Adopting passkeys alone is not enough to protect our services from phishing attacks. When organizations maintain password authentication alongside passkeys, attackers will continue targeting password-based vectors even as users adopt the more secure option. To truly protect services against phishing attacks, complete password deprecation and mandatory passkey usage are essential.
However, given the deep entrenchment of password-based systems in today's services, an immediate transition to a passkey-only environment is impractical. It's a journey with multiple stages.
This presentation introduces the concept of the "Passkey Journey" - a strategic, phased approach to implementing passkeys while deprecating passwords. We'll cover key considerations along the way, including acceptable authentication methods, account recovery, and user-centric experience. These practical insights will help companies build truly phishing-resistant systems.