Industry pundits predict this year will be a year of accelerated passkey adoption, as more companies join the ranks of Microsoft, Citi, Target, Uber, Sony and other top brands that have deployed FIDO authentication. Their driving motivation: a critical need to improve security, compliance and customer experience (CX).
Punctuating the urgency, the Microsoft Digital Defense Report 2024 reveals Microsoft Entra blocked 7,000 password attacks per second last year. Microsoft’s recommendation: “Retire passwords in favor of phishing-resistant…passkeys.” Passkeys enable users to log in with a fingerprint or facial biometric, making them vastly more secure and easier to use.
There’s just one problem: critical touchpoints in the passkey lifecycle introduce risk. This is where the Transmit Security-Microsoft partnership plays a vital role in your customer identity and access management (CIAM) strategy. Transmit Security is the only Microsoft partner that offers everything you’ll need to protect passkeys every step of the way.
In this blog, we’ll introduce the layers of CIAM protection that are essential for optimizing passkey security and CX — so you can reap the rewards.
Better CIAM outcomes with Azure AD B2C, Entra External ID & Transmit Security passkeys
Customers who use passkeys achieve strong multi-factor authentication (MFA) with one touch or glance, making it easy to log in more often. In turn, organizations gain revenue, simplify compliance and prevent account fraud. To gain these advantages, however, passkeys must be secured and orchestrated throughout the customer identity lifecycle.
Businesses that implement Mosaic by Transmit Security and Azure AD B2C or Entra External ID see measurable gains with passkeys that are truly phishing-resistant:
- 30% or greater reduction in authentication failures: Customers authenticate as who they are and what they possess — not what they know. And by pairing passkeys with Transmit Security’s best-in-class fraud prevention engine, Mosaic provides passive authentication in the form of behavioral biometrics and strong device identification. Additionally, orchestration can call upon other forms of authentication, prompting the user to log in with an email magic link, one-time passcode (OTP) or other methods if needed.
- 70% reduction in credential-related support calls: Preventing login failures by verifying customers with passive forms of authentication described above and/or invoking other forms of authentication translates into fewer support requests.
- 95% detection of credential-stuffing attacks: AI-driven fraud detection determines if the user is the legitimate account owner, a bad actor or bot. This is essential in scenarios where passkey users are asked to authenticate with their legacy login method, often a phishable, stuffable credential.
- 30% faster login times: Simplified and reliable passkey authentication increases customer satisfaction, return visits, engagement and revenue.
- 98% positive customer feedback: Dynamic orchestration adapts passkey journeys in real time, ensuring smooth and easy access for trusted customers.
By rolling out passkeys with Transmit Security and Azure AD B2C or Entra External ID, you’ll strengthen and simplify all aspects of CIAM throughout the customer identity lifecycle.
Key CIAM technologies powering secure & easy passkey journeys
The passkey lifecycle introduces vulnerabilities during registration, account recovery, fallback authentication, step-ups and cross-device enrollment. In these scenarios users may be required to authenticate with their legacy login method (passwords, OTPs, etc.). There’s little to stop fraudsters from registering a passkey on a new device or taking over accounts.
Passkeys alone are not a silver bullet, but fortunately these challenges are easily solved. Mosaic’s seamless integration with Azure AD B2C or Entra External ID offers everything you’ll need: orchestration, fraud prevention, customer identity verification (IDV), strong device identification and passkeys. Here’s how to do it.
1. Create a seamless CX by orchestrating passkey journeys across the CIAM lifecycle
Transmit Security is the only Microsoft partner that offers identity orchestration, a unifying framework and powerful decisioning engine that adapts CIAM journeys based on risk/trust signals, user behavior and device intelligence. With it, you can optimize passkey user flows to remove friction for customers who achieve a high level of assurance (LoA).
If Mosaic’s fraud detection engine sees that a customer is behaving as they typically do and is using a known device, network and IP address, orchestration can allow the customer to transact without having to perform a step-up challenge. Other features include:
- Customizable journeys: Mosaic’s brandable UI and drag-and-drop journey editor make it easy to design and alter seamless user flows with no coding required.
- Fallback options: Rather than relying on passwords when passkeys are unavailable, orchestration invokes alternative methods, such as passive authentication, email magic links or identity verification.
