Semperis: Enforcing Phishing-Resistant Authentication at Scale with Passkeys

FIDO Alliance – News/Blog, May 29, 2026

Why It Matters

The deployment proves that large, security‑focused enterprises can enforce passwordless, phishing‑resistant authentication at scale, raising the baseline for identity protection across the industry.

Key Takeaways

  • Semperis enforced device‑bound passkeys via Entra conditional access for all staff
  • Live enrollment during team meetings drove 100% adoption faster than email
  • Privileged accounts use hardware security keys; TAP disabled for extra protection
  • Android 13 devices required a synced‑passkey workaround via Google Password Manager
  • Convenience messaging (“no passwords”) proved more persuasive than security benefits

Pulse Analysis

Passkeys are rapidly emerging as the cornerstone of a phishing‑resistant identity strategy, and Semperis’ experience illustrates how a mature organization can transition from a mixed MFA landscape to a unified passwordless model. By leveraging Microsoft Entra’s native support for device‑bound credentials, the company avoided third‑party identity providers and kept its authentication stack within a single ecosystem. This decision simplified policy enforcement, enabled granular tiered controls for general, privileged, and break‑glass accounts, and demonstrated that hardware‑backed FIDO keys can coexist with platform‑native solutions like Windows Hello for Business.

The human element proved decisive. Semperis abandoned email‑only campaigns in favor of live, on‑the‑spot enrollment during routine meetings, turning a potentially disruptive change into a brief, collaborative exercise. Clear deadlines and the promise of “no passwords” resonated more than abstract security arguments, driving rapid adoption even among less‑technical staff. Edge‑case handling—such as providing synced passkeys for Android 13 devices via Google Password Manager and creating temporary application exceptions—highlighted the importance of flexible policy design and continuous monitoring during a large‑scale rollout.

Post‑deployment, the organization reports that credential‑phishing attempts are now viewed as low‑severity, allowing security teams to prioritize session‑theft and downgrade attacks. The case underscores a broader market trend: enterprises that sell identity‑security solutions must first master passwordless authentication internally to maintain credibility. As synced passkeys mature and device support expands, companies can expect smoother migrations, reduced re‑enrollment friction, and the eventual deprecation of legacy passwords, solidifying a more resilient security posture across the digital workforce.
