In our previous article, A Pragmatic Path to Phishing-Resistant Self-Recovery, we explained why passwordless doesn't have to be an all-or-nothing switch. Instead of replacing passwords outright, leading IAM teams are using passkeys to reduce the pain, cost, and risk of password resets. This hybrid approach is especially powerful in environments where passwords are still required for regulatory, operational, or technical reasons.
In this post, we show how Secfense delivers that vision in a productized, zero-integration way: phishing-resistant, self-service password reset that does not disrupt your existing IAM infrastructure.

The Problem: password resets are expensive, inflexible, and insecure
Password resets are often treated as a minor IT issue, but the hidden costs are substantial:
- Thousands of helpdesk tickets per month
- €15 – €30 per reset event
- Lost productivity for end users
- Friction for IT teams
Even organizations with “self-service” portals experience breakdowns when:
- Users are locked out of managed machines
- Reset portals require VPN access
- Legacy verification methods (e.g. security questions) are easily bypassed
- The fallback is still calling the helpdesk
It adds up fast, financially and operationally.
The Secfense model: passkeys for secure, scalable recovery
Secfense introduces a drop-in passkey-based recovery layer that eliminates these issues without modifying applications, changing the identity provider, or installing endpoint agents.
Here's how it works:
1. One-time passkey enrollment
  - Users receive secure emails with registration links.
  - They scan a QR code to register a passkey on their mobile device.
  - Registration is fast, secure, and requires no app installation.
2. Static QR codes on lock screens
  - Every machine displays a static QR code (via wallpaper or GPO).
  - Users can scan it at any time, even when locked out, to initiate recovery.
  - Because the code is static, it acts only as a pointer to the recovery portal; the security of the flow rests on the passkey authentication that follows, not on keeping the code private.
3. Phishing-resistant authentication
  - The QR code leads to a secure recovery portal protected by Secfense full-site isolation.
  - The user authenticates with their passkey, unlocking it with the device's biometric (e.g. Face ID or fingerprint).
  - If the assertion is valid, the user is granted access to the password reset interface.
4. Direct IAM integration
  - The reset request is sent directly to your identity backend (e.g. Active Directory).
  - The new password is applied to the identity source of truth, not just locally.
5. Fallback option
  - If a user hasn't enrolled a passkey, they can still fall back to helpdesk recovery.
  - The helpdesk has visibility into the enrollment status of each user.
What makes this approach different
Secfense enables all of this without modifying your apps or replacing your IAM. The recovery flow runs out-of-band, on the user's phone, alongside the infrastructure you already have.
Traditional reset flows | Secfense recovery architecture |
---|---|
Requires logged-in device | Works from any device with a camera |
Tied to VPN or domain access | Accessible via public gateway |
Based on weak verification (e.g. security questions) | Based on strong, phishing-resistant passkeys |
Managed-only environment | Works for BYOD, VDI, and mobile users |
Manual rollout, long integration | Zero-code, zero-agent deployment |
What you need to deploy Secfense recovery
- A list of user emails (for initial enrollment)
- Placement of a static QR code on login screens
- Connectivity to your identity backend (e.g. AD, LDAP, or Entra)
No application rewrites. No development resources required. Just an overlay that sits beside your current IAM stack and adds a recovery path that’s both secure and scalable.
Built for mixed environments
This architecture works across all common enterprise setups:
Environment | Supported by Secfense? |
---|---|
Active Directory (on-prem) | ✅ |
Entra ID (Azure AD) | ✅ |
Virtual desktops (e.g., Windows 365) | ✅ |
Unmanaged devices / BYOD | ✅ |
Remote users / field staff | ✅ |
It’s particularly valuable in industries like finance, telecom, and critical infrastructure where not all systems or user groups are ready for full passwordless adoption.
Strategic bonus: a stealth path to passwordless
Here’s the long-term benefit:
Once users register a passkey for recovery, that same passkey can be reused for:
- VPN access (vpn.company.com)
- Internal SSO portals
- Federated apps under the same domain
This means your organization gains a ready-to-use passkey inventory, one that's already device-bound, phishing-resistant, and policy-compliant.
Rather than launching a risky “big bang” passwordless initiative, you can:
- Start with recovery
- Expand to SSO
- Extend to CIAM
All without asking users to enroll again.
Why IAM Leaders Choose Secfense
Benefit | Why it matters |
---|---|
No-code deployment | No dev resources or app rewrites needed |
No endpoint agents | Nothing to install or manage at scale |
Secure out-of-band auth | Passkey-protected access to reset flow |
Native browser UX | No app install, no mobile MDM requirement |
Works with existing IAM | AD, Entra ID, Okta, LDAP, etc. |
Fast rollout | Visible results in weeks, not months |
Conclusion: a smarter way to reduce reset costs
Passwordless adoption may take years in legacy-heavy environments. But passkey-based recovery delivers immediate value: fewer support tickets, a better user experience, and a privacy-first authentication path established without disruption.
Secfense makes it possible to deploy this in days, not months.
No custom development. No rip and replace. Just a smarter way to fix the password reset problem at scale.
✅ Want to see it live?
We’ll walk you through how this works in your current environment.
→ Book a demo