TOTP to Passkey Migration
A practical playbook for reducing OTP dependence without breaking account access.
Last updated: March 19, 2026
Author: Perry Lei
Reviewed: March 21, 2026 by TOTPBOX Security Review
Migrate in phases. Do not remove TOTP immediately after enabling a Passkey until you have tested recovery and secondary device access.
1. Prioritize accounts by risk
Build a migration queue and work through it in order, starting with the accounts whose compromise would have the largest blast radius.
- Primary email and identity providers
- Developer infrastructure and cloud consoles
- Finance and payment systems
- Internal admin portals and SSO control planes
2. Check Passkey readiness
For each account, verify that the service supports Passkeys, then check whether your policy permits device-bound credentials, synced credentials, or both for that account.
3. Register Passkeys safely
Enrollment controls
- Register at least two authenticators when possible
- Store backup/recovery material in a secure workflow
- Document which device or platform holds each credential
Validation
- Test sign-in with Passkey
- Test fallback login path
- Confirm account recovery still works
4. De-risk TOTP fallback
Keep TOTP only while operationally necessary. Once Passkeys are stable, rotate or retire obsolete fallback configurations.
5. Operational checklist
- No single-device dependency for critical accounts
- Recovery process tested quarterly
- Legacy TOTP disabled where Passkeys are fully adopted
- Account owners and admins have explicit ownership records
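As an added worked example (not part of this playbook and not TOTPBOX tooling), the following Python script applies the ordering from step 1 and the enrollment and checklist conditions from steps 3 and 5 to an account inventory, and reports for each account whether TOTP may be retired or which condition still blocks it. The inventory field names, the 92-day window used for "tested quarterly", the reference date and every sample account are constructed assumptions; a real run would load the inventory from your identity provider or asset register.

```python
"""Gate TOTP retirement on the conditions in this playbook.

Added example, not TOTPBOX tooling. The inventory field names, the 92-day
"quarter" window and every account below are constructed assumptions; a real
run would read the inventory from your IdP or asset register.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Step 1: risk tiers in the playbook's order (lower number migrates first).
RISK_TIER = {
    "identity": 0,        # primary email and identity providers
    "infrastructure": 1,  # developer infrastructure and cloud consoles
    "finance": 2,         # finance and payment systems
    "admin": 3,           # internal admin portals and SSO control planes
}
QUARTER = timedelta(days=92)  # assumption for "recovery process tested quarterly"
TODAY = date(2026, 3, 21)     # constructed reference date so the run is deterministic


@dataclass
class Account:
    name: str
    category: str
    owner: str | None
    passkey_supported: bool
    # One entry per registered Passkey, naming the device or platform that holds it
    # (the "document which device holds each credential" control in step 3).
    passkey_devices: list[str] = field(default_factory=list)
    recovery_last_tested: date | None = None
    totp_enabled: bool = True


def migration_queue(accounts: list[Account]) -> list[Account]:
    """Step 1: order by blast radius; categories outside the tier table go last."""
    return sorted(accounts, key=lambda a: (RISK_TIER.get(a.category, len(RISK_TIER)), a.name))


def totp_retirement_blockers(account: Account, today: date) -> list[str]:
    """Steps 3 and 5: every reason TOTP must stay enabled for this account."""
    blockers = []
    if not account.passkey_supported:
        blockers.append("passkeys not supported")
    if len(account.passkey_devices) < 2:
        blockers.append("fewer than two authenticators registered")
    elif len(set(account.passkey_devices)) < 2:
        blockers.append("single-device dependency")  # two credentials, but on one device
    if account.recovery_last_tested is None or today - account.recovery_last_tested > QUARTER:
        blockers.append("recovery not tested within the last quarter")
    if not account.owner:
        blockers.append("no explicit ownership record")
    return blockers


def retirement_plan(accounts: list[Account], today: date) -> dict:
    """Walk the queue and decide, per account, whether TOTP may be retired now."""
    plan = {"retire_totp": [], "keep_totp": {}, "totp_already_disabled": []}
    for account in migration_queue(accounts):
        if not account.totp_enabled:
            plan["totp_already_disabled"].append(account.name)
            continue
        blockers = totp_retirement_blockers(account, today)
        if blockers:
            plan["keep_totp"][account.name] = blockers
        else:
            plan["retire_totp"].append(account.name)
    return plan


# Constructed inventory; none of these are real systems.
INVENTORY = [
    Account("legacy-admin", "admin", "it-ops", False, [], TODAY - timedelta(days=200)),
    Account("payroll", "finance", None, True, ["yubikey-1", "yubikey-2"], None),
    Account("cloud-console", "infrastructure", "platform", True, ["phone-a"], TODAY - timedelta(days=20)),
    Account("corp-idp", "identity", "sec-ops", True, ["yubikey-1", "laptop-tpm"], TODAY - timedelta(days=30)),
    Account("wiki", "other", "docs", True, ["phone-a", "laptop-tpm"], TODAY - timedelta(days=10), totp_enabled=False),
]

if __name__ == "__main__":
    plan = retirement_plan(INVENTORY, TODAY)
    print("retire TOTP now:", ", ".join(plan["retire_totp"]) or "none")
    for name, reasons in plan["keep_totp"].items():
        print(f"{name}: keep TOTP ({'; '.join(reasons)})")
```

The blocker list is deliberately cumulative rather than a single pass/fail flag: an account that fails on ownership and on recovery testing shows both, so the owner of the queue can see everything that has to be fixed before the fallback is retired, and the single-device check catches the case where two credentials exist but both live on the same device, which satisfies "at least two authenticators" on paper while still leaving a single-device dependency.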