From TOTPs to Security Keys: Studying the Reality of Passwordless FIDO2 Authentication With PIN and Biometrics in a Corporate Environment

Leona Lassak, Nicklas Lindemann, and Marvin Kowalewski, Ruhr University Bochum

Phishing remains a major threat to companies. Many organizations use multi-factor authentication (MFA) methods such as SMS codes or TOTPs, which still leave them vulnerable to attacks and add cognitive, physical, and time strain for employees. Passwordless authentication with FIDO2 security keys could offer a promising alternative with strong phishing resistance and better usability, yet real-world adoption in corporate settings is underexplored. In a five-week field study at a mid-sized IT company, we compared security keys (PIN-based and biometric) with passwords plus TOTPs, using authentication logs, surveys, and interviews with 34 employees. While biometric security keys reduced login times by nearly five seconds, PIN-based keys were not significantly faster. Despite this, and despite usability challenges such as hardware compatibility, employees were significantly more satisfied with both on-device authentication methods. Security perception remained unchanged, as employees already considered the existing authentication secure. Critically, employees frequently criticized the overall inconsistency and complexity of authentication workflows, suggesting that the authentication method itself may not always be the core issue. Organizations should therefore analyze the root causes of authentication problems before adopting new authentication methods as quick fixes for fundamentally flawed infrastructures.
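The phishing-resistance contrast the abstract draws between TOTPs and FIDO2 comes down to one property: a WebAuthn assertion carries the origin of the page that requested it (filled in by the browser, not the page), and the relying party rejects any origin other than its own, whereas a TOTP code is just six digits that verify no matter where the user typed them. The following is an added, self-contained illustration written for this page, not code from the paper or its study; it models a relying party's clientDataJSON checks and an RFC 6238 TOTP verifier side by side, then relays both credentials through a constructed phishing origin. The origin `https://sso.example.com`, the attacker domain and the TOTP secret are placeholders; the signature over `authenticatorData || SHA-256(clientDataJSON)` is left out because it needs a crypto library and does not affect the origin-binding point.

```python
# Added illustration (not part of the paper or its study artifacts): why a
# WebAuthn/FIDO2 assertion is bound to the site it was produced for, while a
# TOTP code is valid wherever the user is tricked into typing it.
# Standard library only. The origin below is a constructed placeholder.
import base64
import hashlib
import hmac
import json
import struct

RP_ORIGIN = "https://sso.example.com"  # assumed relying-party origin (placeholder)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(challenge: bytes, page_origin: str) -> str:
    """Model of the clientDataJSON a browser builds for navigator.credentials.get().
    The browser, not the page script, fills in `origin`, so a phishing page
    cannot claim to be the real login site."""
    payload = {
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": page_origin,
    }
    return b64url_encode(json.dumps(payload).encode())


def verify_client_data(client_data_b64: str, expected_challenge: bytes,
                       expected_origin: str) -> tuple[bool, str]:
    """Relying-party checks on clientDataJSON: ceremony type, challenge, origin.
    The signature over authenticatorData || SHA-256(clientDataJSON) would be
    verified next with the registered public key (omitted here)."""
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except ValueError:  # covers binascii.Error and json.JSONDecodeError
        return False, "malformed clientDataJSON"
    if not isinstance(client_data, dict):
        return False, "malformed clientDataJSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    sent_challenge = b64url_decode(client_data.get("challenge", ""))
    if not hmac.compare_digest(sent_challenge, expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    return True, "ok"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (the usual authenticator-app default)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def verify_totp(secret: bytes, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side TOTP check. Note what is absent: nothing records where the
    user typed the code, so a code relayed from a phishing page verifies fine."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + k * 30), code)
        for k in range(-skew_steps, skew_steps + 1)
    )


def phishing_comparison(challenge: bytes, totp_secret: bytes, now: int) -> dict:
    """Same user, same moment, both second factors relayed by a phishing page."""
    phish_origin = "https://sso-example.com.evil.test"  # constructed attacker domain
    # TOTP: the user reads the code from their app and types it into the
    # phishing page; the attacker forwards it to the real server seconds later.
    relayed_code = totp(totp_secret, now)
    totp_accepted = verify_totp(totp_secret, relayed_code, now + 5)
    # FIDO2: the attacker forwards the real server's challenge to the phishing
    # page, but the browser stamps the phishing page's origin into clientDataJSON.
    relayed_assertion = make_client_data(challenge, phish_origin)
    fido_accepted, reason = verify_client_data(relayed_assertion, challenge, RP_ORIGIN)
    # Honest login from the real site, for contrast.
    honest_ok, _ = verify_client_data(make_client_data(challenge, RP_ORIGIN),
                                      challenge, RP_ORIGIN)
    return {
        "totp_relay_accepted": totp_accepted,
        "fido2_relay_accepted": fido_accepted,
        "fido2_reject_reason": reason,
        "fido2_honest_accepted": honest_ok,
    }


if __name__ == "__main__":
    print(phishing_comparison(b"\x42" * 32, b"12345678901234567890", 1_700_000_000))
```

In a real browser the phishing page would not even get this far: credentials are scoped to the relying party ID, so the browser refuses to exercise the real site's credential from another domain. The server-side origin check modelled here is the second, independent line of defence, and the one a relying party controls; the TOTP verifier has no equivalent hook, which is why a TOTP deployment stays exposed to relayed codes however carefully it is operated.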

BibTeX
@inproceedings {308911,
author = {Leona Lassak and Nicklas Lindemann and Marvin Kowalewski},
title = {From {TOTPs} to Security Keys: Studying the Reality of Passwordless {FIDO2} Authentication With {PIN} and Biometrics in a Corporate Environment},
booktitle = {Twenty-First Symposium on Usable Privacy and Security (SOUPS 2025)},
year = {2025},
isbn = {978-1-939133-51-9},
address = {Seattle, WA},
pages = {371--389},
url = {https://www.usenix.org/conference/soups2025/presentation/lassak},
publisher = {USENIX Association},
month = aug
}