Developed in collaboration with the FIDO Alliance, this case study documents RSA’s journey deploying passwordless authentication at scale, capturing real-world lessons learned from using its own platform in production.
Download the free case study now to learn:
- How RSA deployed its own solutions to implement passwordless for its global workforce
- Lessons learned from internal development
- How the RSA authenticator app’s support for device-bound mobile passkeys accelerated progress
- Best practices for addressing behavior and motivating passwordless adoption
The following excerpt details the technology, deployment, and redundancy best practices RSA learned in using its solutions to implement global passwordless. Download the full report to learn more.
Platform architecture comes first.
Remove password dependencies from enrollment, recovery, and policies before deploying authenticators. Otherwise FIDO becomes an add-on rather than a replacement: any flow that still accepts a password remains a fallback an attacker can target, leaving weak links in the organization's identity chain.
Passwordless enables adjacent security improvements.
Help desk verification was a longstanding vulnerability. Passwordless infrastructure made bi-directional live verification feasible, eliminating shared secrets at a critical touchpoint.
Device-bound passkeys in mobile apps offer a third option.
Beyond “synced passkeys vs. security keys,” this approach enhances enterprise control, improves UX, and eliminates hardware distribution overhead.
Leverage existing user behavior.
RSA progressed faster because employees already had the mobile app. Organizations should find and prioritize their existing authentication foothold.
Sequence deliberately: alternatives → lower-stakes → high-stakes.
Don’t start with the most visible system. Build comfort first.
Deploy broadly, mandate later.
Give employees time to adopt on their own timeline. Learn what confuses people. Build a network of interested testers and champions across the business.
Campaigns and deadlines outperform either alone.
Voluntary adoption will plateau regardless of how good the UX is, so plan for it. Social proof matters, but so does urgency. RSA saw a 3x usage increase when it paired its adoption campaign with a clear deadline.
Plan for when a method fails or a device goes missing — because it will happen.
Passwordless authentication requires deliberate redundancy, both in methods and devices. The FIDO Alliance recommends each user register at least two passkeys when possible for this reason. In the RSA deployment, certain user groups received both a software-based device-bound passkey via the RSA mobile app and a hardware-based device-bound passkey, so that losing access to either one never meant losing access entirely.
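The two conditions above, a password that is still an accepted method (the architecture point) and a user with no authenticator redundancy (the device-loss point), are both things an enterprise can check against its enrollment inventory before a mandate. The following is an added example, not code from RSA, the FIDO Alliance, or the case study: it audits a constructed inventory for both conditions and simulates which users would be left without a passkey if a given device went missing. The record layout, the method labels, and the sample users are assumptions made for illustration.

```python
# Added example (not RSA's or the FIDO Alliance's code): audit a constructed
# authenticator-enrollment inventory for (a) passwords still enabled and
# (b) missing passkey redundancy, then simulate the loss of one device.
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical method labels, not any vendor's identifiers.
PASSKEY_KINDS = {
    "device_bound_app",       # passkey held in a mobile authenticator app
    "device_bound_platform",  # passkey held by the device's built-in authenticator
    "device_bound_hardware",  # passkey on a security key
    "synced",                 # passkey synced through a credential provider
}


@dataclass(frozen=True)
class Enrollment:
    user: str
    kind: str       # one of PASSKEY_KINDS, or "password"
    device_id: str  # device holding the credential; for a synced passkey use the
                    # sync account, which survives the loss of any single device


# Constructed sample inventory.
ENROLLMENTS = [
    # alice follows the pattern described above: app passkey plus hardware passkey
    Enrollment("alice", "device_bound_app", "phone-alice"),
    Enrollment("alice", "device_bound_hardware", "key-alice"),
    # bob enrolled a single passkey and nothing else
    Enrollment("bob", "device_bound_app", "phone-bob"),
    # carol still has a password and only one passkey
    Enrollment("carol", "device_bound_app", "phone-carol"),
    Enrollment("carol", "password", ""),
    # dave has two passkeys, but both live on the same phone
    Enrollment("dave", "device_bound_app", "phone-dave"),
    Enrollment("dave", "device_bound_platform", "phone-dave"),
]


def group_by_user(enrollments):
    by_user = defaultdict(list)
    for e in enrollments:
        by_user[e.user].append(e)
    return by_user


def audit(enrollments):
    """Return {user: [finding, ...]}; an empty list means the user is clean."""
    findings = {}
    for user, creds in group_by_user(enrollments).items():
        issues = []
        # Architecture check: a password that is still accepted anywhere is a
        # fallback an attacker can target, so passwordless is not yet a replacement.
        if any(c.kind == "password" for c in creds):
            issues.append("password_still_enabled")
        # Redundancy check: at least two passkeys, held on distinct devices, so
        # that losing one device never means losing access entirely.
        passkeys = [c for c in creds if c.kind in PASSKEY_KINDS]
        if len(passkeys) < 2:
            issues.append("fewer_than_two_passkeys")
        elif len({c.device_id for c in passkeys}) < 2:
            issues.append("passkeys_share_one_device")
        findings[user] = issues
    return findings


def users_without_passkey_if_lost(enrollments, device_id):
    """Users who would have no passkey left if device_id went missing."""
    locked = []
    for user, creds in group_by_user(enrollments).items():
        remaining = [c for c in creds
                     if c.kind in PASSKEY_KINDS and c.device_id != device_id]
        if not remaining:
            locked.append(user)
    return sorted(locked)


if __name__ == "__main__":
    for user, issues in sorted(audit(ENROLLMENTS).items()):
        print(f"{user}: {', '.join(issues) if issues else 'ok'}")
    for device in ("phone-alice", "phone-bob", "phone-dave"):
        print(f"lose {device}: {users_without_passkey_if_lost(ENROLLMENTS, device)}")
```

Run against a real inventory export, the audit output is the list of users to chase before the deadline, and the device-loss simulation is the list the help desk would be handling if that device were reported missing today. Note that two passkeys on the same phone satisfy a naive "at least two" count but not the intent of the recommendation, which is why the example checks distinct device identifiers rather than credential counts alone.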
Budget enough time to drive behavior change. Technology deployment takes weeks. Organizational habit change takes months.
Set ambitious goals, then be transparent about scope.
The RSA leadership team mandated 100% passwordless—and that bold target drove the organization much further than a softer goal like “improve authentication” would have. RSA eliminated passwords from all managed endpoints and primary authentication flows. Legacy systems and edge cases exist; RSA documents them and is developing plans to resolve them rather than claiming perfection. Every enterprise will face this reality.
“What’s a passkey?” is a real question.
Outside engineering, employees needed education. RSA developed clear analogies and updated documentation to connect the technology to familiar mental models.
Consolidate authenticator methods in a single application.
When employees can authenticate via passkey, QR code, or biometric from the same app they already use, compliance doesn’t require behavior change — it just requires a different tap. RSA’s ability to offer the right method at the right moment, without switching apps or adding friction, materially reduced resistance during the mandate rollout.