- Broader passkey support: Mosaic enables customers to use their FIDO credentials on devices/OSes that aren’t compatible with passkeys. It also supports cross-device authentication flows for devices that are not in the same ecosystem (e.g., Google, Apple or Microsoft) — contributing to a better CX.
2. Optimize CIAM, fraud prevention and customer experience with behavioral biometrics
Robust behavioral biometrics detects unusual activity by assessing behavior throughout the passkey journey and comparing it with the individual’s historical behavior, such as their typical mousing patterns and keystroke dynamics. Capabilities include:
- Bot detection: Eliminates the need for CAPTCHA challenges, improving CX while strengthening security. Continuous monitoring detects bots based on behaviors like:
  - Uniform and repetitive mouse movements
  - Unrealistic typing speeds and patterns
  - Anomalous behavior that doesn’t match the customer’s typical behavior
- Proactive threat detection: Since trojans, cookie hijacking and other attacks can take over mid-session after a successful passkey login, it’s essential to continually analyze behaviors. Mosaic even detects micro-anomalies, such as latency in user interactions, which can indicate remote control of a device.
- Better CX: If Mosaic determines the user’s behavior matches that of the trusted customer’s typical behavior, and they’ve authenticated with a passkey, orchestration can remove step-ups or other forms of friction from the customer’s path.
3. Ensure 100% uptime with resilient CIAM architecture
Transmit Security offers the only passkey solution with an active-active multi-cloud presence across Microsoft Azure, Google Cloud Platform and Amazon Web Services. In-session failover guarantees business continuity and ensures customers have uninterrupted account access.
For additional resilience, identity caching provides backup authentication during infrastructure outages. This “break glass” mechanism serves cached credentials directly from the cloud without relying on your primary infrastructure. It’s resilient to its core — so customers can access what they want, when they want it.
4. Protect passkeys at every stage of the CIAM lifecycle
By building on top of Azure AD B2C or Entra External ID with Transmit Security’s outcome-driven passkey solution, you can secure and streamline every step of the customer identity lifecycle.
- Orchestration continuously ingests data from Transmit Security’s AI-driven fraud detection engine. Leveraging AI and ML, the engine analyzes hundreds of telemetry data points to assess risk and trust in real time. With behavioral biometrics, threat intelligence and network intelligence, the fraud detection engine determines if the user is the account owner or a bad actor and generates recommendations to Trust, Allow, Challenge, or Deny. Orchestration then triggers the appropriate passkey user flow instantly.
- Strong, multi-layered device identification is another key differentiator that sets Mosaic apart, providing a robust alternative to traditional device ID that relies on cookies and other fraudable identifiers, which are increasingly obscured by browser privacy protections. With a combination of device crypto-binding and device fingerprinting, Mosaic verifies that the device belongs to the legitimate account holder and ensures the user registering the passkey is the rightful owner.
- Identity verification (IDV) can be invoked to verify new and returning users, ensuring it’s the legitimate account owner who is registering, authenticating or recovering a passkey. Only Transmit Security provides native, risk-aware IDV that examines photo IDs, selfie liveness and facial biometrics within the context of real-time risk/trust signals. AI and ML models detect fake IDs, deepfakes, synthetic identities and other tricks that slip past point solutions.
Improve your CIAM strategy: implement passkeys by Transmit Security now
Adopting FIDO-compliant passkeys isn’t just a CIAM upgrade — it’s a strategic necessity. Mosaic, integrated with Microsoft Entra External ID or Azure AD B2C, offers:
- Instant procurement and savings: Use your committed spend to take advantage of Microsoft-Transmit Security partner discounts.
- Rapid deployment and easy integration: Easy-to-use APIs and SDKs offer seamless integration with Azure AD B2C and Entra External ID, ensuring you can deploy Mosaic without disrupting existing systems.
- Proven fraud prevention: Orchestration, fraud prevention and other layers of protection stop fraud before it occurs, safeguarding your customers and business.
- Enhanced customer satisfaction: Fast, secure logins and reduced friction lead to higher engagement and enduring customer trust.
- Future-proof security: Adaptive, resilient technologies ensure businesses remain online and available.
By combining Mosaic and Azure AD B2C or Entra External ID, you’ll not only secure passkey journeys but also optimize CX as customers enroll, log in, recover and authenticate — for a complete, end-to-end CIAM strategy.
Let us help you tap the full potential of passkeys — Request a demo!