Cost-benefit analysis of LLM-based receptionists vs human staff

The death of the password and rise of fido2

Honestly, passwords are just a disaster waiting to happen at this point. I've spent way too many hours helping users who got phished because they reused the same password for their bank and their work email and it's just exhausting.

According to the 2024 Data Breach Investigations Report from Verizon, phishing is still growing like crazy, and honestly, traditional mfa like sms isn't saving us anymore.

The problem is that passwords are "shared secrets"—if an attacker gets it, they're in.

• Credential reuse: A 2025 update from Penthara Technologies notes that 61% of breaches involve compromised credentials.
• MFA Fatigue: Users get so many push notifications they just hit "Approve" without thinking, which is a huge hole in retail and finance apps.
• Support Costs: Microsoft found that passwordless logins have a 98% success rate, compared to just 32% for first-time password entries.

fido2 is the standard that actually fixes this by using public-key cryptography instead of secrets. It basically splits the "key" so the server never even sees your actual login info.

As Microsoft Entra ID documentation explains, this process keeps the private key on your device so it can't be stolen remotely.

The technical handshake: webauthn and ctap

Before we get into the setup, you gotta understand how this actually works under the hood. It’s not magic, it’s just two protocols working together. First, you got WebAuthn. This is the api that lets the browser talk to the website. When you try to log in, the site sends a "challenge" to your browser, and the browser asks your device to sign it.

Then there is CTAP (Client to Authenticator Protocol). This is what lets your computer talk to the actual hardware, like a yubikey or your phone via bluetooth or usb. Your device uses its private key to sign that challenge and sends it back. The server uses the public key it already has to verify the signature. Since the private key never leaves your hardware, there’s nothing for a hacker to phish. It’s a way better way of doing things than typing "P@ssword123" into a fake site.

Understanding passkey types for deployment

So, you're ready to ditch passwords but realizing not all passkeys are built the same. Honestly, picking the wrong type for your team is a quick way to either annoy your users or leave a massive hole in your security posture.

You basically have two main flavors to deal with:

• Synced passkeys: These live in providers like Apple iCloud or google Password Manager. They're great for retail or general staff because they sync across devices. As mentioned earlier, these have a 98% success rate because they're so easy.
• Device-bound passkeys: These stay on one piece of hardware, like a yubikey or a laptop's TPM chip. You can't copy them. This is what you want for your sysadmins or folks in high-stakes finance roles.

If you're in a regulated industry like healthcare, you probably need attestation. This is just a fancy way for the server to verify exactly what kind of hardware is being used.

According to Microsoft Entra ID documentation, enforcing attestation means you can block synced passkeys entirely, ensuring only hardware-bound keys get in.

It's all about balance—don't force a physical key on a retail clerk who just needs to check their shift, but don't let your ceo sync their admin credentials to a personal ipad.

Strategic deployment in microsoft entra id

Setting up fido2 in microsoft entra id is honestly pretty straightforward, but you gotta be precise with the policies or you'll end up locking your admins out. I've seen it happen in a finance firm where they turned on attestation without checking if their keys were supported—total mess.

First, head over to the entra admin center. You need to hit up Authentication methods then Policies. Find Passkeys (FIDO2) and flip that toggle to enabled.

• Targeting: Don't just blast this to everyone. Start with a pilot group, maybe your IT team.
• AAGUID Restrictions: If you're in a high-stakes industry like healthcare, you might want to limit registration to specific hardware vendors like Yubico. You do this by adding their AAGUID (Authenticator Attestation Global Unique Identifier) in the configure tab. Think of an AAGUID as a unique serial number for a specific model of hardware key. You can usually find these in the vendor's documentation or by checking the logs after a test registration.
• Onboarding: Use a Temporary Access Pass (tap) for new hires. As noted by PlexHosted, users should register their keys at the security info page within five minutes of a fresh mfa check.

Once people are registered, you have to actually force them to use the keys. This is where Conditional Access comes in. Create a new policy and under "Grant," select "Require authentication strength." Pick the Passwordless MFA option.

A study mentioned earlier by Microsoft found that passwordless logins have a 98% success rate, so once you get past the initial setup, your helpdesk tickets for "I forgot my password" basically vanish.

Just make sure you exclude your break-glass accounts from these policies. If the api goes sideways or a tenant-wide issue hits, you’ll need a way back in that doesn't rely on a fido2 chip. Anyway, next we’ll look at how this changes the user experience and the impact on the business.

Optimizing the digital experience

Let's be real, security is great but if it takes ten minutes to log in, your users are gonna find a workaround. When you're designing the UX, you want to make the passkey button the "path of least resistance."

• UI Placement: Don't hide the "Sign in with a passkey" option behind three menus. Put it right on the front page. If the browser detects a passkey, it should ideally trigger the prompt automatically.
• Messaging: Tell users why they are doing this. Use simple language like "Use your face or fingerprint to sign in faster" instead of "Initiate WebAuthn ceremony."
• Platform consistency: Make sure the experience feels the same whether they are on an iPhone or a Windows laptop.

According to the FIDO Alliance, organizations see way higher sign-in success rates because the friction just disappears. In retail, a 3-second login means fewer abandoned carts. If a customer can touch a sensor and buy, they stay. Doctors shouldn't be resetting passwords mid-shift; they need instant, biometric access to patient records. When you deploy this right, the helpdesk tickets for "locked out" basically dry up.

Troubleshooting and common pitfalls

Look, even the best systems break when someone loses a yubikey or smashes their phone. If you don't have a recovery plan that's as solid as your fido2 setup, your helpdesk is gonna have a bad time.

• Redundancy: Always make users register two keys. One for the pocket, one for the safe.
• Recovery: Use a Temporary Access Pass (tap) for lockouts. As mentioned earlier, this lets them back in without reverting to weak passwords.
• Compatibility: Watch out for cross-platform quirks. A passkey made on ios might act weird on a windows machine if bluetooth is flaky.

The following diagram shows the standard recovery workflow for when a user loses their primary device, ensuring they can get back in without compromising security.

Honestly, just keep it simple. If you've followed the steps discussed earlier, your system is already way ahead of the pack. Stay secure out there.