Here are the key takeaways:
* Passkeys can be managed by password managers, but the tradeoff is that they then depend on master passwords and second secret codes.
* Magic links for account recovery are considered a secure method, but they rely on email or SMS networks, which can be compromised.
* Ward links require security questions or backup code entry to use, adding an extra layer of security.
* Microsoft’s Entra ID and Intune products allow admins to configure conditional access policies that prevent proxied logins from succeeding.
* Many IAM solutions for enterprises allow admins to define the login and account recovery flow, enabling secure passwordless login flows using passkeys.
* Security teams should assume every login session is compromised and ensure that any downgrade of the authentication method breaks out of the existing session before continuing.
* Encouraging or requiring users to add multiple passkeys can keep the loss of one passkey from blocking access to an account.
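
The takeaway on downgrading authentication methods, sketched as an added example (not code from the original page or from any product it names): a session store that ends the existing session, and the user's other sessions, before a weaker method is allowed to proceed. The `STRENGTH` ranking, the method names and the `SessionStore` API are assumptions made for illustration, and credential verification is assumed to happen in the caller.

```python
import secrets
from dataclasses import dataclass

# Assumed strength ranking for this example; the page does not define one.
STRENGTH = {"magic_link": 1, "password": 2, "passkey": 3}


@dataclass
class Session:
    user: str
    method: str  # authentication method that created the session


class SessionStore:
    def __init__(self):
        self._sessions = {}  # token -> Session

    def login(self, user, method):
        """Create a session after the caller has verified `method` for `user`."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, method)
        return token

    def is_valid(self, token):
        return token in self._sessions

    def revoke_all(self, user):
        """Drop every session of `user` and return how many were revoked."""
        doomed = [t for t, s in self._sessions.items() if s.user == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)

    def switch_method(self, token, new_method):
        """Return a rotated token, or None when a full fresh login is required."""
        session = self._sessions.get(token)
        if session is None or new_method not in STRENGTH:
            return None
        if STRENGTH[new_method] < STRENGTH[session.method]:
            # Downgrade: treat the session as possibly hijacked and end it
            # (and its siblings) before the weaker flow is allowed to start.
            self.revoke_all(session.user)
            return None
        # Same or stronger method: rotate the token and continue.
        del self._sessions[token]
        return self.login(session.user, new_method)
```

A `None` result means the weaker flow has to start from a logged-out state, so a stolen session token cannot be carried across the downgrade.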