
Watch the Webinar
Secfense has covered this topic — the architectural differences between workforce and CIAM passkey deployments — in a dedicated technical session. No product demo, no sales content. A discussion designed for IAM architects, security engineers, and CISOs.
You can find the recording on the Secfense YouTube channel, alongside all previous webinars on passkeys, passwordless authentication, and identity security:
https://www.youtube.com/@secfense
To stay updated on upcoming Secfense webinars, follow the events page on LinkedIn:
https://www.linkedin.com/company/secfense/events/
Learn More About Passkeys at Secfense
If your organization is evaluating passkeys for workforce or customer authentication, Secfense provides resources covering:
enterprise passkey architectures for workforce environments
CIAM passkey deployment models
compliance considerations for DORA, NIS2, and PSD2
no-code passkey deployment across legacy and modern systems
Contact Secfense to discuss your specific architecture and deployment context.
FAQ: Passkeys for Workforce vs. Customers
Are passkeys the same technology in workforce and CIAM?
Yes — both use FIDO2 and public-key cryptography. The standard is identical. The deployment context, threat model, and operational requirements differ significantly.
Can organizations deploy passkeys for both workforce and customers at the same time?
Technically yes, but in practice it is rarely advisable. The two programs have different stakeholders, different timelines, and different technical requirements. Running them in parallel without separating them creates confusion and delays both.
What is the main risk in CIAM passkey deployments?
The most underestimated risk is account recovery. Designing a recovery flow that is secure, low-friction, and resistant to social engineering is consistently harder than the passkey enrollment flow itself.
Do device-bound passkeys work in customer environments?
Device-bound passkeys can work in CIAM, but they create significant usability challenges when customers change devices or need cross-device access. Most CIAM deployments at scale use synced passkeys as the default, with hardware keys available as an option for high-assurance use cases.
What regulations apply to passkeys in CIAM?
Financial services organizations in the EU typically need to consider PSD2 SCA requirements, DORA authentication assurance requirements, and potentially NIS2 obligations depending on classification.