The Enterprise Guide to Passwordless Authentication in India — Microsoft, Okta & Fortinet Compared
Stolen credentials remain the most common way into an enterprise. The Verizon 2025 Data Breach Investigations Report found that credential abuse was the initial access vector in 22% of breaches, that 88% of basic web application attacks involved stolen credentials, and that 54% of ransomware victims had credentials for their domain exposed in infostealer logs. The password is not just a weak control; it is the primary target.
The alternative is here. Passwordless authentication, built on the FIDO2/WebAuthn standard and delivered as passkeys, replaces shared secrets with public-key cryptography: there is no password to phish, no credential to stuff, and no one-time code to relay through an adversary-in-the-middle proxy. (What remains is the session token issued after sign-in, which endpoint malware can still steal, so a passwordless rollout belongs alongside device-health checks and token protection.) This guide covers the three leading enterprise passwordless platforms, Microsoft Entra ID, Okta, and Fortinet FortiAuthenticator, with verified architecture details, adoption statistics, and deployment guidance for Indian enterprises.
See Passkeys in Action
This official Microsoft Mechanics video demonstrates how synced passkeys work in Microsoft Entra ID for phishing-resistant MFA — from registration to daily sign-in.
How Passwordless Authentication Works
All modern passwordless systems are built on the FIDO2 standard, which combines two specifications: WebAuthn, the W3C API between the web application (the relying party) and the browser or platform, and CTAP, the Client to Authenticator Protocol, which the client platform uses to talk to an external authenticator such as a USB or NFC security key (a built-in platform authenticator backed by a TPM or Secure Enclave is reached through the operating system instead). The core mechanism is asymmetric public-key cryptography:
- Registration: The authenticator generates a fresh public/private key pair scoped to the relying party ID (for Entra ID, login.microsoft.com). The private key never leaves the authenticator (TPM, Secure Enclave, or security key); the public key and a credential ID are sent to the identity provider (Entra ID, Okta, FortiAuthenticator).
- Authentication: The server sends a random challenge (nonce). The browser wraps it, together with the origin it is actually running on, into the client data. The user unlocks the private key with a biometric (fingerprint, face) or device PIN, and the authenticator signs the client data hash together with a hash of the relying party ID, a flags byte recording that the user was present and verified, and a signature counter.
- Verification: The server checks that the challenge is the one it issued, that the origin is its own, that the relying party ID hash matches, and that the signature verifies under the stored public key. Only then is access granted. No password, no OTP, no shared secret ever crosses the network.
Why this is phishing-resistant: The credential is bound to the relying party ID (the domain) it was registered for, and the browser puts the real page origin into the signed data. On a phishing site at login-m1crosoft.com the browser finds no credential for that domain and never invokes the authenticator; even a challenge relayed through a proxy would carry the wrong origin and be rejected by login.microsoft.com. The attack fails without the user having to spot anything, so no training is required.
Passkeys: Device-Bound vs Synced
The FIDO Alliance introduced passkeys as the user-friendly term for FIDO2 discoverable credentials. There are two types:
- Device-bound passkeys — the private key stays on a single authenticator (a FIDO2 security key such as a YubiKey or FortiToken 410, or Windows Hello for Business on that PC). Highest assurance; cannot be synced or exported. Hardware-bound credentials are what high-assurance regimes such as NIST SP 800-63B AAL3 call for.
- Synced passkeys — the private key is end-to-end encrypted and synced across the user's devices through a passkey provider (Apple iCloud Keychain, Google Password Manager, or a third-party password manager). More convenient and still phishing-resistant, but the assurance level rests on the provider's account security and device enrolment. Microsoft reports a 99% successful registration rate for synced passkeys. Suitable for the general workforce.
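As an added illustration of the registration, authentication and verification steps above and of the device-bound versus synced distinction, the Go program below plays both the authenticator and the relying party. It is example code written for this guide, not Microsoft, Okta or Fortinet code, and it deliberately skips CBOR encoding, attestation and credential-ID lookup. It generates a P-256 key pair for the RP ID login.microsoft.com, signs a challenge, and verifies the result under four constructed conditions; the function names (Authenticate, Verify, Scenarios), the sample challenge string and the scenario names are assumptions of this example, while the flag-bit values and the signed-data layout come from the WebAuthn specification. It goes a little beyond the text in two ways a practitioner will want: it checks the signature counter (a cloned-authenticator signal; synced passkeys report 0 and are exempt) and it reads the backup-eligible (BE) flag so that a privileged-account policy can refuse synced passkeys. The same challenge-signature pattern is what Okta FastPass uses, with the Okta org URL as the bound origin.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// Flag bits of the authenticatorData flags byte (WebAuthn spec 6.1): UP = user present, UV = user
// verified by biometric or PIN, BE = backup eligible, i.e. a synced passkey (0x10, BS, = backed up now).
const FlagUP, FlagUV, FlagBE byte = 0x01, 0x04, 0x08

// Credential is what the relying party stores at registration.
type Credential struct {
	Pub       *ecdsa.PublicKey
	RPID      string
	SignCount uint32 // last signature counter accepted
}
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte } // navigator.credentials.get() result, minus CBOR/attestation
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url, treated as opaque here
	Origin    string `json:"origin"`    // filled in by the browser: the page that called WebAuthn
}

// signedDigest is what the authenticator signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedDigest(ad, cdj []byte) []byte {
	cdh := sha256.Sum256(cdj)
	d := sha256.Sum256(append(append([]byte{}, ad...), cdh[:]...))
	return d[:]
}

// Authenticate simulates browser plus authenticator producing one assertion. authenticatorData is
// SHA-256(rpId) || flags || signCount (big-endian). It panics only if signing itself fails.
func Authenticate(priv *ecdsa.PrivateKey, rpID, browserOrigin, challenge string, flags byte, count uint32) Assertion {
	cdj, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	h := sha256.Sum256([]byte(rpID))
	ad := binary.BigEndian.AppendUint32(append(h[:], flags), count)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(ad, cdj))
	if err != nil {
		panic(err)
	}
	return Assertion{AuthData: ad, ClientDataJSON: cdj, Signature: sig}
}

// Verify is the relying party's check; nil means accepted. requireDeviceBound rejects synced passkeys (BE set).
func Verify(cred *Credential, a Assertion, wantChallenge, wantOrigin string, requireDeviceBound bool) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil || len(a.AuthData) < 37 {
		return fmt.Errorf("malformed assertion")
	}
	rpHash := sha256.Sum256([]byte(cred.RPID))
	flags, count := a.AuthData[32], binary.BigEndian.Uint32(a.AuthData[33:37])
	switch {
	case cd.Challenge != wantChallenge:
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	case cd.Origin != wantOrigin:
		return fmt.Errorf("origin %q is not ours: phishing page or relay proxy", cd.Origin)
	case string(a.AuthData[:32]) != string(rpHash[:]):
		return fmt.Errorf("rpIdHash mismatch: credential belongs to another site")
	case flags&FlagUP == 0 || flags&FlagUV == 0:
		return fmt.Errorf("user presence or verification not asserted")
	case requireDeviceBound && flags&FlagBE != 0:
		return fmt.Errorf("synced passkey rejected: policy requires device-bound")
	case count != 0 && count <= cred.SignCount: // synced passkeys report 0 and are exempt
		return fmt.Errorf("signature counter did not increase: possible cloned authenticator")
	case !ecdsa.VerifyASN1(cred.Pub, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature):
		return fmt.Errorf("invalid signature")
	}
	cred.SignCount = count
	return nil
}

// Scenarios registers one credential for login.microsoft.com and runs the ceremony under four
// constructed conditions. Only "legit" should come back nil.
func Scenarios() map[string]error {
	const rpID, origin, ch = "login.microsoft.com", "https://login.microsoft.com", "Y2hhbGxlbmdlLTE"
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // registration; crypto/rand does not fail on supported platforms
	cred, res := &Credential{Pub: &priv.PublicKey, RPID: rpID}, map[string]error{}
	run := func(name, browserOrigin string, flags byte, count uint32, deviceBound bool) {
		res[name] = Verify(cred, Authenticate(priv, rpID, browserOrigin, ch, flags, count), ch, origin, deviceBound)
	}
	run("legit", origin, FlagUP|FlagUV, 1, false)
	run("phishing-origin", "https://login-m1crosoft.com", FlagUP|FlagUV, 2, false) // worst case: relayed to the real IdP
	run("replayed-counter", origin, FlagUP|FlagUV, 1, false)
	run("synced-for-admin", origin, FlagUP|FlagUV|FlagBE, 3, true)
	return res
}

func main() {
	for n, err := range Scenarios() {
		fmt.Println(n, "->", err)
	}
}
```

Run it with `go run` and only the legit case prints `<nil>`. The phishing case is deliberately the strongest form of the attack, where the signed data somehow reaches the real identity provider: it still fails, because the browser recorded the phishing origin in the signed client data. In a real deployment the "requires device-bound" decision is taken by the IdP policy (an Entra Conditional Access authentication strength, for example), not by the relying-party code as here.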
Platform 1: Microsoft Entra ID
Best for: Organisations already on Microsoft 365 E3/E5. Native integration with Windows Hello for Business, Entra Conditional Access, and Microsoft Defender XDR. Passkey and FIDO2 sign-in is available in every Entra ID edition; the Conditional Access authentication-strength policies that enforce it require Entra ID P1, which Microsoft 365 E3/E5 already includes.
Passwordless Methods
- Windows Hello for Business — biometric (face/fingerprint) or PIN, tied to the Windows device TPM
- Microsoft Authenticator — device-bound passkey using mobile biometrics
- FIDO2 security keys — hardware tokens (USB/NFC/BLE) from vendors like YubiKey, Feitian
- Synced passkeys — via Apple, Google, or third-party passkey providers (GA March 2026)
Key Stats (from Microsoft)
- Nearly 1 million passkeys registered per day after making passkeys default for new accounts (May 2025)
- Passkey sign-in is 8x faster than password + MFA
- Users are 3x more successful signing in with passkeys (98% vs 32% with passwords)
- Passkeys are 14x faster than password + traditional MFA (3 seconds vs 69 seconds)
- 97% reduction in account takeover with biometrics + behavioral analysis
- 92% of Microsoft employees on phishing-resistant auth (Secure Future Initiative)
Sources: Microsoft Security Blog (May 2025), Microsoft Learn
Conditional Access Integration
Entra ID ships three built-in authentication strengths for Conditional Access policies: Multifactor authentication, Passwordless MFA, and Phishing-resistant MFA (satisfied only by Windows Hello for Business, FIDO2 security keys and passkeys, or certificate-based authentication). A typical deployment requires phishing-resistant MFA in a policy scoped to privileged directory roles while general users get passwordless MFA. Which users may register device-bound or synced passkeys is controlled separately, through group-targeted passkey profiles in the authentication methods policy.
Timeline
- May 2025: Passkeys made the default sign-in option for new consumer Microsoft accounts
- March 2026: Passkey profiles + synced passkey support GA in Entra ID
- April 2026: Auto-enablement for tenants that haven't opted in
Platform 2: Okta
Best for: Multi-cloud, multi-vendor environments where the IdP must be vendor-neutral. Okta integrates with every major SaaS and on-prem application via 7,000+ pre-built integrations. FastPass is the flagship passwordless authenticator.
Passwordless Methods
- Okta FastPass — device-bound, phishing-resistant passwordless via the Okta Verify app. Uses TPM-backed key pairs, cryptographically bound to the Okta org. Supports Windows Hello, Touch ID, Face ID.
- FIDO2/WebAuthn (Passkeys) — hardware security keys and platform authenticators
- Email magic links — tokenised URL sent via email, one-click authentication. Passwordless, but not phishing-resistant: the link can be relayed through an adversary-in-the-middle proxy.
- Push notifications — one-tap approval via Okta Verify with optional number matching. Number matching stops push-bombing, but push remains susceptible to real-time relay, so it should not be allowed to satisfy a phishing-resistant policy.
How FastPass Works
During enrollment, Okta Verify generates a public/private key pair on the device. The private key is stored in the TPM; the public key is sent to Okta's cloud. At authentication, Okta sends a nonce, FastPass signs it with the device-bound private key, and Okta validates the signature. The credential is org-bound — it cannot be used on a phishing site impersonating a different Okta org.
Key Stats (from Okta Reports)
- Phishing-resistant passwordless adoption grew 63% year-over-year (Secure Sign-in Trends 2025)
- FastPass adoption nearly doubled: 6.7% to 13.3% of all authentications
- 7% of all workforce users used no password for any sign-in in January 2025
- FastPass YoY growth: 69% among Fortune 500, 52% overall (Businesses at Work 2025)
- Okta saved 7,700 person-hours/year going 100% passwordless internally
- Intermex: 70% reduction in password help desk tickets, $175K/year savings
- Targeted orgs jumped from 23% to 95% phishing-resistant enrollment once actively attacked
Sources: Okta Secure Sign-in Trends 2025, Businesses at Work 2025, Okta FastPass
Platform 3: Fortinet FortiAuthenticator
Best for: Organisations with existing Fortinet infrastructure (FortiGate, FortiClient, FortiSASE). Native integration with FortiGate ZTNA for passwordless application access without VPN tunnels. On-premises or cloud (FortiAuthenticator Cloud).
Passwordless Methods
- FortiToken 410 — USB FIDO2 hardware security key supporting FIDO U2F and FIDO2 protocols. AES-256, ECDSA P-256 cryptography. Passwordless login for VPN, FortiGate admin, web applications, and ZTNA.
- FortiToken Mobile push — one-tap approval via the FortiToken Mobile app with Accept/Deny. FortiAuthenticator sends RADIUS Access-Accept on approval. Convenient for VPN and network-device logins, but push approval is not phishing-resistant; reserve the FIDO2 and certificate options for accounts that need that property.
- Certificate-based authentication (PKI) — FortiAuthenticator as Certificate Authority. X.509 client certificates for SSL VPN and admin access. No username or password required.
- FIDO2 via SAML — FortiAuthenticator as SAML IdP with native FIDO2 service. Supports both SP-initiated and IdP-initiated flows.
FortiGate ZTNA + Passwordless Flow
The Fortinet passwordless stack integrates four components for Zero Trust access:
- FortiToken 410 or FortiToken Mobile authenticates the user
- FortiAuthenticator validates the FIDO2 assertion or push approval (SAML or RADIUS)
- FortiClient EMS performs device posture checks and issues Zero Trust tags
- FortiGate ZTNA proxy grants per-application access based on identity + device posture — no VPN tunnel needed
The SAML flow: FortiGate (SP) redirects to FortiAuthenticator (IdP) → FortiAuthenticator presents FIDO2 challenge → user taps FortiToken 410 → FortiAuthenticator validates cryptographic assertion → SAML response grants access. No password involved at any step.
FortiAuthenticator Cloud (formerly FortiTrust Identity)
For organisations that prefer IDaaS over on-premises infrastructure, Fortinet offers FortiAuthenticator Cloud with user-based licensing. Same capabilities: FIDO2, MFA, adaptive authentication, OIDC, SAML, OAuth2, and certificate management — delivered as a cloud service with native Security Fabric integration.
Sources: FortiAuthenticator 8.0 Admin Guide, FIDO2 for Agentless VPN, FortiGate ZTNA
Head-to-Head Comparison
| Capability | Microsoft Entra ID | Okta | Fortinet FortiAuthenticator |
|---|---|---|---|
| FIDO2 / Passkeys | Yes (synced + device-bound) | Yes (device-bound via FastPass + FIDO2 keys) | Yes (FortiToken 410 + SAML FIDO2 service) |
| Biometric Auth | Windows Hello (face/fingerprint) | Via device biometrics (Touch ID, Face ID) | Via device biometrics + FortiToken Mobile |
| Certificate-Based (PKI) | Yes (Entra Certificate-Based Auth) | Via third-party CA integration | Yes (built-in CA, X.509 PKI) |
| Push Notification | Microsoft Authenticator | Okta Verify Push | FortiToken Mobile Push |
| ZTNA Integration | Entra Private Access (Global Secure Access) | Via third-party ZTNA | Native FortiGate ZTNA (no VPN) |
| Deployment Model | Cloud only (Entra ID) | Cloud only (Okta tenant) | On-prem, VM, or Cloud (IDaaS) |
| Protocols | SAML, OIDC, WS-Fed, SCIM | SAML, OIDC, WS-Fed, SCIM | SAML, OIDC, RADIUS, TACACS+, LDAP |
| On-Prem RADIUS/TACACS+ | Via NPS extension (RADIUS only; push/OTP MFA, not FIDO2) | Via Okta RADIUS Agent (push/OTP, not FastPass) | Native (built-in RADIUS + TACACS+) |
| Hardware Key | Any FIDO2 Certified key | Any FIDO2 Certified key | FortiToken 410 (FIDO2) + third-party |
| Licensing | Passkeys in all editions; Conditional Access needs Entra ID P1 (included in M365 E3+) | Workforce Identity Cloud (per-user) | FortiAuthenticator appliance/VM + FortiToken licenses |
| Best Fit | Microsoft-centric enterprises | Multi-vendor, cloud-first | Fortinet Security Fabric environments |
Why Indian Enterprises Should Act Now
India faces a specific set of pressures that make passwordless adoption urgent:
- CERT-In 6-hour reporting mandate — covered incidents, including credential compromise, must be reported to CERT-In within 6 hours of detection. Removing passwords removes the most common credential theft vector.
- RBI Cybersecurity Framework — requires multi-factor authentication for critical systems. Phishing-resistant MFA (FIDO2) exceeds the requirement.
- DPDPA 2023 — data protection law with penalties up to ₹250 crore. Passwordless reduces the risk of breaches caused by stolen credentials.
- SEBI CSCRF — mandates cybersecurity controls for regulated entities. Passkeys satisfy the authentication requirements.
- Phishing epidemic — India is among the top 3 targets for phishing attacks globally. Passkeys make phishing of the credential itself technically impossible for covered accounts; the exposure that remains is in fallback sign-in methods, account recovery flows, and stolen post-login session tokens, which must be locked down alongside the rollout.
Deployment Recommendation by Environment
Microsoft-Centric
If your org runs M365 E3/E5, Windows endpoints, and Entra ID, enable passkey profiles in Entra ID. Windows Hello for Business or FIDO2 keys for privileged users, synced passkeys for the general workforce. No additional licensing beyond the Entra ID P1 already in M365 E3/E5.
Multi-Vendor / Cloud-First
If your IdP must integrate with 50+ SaaS apps across vendors — Okta with FastPass. FastPass for desktops, FIDO2 keys for shared workstations, push for mobile. 7,000+ integrations out of the box.
Fortinet Security Fabric
If you run FortiGate firewalls and want passwordless VPN + ZTNA, choose FortiAuthenticator with FortiToken 410. Native RADIUS/TACACS+ for network-device logins (those protocols carry push or OTP rather than FIDO2 assertions, so CLI access to switches and routers will still use FortiToken Mobile). On-prem option for data sovereignty.
How Ogma Can Help
Ogma deploys passwordless authentication across all three platforms. We are an authorised Fortinet partner, Microsoft CSP, and work with Okta for multi-vendor environments. Our approach:
- Assessment — audit your current authentication landscape, identify high-risk accounts, map compliance requirements (RBI, SEBI, CERT-In, DPDPA)
- Architecture design — recommend the right platform based on your existing stack, not vendor preference
- Deployment — configure FIDO2, passkeys, or certificate-based auth across your IdP, firewalls, and applications
- Managed operations — ongoing token lifecycle management, policy tuning, and 24/7 support
Contact Ogma for a free passwordless readiness assessment.