WebAuthn for Internal Tools: Replacing Passwords Sustainably
WebAuthn replaces passwords, TOTP and SMS codes. The user experience is finally as good as the security.
Why WebAuthn now
WebAuthn (FIDO2) is supported in every modern browser and OS. Passkeys (the consumer-friendly version) ship in iOS, Android, macOS and Windows.
Phishing-resistant by design: the credential is bound to the origin that registered it, so a lookalike site cannot trigger it. User experience competitive with password manager autofill.
Four-step rollout
- Phase 1: enable as opt-in second factor.
- Phase 2: enable as opt-in primary factor (passwordless).
- Phase 3: required for employees.
- Phase 4: deprecate passwords entirely.
Device-recovery story
The hardest part: lost device. Solutions: register multiple devices; admin-recovery flow; backup TOTP for recovery only.
Document and rehearse before mass adoption; recovery is the failure mode that stops adoption.
Stack consolidation
Once WebAuthn covers your internal tools, you can deprecate: TOTP apps, SMS-based MFA, and shared admin vaults in password managers.
One auth stack; less complexity; better security.
Antipatterns
- WebAuthn for some apps; password for others. Friction; users default to the weakest option.
- No recovery flow. One lost device = locked out.
- No required-mode timeline. Adoption stalls at 30%.
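As an added illustration (not code from the original post), the following small policy evaluator encodes the four phases, the recovery-only TOTP rule and the antipattern checks above; the phase names, user records and the "admin-recovery" label are hypothetical.

```python
from dataclasses import dataclass
from enum import IntEnum

class Phase(IntEnum):
    SECOND_FACTOR = 1   # opt-in second factor
    PRIMARY_OPT_IN = 2  # opt-in passwordless
    REQUIRED = 3        # required for employees
    PASSWORDLESS = 4    # passwords deprecated

@dataclass(frozen=True)
class User:
    name: str
    webauthn_devices: int = 0  # registered authenticators
    backup_totp: bool = False  # recovery-only TOTP seed

def login_factors(user, phase):
    """Factor sets that complete a routine login; an empty list means 'must enroll'."""
    if user.webauthn_devices == 0:
        return [frozenset({"password"})] if phase < Phase.REQUIRED else []
    if phase == Phase.SECOND_FACTOR:
        return [frozenset({"password", "webauthn"})]
    return [frozenset({"webauthn"})]  # enrolled users are passwordless from phase 2 on

def recovery_factors(user):
    """Lost-device path: backup TOTP counts here and nowhere else; admin recovery is the last resort."""
    paths = [frozenset({"admin-recovery"})]
    if user.backup_totp:
        paths.append(frozenset({"totp"}))
    return paths

def phase_readiness(users, target):
    """Adoption rate plus the users who block moving to `target`: the unenrolled
    (no required-mode timeline) and single-device users with no self-service recovery."""
    enrolled = sum(1 for u in users if u.webauthn_devices > 0)
    adoption = enrolled / len(users) if users else 0.0
    blockers = []
    if target >= Phase.REQUIRED:
        for u in users:
            if not login_factors(u, target):
                blockers.append((u.name, "not enrolled"))
            elif u.webauthn_devices < 2 and not u.backup_totp:
                blockers.append((u.name, "single device, no self-service recovery"))
    return adoption, blockers

# Constructed sample directory, not real users.
STAFF = [User("ana", 2), User("bo", 1, True), User("cy", 1), User("di")]
```

Run phase_readiness(STAFF, Phase.REQUIRED) before announcing the required-mode date: the blockers list is the enrollment and recovery work still owed.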
What to do this week
Three moves. (1) Pick one production system to apply this pattern to first. (2) Measure the security signal before/after. (3) Document the gap and write a follow-up ticket so the program stays alive between quarterly reviews.