Passkeys for Legacy Web Apps: Phishing-Resistant Logins Without Code Change
- Time: 18.02.2026, 11:30 to 11:45
- Exhibitor: Rublon
- Location: Best Practice Stage 2
Many organizations rely on mission-critical web applications that are difficult or risky to modernize. At the same time, pressure is rising to adopt phishing-resistant authentication, stronger access controls, and faster security rollouts. In this best-practices session, Michael Wendrowski explains how to secure legacy web applications with Passkeys (FIDO2) and multi-factor authentication without changing application source code and regardless of the web server or technology stack.
Using real-world scenarios, you will see how a security layer in front of the application can provide centrally managed MFA, reduce brute-force and credential-stuffing risk, verify user sessions with device fingerprinting, and enforce step-up protection through micro-authorizations for sensitive areas or actions. You will leave with practical guidance for introducing Passkeys, minimizing rollout friction, and achieving measurable security gains quickly in existing environments.
