Skip to content
Enterprise
🇩🇪 Deutsch 🇬🇧 English 🇫🇷 Français
Start your 90-day trial
Datargo OneEnterprise Single-pane-of-glass cockpit for enterprises. All modules from one source. Learn more
Flagships
Datargo Monitor Availability and security posture. Datargo CRM Support hub for every brand.
Operations & commerce
Datargo ID SSO and MFA for the whole suite. Datargo ERP GoBD-compliant commercial core.
Trust & crypto
NextPKINew Certificate lifecycle, 47-day ready.
Bundle of the month
Reliability Bundle

Datargo Monitor + NextPKI as a single billed package. NIS2 evidence and certificate lifecycle from one cockpit.

Learn more
By outcome
Reliability & security NIS2 evidence from monitoring + incident. Customer service hub Live chat, tickets, multi-brand. Identity & SSO One identity for all modules.
By compliance
NIS2-Evidence Evidence at the press of a button. DORA resilience Financial sector, register of information. ISO 27001 & GoBD Annex A controls and e-invoicing.
By size
Solo & indie team Productive in 5 minutes. Mid-market SSO, audit trail, multi-brand. Enterprise & public sector Hundreds of seats, region pinning.
Sovereignty Kit
NIS2 evidence package

Ready-made Datargo Monitor and Datargo CRM controls, mapped against NIS2 obligations. Start straight into the pilot.

Read the NIS2 whitepaper
Learn
Documentation Module guides, API reference, quick start. Best-practice guides NIS2 setup, multi-brand Datargo CRM, SSO rollout. Blog Release notes, compliance news, roadmap.
Trust
Trust Center Hosting, certificates, sub-processors. Status-Page Live availability of all Datargo modules. Legal & privacy DPA, sub-processor list.
Customers
Customer stories Case studies from finance, public, tech. Partner program System integrators, implementers, MSPs. Events & webinars it-sa, EIC, NIS2 roadshows.
From the cockpit
47-day TLS from 2029

NextPKI is already prepared for the new CA/B Forum reality. Whitepaper and migration guide available now.

Read the whitepaper
Platform Datargo Monitor Datargo CRM Datargo ID Datargo ERP NextPKI
Datargo One Pricing Compliance
Language
🇩🇪 Deutsch 🇬🇧 English 🇫🇷 Français
Start your 90-day trial Book a call
Skip to content
Digital Identity

Passkeys in the Enterprise: Phishing-Resistant Sign-In Beyond Passwords and OTPs

23.06.2026 · 2 min read

A password plus an SMS or TOTP code remains phishable. Why FIDO2 passkeys solve the origin problem, what a risk-based rollout looks like, and which questions around recovery and device loss stay open.

Phishing remains the most reliable way into corporate networks, and most second factors do little to change that. A password plus an SMS code, TOTP app or push approval counts as multi-factor authentication, yet at its core it is attackable: lure the user onto a fake page and the second factor can be captured in real time too. FIDO2 passkeys address exactly this point.

Why classic MFA stays phishable

The problem is not the number of factors but their transferability. A one-time code is a shared secret: it works wherever it is entered, including on the phishing page. What is missing is a binding to the genuine counterparty. That binding is precisely what WebAuthn, the standard behind passkeys, provides.

What passkeys do differently

A passkey is a cryptographic key pair. The private key never leaves the device, and signing only happens against the domain for which the passkey was registered. This origin binding renders the classic phishing redirect useless: a fake domain simply receives no valid signature. There is no secret that could be entered on the wrong site. Germany’s BSI has published a formal threat model for this, and Technical Guideline BSI TR-03188 sets out requirements for operating a passkey server.

Synced, device-bound or hardware key

Not every passkey is the same. A sound rollout grades the variant by protection need:

  • Hardware security keys: for privileged access and administration, where the highest assurance matters.
  • Device-bound passkeys: on managed corporate devices, tied to the hardware and not syncable.
  • Synced passkeys: for the broader workforce, convenient across several devices, with a slightly lower hardening level.

This grading matches the expectation that regulators and auditors increasingly voice: for sensitive administrative access, phishing-resistant authentication is treated more and more as a requirement, not a recommendation.

The open questions

The hard part is not the sign-in but the edge cases. What happens when a device is lost? What does a recovery path look like that does not itself become a phishable back door? And how do you handle legacy systems that do not yet speak WebAuthn? A well-considered rollout answers these questions in advance instead of improvising them during an incident. As the connective layer of the platform, Datargo ID anchors single sign-on and MFA in one place, which bundles these questions rather than scattering them across each application.

The decisive shift is this: away from a secret you can know and therefore give away, toward a key that stays bound to device and counterparty.

Back to the blog

Datargo Datargo

The European Business Operations Platform. Monitoring, customer service, identity, accounting, and certificates in one sovereign suite. Auditable by design. Made in Germany.

EU hosting, Frankfurt GDPR-native Made in Germany
Platform
  • Datargo One
  • Datargo Monitor
  • Datargo CRM
  • Datargo ID
  • Datargo ERP
  • NextPKI
Solutions
  • Reliability & Posture
  • Customer service hub
  • Identity & SSO
  • Commerce & GoBD
  • Scaling
Compliance
  • NIS2 evidence
  • DORA resilience
  • ISO 27001 mapping
  • GoBD & e-invoicing
  • Sovereignty
Industries
  • Financial services
  • Public sector
  • Health & pharma
  • Industry & TISAX
  • SaaS & tech
Resources
  • Trust Center
  • Documentation
  • Status page
  • Customer stories
  • Partner program
  • Blog
Company
  • Datargo One for enterprises
  • Start your 90-day trial
  • Book a call
  • Contact
  • Careers
© 2026 Datargo GmbH. All rights reserved.
Imprint Privacy Terms DPA SLA Sub-processorsDORA / NIS2
Germany · English

Datargo® and Databurg® are registered trademarks of Datargo GmbH. All other product names, logos, and trademarks mentioned are the property of their respective owners.

Cookies & optional features. Datargo uses technically necessary cookies. Optionally we enable comfort features such as our live-chat support, an in-house Datargo service that processes personal data in the process. You can accept everything or keep only the necessary cookies.

More in the privacy policy