Passwords to Passkeys: Staying ISO 27001 Compliant in a Passwordless Era
Cybersecurity · Defense · Enterprise

BleepingComputer • February 16, 2026

Why It Matters

Passkey adoption cuts phishing and password‑reuse risks while satisfying multiple compliance frameworks, delivering measurable security and operational savings for enterprises.

Key Takeaways

  • 49% of incidents stem from compromised passwords.
  • Passkeys meet AAL2/AAL3, reducing phishing risk.
  • ISO 27001 controls A5.15, A5.17 and A8.5 map to passkeys.
  • Device‑bound passkeys are recommended for privileged accounts.
  • Recovery planning is essential to maintain compliance.

Pulse Analysis

The legacy password model is increasingly untenable: Verizon’s 2023 breach report links nearly half of incidents to stolen credentials, and 84% of users recycle passwords across services. Passkeys eliminate the shared‑secret problem by storing a private key on the user’s device and using public‑key cryptography for verification, so the server holds only a public key and there is no reusable secret to phish. Adoption is accelerating: the FIDO Alliance notes that over 15 billion accounts now support passkeys, with tech giants such as Google and Amazon reporting hundreds of millions of active implementations. This shift not only raises the security baseline but also aligns with emerging regulatory expectations for phishing‑resistant authentication.
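The key-pair model the paragraph describes, shown as an added Go example that is not from the article or from BleepingComputer: a minimal, self-contained sketch of WebAuthn-style registration and login. The `Authenticator` and `RelyingParty` types, the user `alice` and the RP ID `login.example.com` are constructed for this example, and the real protocol's CBOR encoding, attestation, signature counters and user-verification flags are left out. What survives is the pair of properties that makes passkeys phishing-resistant: the private key never leaves the device, and every signature is bound to the site's RP ID plus a single-use server challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device: one key pair per relying party (RP) ID; private keys never leave it.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // RP ID -> private key
}

// Register creates a credential scoped to rpID and hands back only the public key.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// signedData binds a signature to the RP ID hash and the challenge (a simplified form of
// WebAuthn's authenticatorData || clientDataHash), so a signature for one site is useless to any other.
func signedData(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	h := sha256.New()
	h.Write(rpHash[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign answers a challenge for rpID; with no credential for that exact RP ID (e.g. a look-alike domain) it refuses.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for RP ID " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
}

// RelyingParty models the server: it stores public keys only and issues single-use random challenges.
type RelyingParty struct {
	ID         string
	pubKeys    map[string]*ecdsa.PublicKey // user -> public key
	challenges map[string][]byte           // user -> outstanding challenge
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// Verify checks sig against the stored public key and the outstanding challenge,
// then consumes the challenge so the same assertion cannot be replayed.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, havePub := rp.pubKeys[user]
	c, haveChallenge := rp.challenges[user]
	if !havePub || !haveChallenge {
		return false
	}
	delete(rp.challenges, user)
	return ecdsa.VerifyASN1(pub, signedData(rp.ID, c), sig)
}

// Demo enrolls constructed user "alice" at hypothetical RP ID "login.example.com", then runs a genuine
// login, a replay of the same assertion, and a signing request from a look-alike domain.
func Demo() (genuine, replayAccepted, phishRefused bool, err error) {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	rp := &RelyingParty{ID: "login.example.com", pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
	pub, err := auth.Register(rp.ID)
	if err != nil {
		return
	}
	rp.Enroll("alice", pub)
	c, err := rp.Challenge("alice")
	if err != nil {
		return
	}
	sig, err := auth.Sign(rp.ID, c)
	if err != nil {
		return
	}
	genuine = rp.Verify("alice", sig)        // true: fresh challenge, correct key
	replayAccepted = rp.Verify("alice", sig) // false: challenge already consumed
	_, signErr := auth.Sign("login.example.com.evil.test", c)
	phishRefused = signErr != nil // true: no credential is scoped to that RP ID
	return
}

func main() {
	g, r, p, err := Demo()
	fmt.Println("genuine login:", g, "replay accepted:", r, "look-alike refused:", p, "error:", err)
}
```

Run with `go run .`; the three outcomes map directly onto the compliance story in the text: the genuine login succeeds because the server stored only a public key and a fresh challenge, the replay fails because challenges are single-use, and the look-alike domain gets no signature at all because the credential is scoped to the RP ID at enrollment. That origin scoping is the property auditors are asking for when they look for "phishing-resistant" evidence under the Annex A authentication controls.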

For ISO/IEC 27001‑compliant organizations, the move to passwordless authentication is more than a technical upgrade; it is a compliance exercise. Annex A 5.15 (Access Control) now requires policies that define passkey scope and fallback mechanisms, while Annex A 5.17 (Authentication Information) mandates documentation of enrollment workflows and encryption of public‑key repositories. Annex A 8.5 (Secure Authentication) expects evidence that passkeys deliver multi‑factor assurance, typically combining device possession with biometrics or PINs. Mapping these controls to passkey deployments enables auditors to see that risk‑treatment plans have been updated, new attack vectors—such as device loss or downgrade attacks—are mitigated, and evidence is retained in the ISMS.

Practical rollout demands a phased strategy. Enterprises should start with privileged users, deploying device‑bound passkeys that meet AAL3 requirements, and then extend to standard users via syncable passkeys meeting AAL2. Robust recovery processes—backup keys, secondary verification channels, and regular testing—prevent lockouts and satisfy ISO documentation obligations. Integrating WebAuthn‑compatible platforms, enforcing uniform audit trails, and training staff on phishing‑resistant flows reduce support overhead and improve user experience. By embedding passkeys into the broader security architecture, organizations not only future‑proof authentication but also streamline compliance across PCI DSS, GDPR, and SOC 2, delivering a compelling business case for the passwordless era.
