Deploying Admin-Enrolled Passkeys With Enterprise Password Managers

August 1, 2025 By Rublon Authors

This guide describes how to combine Rublon’s admin‑enrolled FIDO authenticator capability with passkeys generated using modern enterprise-grade password managers (e.g., 1Password, Dashlane, Bitwarden, NordPass). The workflow is similar across all password managers.

  • If you are looking for instructions on how admins can enroll user security keys/passkeys, refer to Rublon Admin Console – How to add user FIDO authenticator.
  • If you are looking for instructions on how users can self-enroll their FIDO authenticators, refer to How to add a WebAuthn/U2F Security Key? and How to enroll a FIDO2 Passkey for MFA?.

Why Use Password‑Manager Passkeys?

  • Cost Efficiency: No bulk purchase of hardware tokens; many password managers bundle passkey sync in standard plans.
  • Built-in Security: No need for external devices that can be easily lost or left at home.
  • Fast Recovery: Lost device? Passkeys become available again when the user installs the password manager on another device and signs back in.
  • User Convenience: Automatic prompts from browser extensions shorten the sign-in time.
  • Phishing Resistance: WebAuthn origin‑binding thwarts credential phishing attacks.

Security Considerations

  • Syncable Passkey Security Level: Admin-enrolled syncable passkeys stored in a password manager do not meet the hardware-based and non-exportable requirements for NIST Special Publication 800-63B’s Authenticator Assurance Level 3 (NIST AAL3). They only satisfy the multi-factor and (optional) phishing-resistant criteria for NIST AAL2. For this reason, organizations from critical sectors where NIST AAL3 is required should enroll hardware FIDO keys (NIST AAL3) instead. Physical FIDO authenticators are also recommended for the most sensitive accounts in other sectors.
  • Protection of Syncable Passkeys: Under NIST SP 800-63B § 5.1.8.1 and the April 2024 SP 800-63B Supplement 1, every authentication with a software passkey must include a local user-verification event (PIN or biometric), and the resulting WebAuthn assertion must carry the “UV = true” flag. Unlocking a password-manager vault with a fingerprint or PIN satisfies that requirement only while the vault’s auto-lock is kept to a short interval and the authenticator continues to assert “UV = true”; otherwise, a second prompt (or a hardware key) is required to stay at AAL2 or higher. For more information, refer to the documentation of the specific password manager you are using.
  • Least-Privilege Admins: Provision passkeys from accounts that do not store other important credentials.
  • Move Instead of Copy: Instruct users to move (and not just copy) passkeys to their private space to ensure the admin can no longer access the passkey.
  • Audit Trails: Rublon logs key creation and deletion in Audit Logs; most enterprise-grade password managers log item moves and deletions as well. Regularly export both during audits.
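
The “UV = true” requirement and the syncable-versus-hardware distinction above are both visible in the flags byte of the WebAuthn authenticator data. The following is an added example, not Rublon's code, showing how a relying party could read those flags; the function names and the requireDeviceBound option are assumptions made for illustration, and the sample bytes are constructed.

```javascript
// Added example: flag checks on WebAuthn authenticator data.
// Fixed header: bytes 0-31 rpIdHash, byte 32 flags, bytes 33-36 signCount (big-endian).
const FLAG = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10 };

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticatorData must be a Uint8Array of at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHashHex: Array.from(bytes.subarray(0, 32), (b) => b.toString(16).padStart(2, "0")).join(""),
    userPresent: (flags & FLAG.UP) !== 0,
    userVerified: (flags & FLAG.UV) !== 0,
    backupEligible: (flags & FLAG.BE) !== 0, // multi-device (syncable) credential
    backedUp: (flags & FLAG.BS) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Hypothetical policy hook: requireDeviceBound is an assumed option for accounts
// where syncable passkeys are not permitted. Run only after the assertion
// signature, challenge, origin and rpIdHash have been verified.
function evaluateAssertionFlags(bytes, { requireDeviceBound = false } = {}) {
  const d = parseAuthenticatorData(bytes);
  const reasons = [];
  if (!d.userPresent) reasons.push("UP not set");
  if (!d.userVerified) reasons.push("UV not set: require a second prompt or a hardware key");
  if (d.backedUp && !d.backupEligible) reasons.push("BS set without BE: malformed flags");
  if (requireDeviceBound && d.backupEligible) reasons.push("syncable credential not permitted here");
  return { accept: reasons.length === 0, syncable: d.backupEligible, reasons };
}

// Constructed sample input: placeholder rpIdHash (0xAB repeated), chosen flags, signCount 7.
function sampleAuthData(flags) {
  const bytes = new Uint8Array(37);
  bytes.fill(0xab, 0, 32);
  bytes[32] = flags;
  bytes[36] = 7;
  return bytes;
}

const vaultPasskey = evaluateAssertionFlags(sampleAuthData(0x1d)); // UP|UV|BE|BS
const noVerification = evaluateAssertionFlags(sampleAuthData(0x19)); // UP|BE|BS, UV missing
const sensitiveAccount = evaluateAssertionFlags(sampleAuthData(0x1d), { requireDeviceBound: true });
console.log(vaultPasskey, noVerification, sensitiveAccount);
```

A clear BE flag indicates a single-device credential; on its own it does not prove the key lives in hardware, which is what attestation is for.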

Prerequisites

  • An administrator role with permission to manage users & security keys.
  • An enterprise or team subscription to one of the business-compatible password managers that offers a shared space between admins and users, like shared vaults or collections. (The following list is illustrative. Feature parity and compatibility can vary; verify with your vendor and test in your environment.)
    • 1Password Business / Enterprise
    • Dashlane Business
    • Bitwarden Teams / Enterprise
    • NordPass Business
    • Keeper Business
    • Sésame Password Manager
    • Enpass Business
    • Proton Pass Enterprise
    • KeePassXC (with sync solution)
    • Zoho Vault Enterprise
    • LastPass Business
    • Devolutions Password Hub Business
    • LogMeOnce Enterprise
    • Kaspersky Password Manager (Business)
    • pwSafe for Teams
    • Microsoft Password Manager (Edge Sync)
  • Browser with WebAuthn and passkey support (Chrome ≥ 109, Edge ≥ 109, Safari ≥ 16.4, Firefox ≥ 122).
  • Your company policy must permit centrally provisioned FIDO authenticators.

Note

Some password-manager environments — including Google Password Manager, iCloud Keychain, Samsung Pass, and the built-in Chrome Passkey Prompt — do not provide any admin-controlled space shared with the user.

When a passkey must be pre-enrolled under these conditions, the administrator should register the credential directly on a company-managed device that is already signed in with the employee’s account (for example, the user’s corporate iPhone, Android handset, or Chrome profile).

After enrollment is complete, hand the device (or browser profile) to the employee, the same way you would pre-provision a hardware FIDO security key.

Step‑by‑Step Guide

The procedure is similar across modern password managers: create a temporary shared space, add the passkey in the Rublon Admin Console, place it in that shared space, and have the user move the passkey to their private space.

Step 1: Install the Password Manager’s Browser Extension

  1. Install your password manager’s dedicated browser extension.
  2. Sign in to the password manager with an account that has admin privileges and can manage the organization.

Step 2: Create a Temporary Shared Space

In the password manager:

  1. Create a vault/folder/collection (the name may vary depending on the manager) that is shared only between you and the target user. You will save the passkey to this space after registering it in the Admin Console.

Step 3: Add a Passkey in the Rublon Admin Console

In the Rublon Admin Console:

  1. Go to the Users tab → Select the user → Navigate to the Security Keys section.
  2. Select Add Security Key, provide a name for this FIDO authenticator, and select Add.
  3. Complete the FIDO authenticator enrollment in the browser.
  4. If your password manager prompts for a save location, choose the shared space.

Step 4: Ask the User to Move the Passkey

  1. Send a brief instruction to the user, asking them to sign in to an application with that passkey. If the test succeeds, the user should move the new passkey from the shared space to their private space.
  2. After the user moves the passkey, it is no longer shared with you in the password manager, aligning with best practices from NIST and the FIDO Alliance. (Administrators can still deactivate this passkey by deleting it in the Rublon Admin Console.)

Frequently Asked Questions (FAQ)

What if a user leaves the company?

Delete the passkey in the Rublon Admin Console and deactivate their password manager account.

Is hardware FIDO authentication still more secure and recommended for sensitive accounts?

Yes. NIST AAL3 mandates a hardware authenticator with a non-exportable private key and built-in phishing resistance, so physical FIDO2 keys (or smart cards) remain the best choice for your highest-risk accounts. If your industry’s regulations require AAL3, you must use hardware authenticators because syncable passkeys satisfy only AAL2 and do not meet AAL3’s assurance and compliance requirements.

Can I bulk-enroll passkeys?

Bulk passkey provisioning is not technically feasible because each credential requires a unique WebAuthn ceremony.

Related Posts

Rublon Admin Console – How to add user FIDO authenticator

How to add a WebAuthn/U2F Security Key?

How to enroll a FIDO2 Passkey for MFA?
