Passkey Readiness Checklist

Passkey readiness checklist

Readiness score: 56/100 (Prepare first)
Account types: Email and recovery, Password manager, Banking and payments, Device ecosystem, Work and admin
Devices: Personal phone, Personal computer
Recovery methods: Recovery email, Backup codes
Shared-account needs: A few
Security risk: Elevated

Migration readiness checklist:
1. [Do first] Make a category-only account inventory - Group accounts by email, banking, work, device ecosystem, cloud, social, shopping, and old subscriptions. Do not paste account names, passwords, recovery keys, or backup codes into this tool.
2. [Do first] Create a spare sign-in path - Enroll a spare trusted device or hardware key before replacing a password on accounts that protect money, work, email, or devices.
3. [Prepare] Plan shared-account fallbacks - For family, partner, assistant, or team accounts, keep a controlled fallback until delegated access or separate seats are working.
4. [Prepare] Test passkey sign-in on phone and computer - Add a low-risk account first, then confirm sign-in works from both daily devices before moving the reset chain.
5. [Prepare] Coordinate work and admin accounts - Check managed-device rules, admin recovery, and help-desk process before enabling passkeys on privileged work accounts.
6. [Prepare] Convert in waves, not all at once - Start with one or two accounts, verify recovery, then move through the priority list. Keep old credentials in a password manager until recovery has been tested.
7. [Maintain] Review recovery twice a year - Phones, jobs, partners, teams, and devices change. Recheck enrolled passkeys, spare devices, recovery email, and backup locations on a schedule.

Accounts to convert first:
1. [Convert first] Email and recovery - Create passkeys only after recovery email and backup access work. Reason: Email usually resets every other account.
2. [Convert first] Password manager - Add passkeys plus a documented emergency vault recovery path. Reason: The vault is the bridge while passwords and passkeys overlap.
3. [Convert first] Banking and payments - Convert one institution at a time and verify fallback sign-in. Reason: Financial accounts are high value and painful to recover.
4. [Next wave] Work and admin - Check policy, device management, and admin recovery before rollout. Reason: Work accounts may need team policy or help-desk recovery.
5. [Next wave] Device ecosystem - Enroll passkeys on daily and spare devices before removing options. Reason: Device accounts anchor passkey sync and device recovery.

Backup and recovery tasks:
1. Document the recovery chain: primary email, recovery email, device account, password manager, and any account that can reset the others.
2. Enroll at least one spare device or hardware key before removing password fallback on critical accounts.
3. Keep an offline recovery map that names storage locations and owners without exposing secrets.
4. For shared accounts, assign an owner, a backup owner, and a delegated-access plan before passkeys are the main sign-in method.
5. After each passkey is added, sign out and test sign-in plus recovery from the intended device path.
6. Only remove old weak recovery methods after the new passkey and backup path have both been tested.

Do not put real passwords, account names, passkeys, private keys, recovery keys, backup codes, security answers, or identity numbers in this exported plan unless you store it inside a private vault.
Generated locally by https://passlock.to/tools/passkey-readiness-checklist