For thirty years the answer to “how do I log in” has been the same: type a password. And for most of those thirty years, security people have been telling you that passwords are a problem. They get phished, reused, guessed, and dumped onto the internet by the billion. The advice was always “use a longer one, add a second factor, do not reuse it.” Good advice, but it never fixed the underlying flaw, which is that a password is a shared secret you can be tricked into handing over.
Passkeys are the first genuinely different answer. They are not a stronger password. They are a replacement for the whole idea of a password, and the major platforms are now pushing them hard enough that small business owners should understand what they are before an employee asks about the “Face ID login” Google just offered them.
This post is a plain-English tour: what passkeys are, why they beat passwords, what using one feels like, and how a small business can start adopting them without breaking anything.
What a passkey actually is
A passkey is a cryptographic credential that lives on your device and replaces the password for a specific account. It is built on two open standards, FIDO2 and WebAuthn, that Apple, Google, Microsoft, and most of the browser and password-manager world have already implemented.
Here is the part that matters, without the math. When you create a passkey for a website, your device generates a matched pair of keys. One is a private key that never leaves your device. The other is a public key that gets stored on the website’s server. The public key is useless to an attacker on its own; it can verify a signature but cannot create one. To log in, the website sends your device a challenge, your device signs it with the private key, and the website checks the signature against the public key it holds.
The crucial difference from a password: there is no shared secret. With a password, you and the website both know the same string, so anyone who intercepts, phishes, or steals that string can log in as you. With a passkey, the website only ever holds the public half. There is nothing on the server that an attacker can steal and reuse, and there is nothing for you to type into a fake login page.
Why passkeys beat passwords
Almost every credential-based breach a small business suffers traces back to one of four password problems. Passkeys remove all four by design, not by discipline.
- Phishing. This is the big one. A passkey is cryptographically bound to the real website’s domain. If an employee clicks a link to micros0ft-login.com, the passkey simply will not offer itself, because the domain does not match. There is nothing to type, so there is nothing for a fake page to capture. This is why passkeys are described as “phishing-resistant”: it is not a marketing slogan, it is how the standard works.
- Credential stuffing and reuse. Password reuse is what turns one breach into ten. Attackers take a dumped list of email-and-password pairs and try them everywhere. Passkeys are unique per site by construction and are never reused, so a leak at one vendor cannot be replayed against your others.
- The stolen password database. When a service you use gets breached, the attackers walk away with password hashes they can crack offline at their leisure. A passkey-based service stores only public keys. There is no secret in that database worth stealing.
- Weak passwords and endless resets. No one picks a weak passkey, forgets it, writes it on a sticky note, or files a reset ticket, because there is nothing to remember. The whole category of “password hygiene” problems simply evaporates.
For a small business, that maps directly to the incidents that actually cost you money: the phished Microsoft 365 login that turns into invoice fraud, the reused password that lets someone into your accounting software, the help-desk hours burned on resets. Passkeys do not shrink those risks a little. They remove the mechanism that causes them.
What logging in actually feels like
This is where people relax, because the day-to-day experience is genuinely simpler than passwords, not harder.
To sign in with a passkey, you unlock it the same way you unlock your phone: Face ID, a fingerprint, or a device PIN. That local check proves it is really you holding the device; it never travels to the website. You tap “sign in,” your face or finger is read, and you are in. No username to remember, no password to type, no six-digit code to copy from a text message.
The other question everyone asks is “what happens when I get a new phone.” On Apple devices, passkeys sync through iCloud Keychain. On Android and Chrome, they sync through Google Password Manager. Cross-platform password managers like 1Password and Bitwarden also store and sync passkeys, which is usually the better answer for a business that runs a mix of Windows, Mac, iPhone, and Android. Because the passkey is synced, a new device inherits it automatically once you sign in to that ecosystem or manager. You are not re-enrolling every account by hand.
And if you are on a device that does not have your passkey (say, logging into your email from a client’s laptop), you scan a QR code with your phone. The phone does the signing over a local Bluetooth handshake, the laptop never sees the key, and you are in without typing anything sensitive on a machine you do not control.
How an SMB can start adopting passkeys now
You do not need a project plan or a budget to start. The support is already sitting inside tools you pay for. As of mid-2026, passkeys are supported by Google Workspace, Microsoft 365 and Entra ID, Apple ID, GitHub, most major password managers, and a growing list of banks, payroll platforms, and SaaS apps. The gap now is adoption, not availability.
A realistic phased rollout
- Start with your highest-value accounts. Your Google Workspace or Microsoft 365 admin account is the master key to your business. Add a passkey to it first. If someone phishes that one account, they own your email, your files, and your ability to reset everything else.
- Add passkeys alongside your existing MFA, not instead of it (yet). During the transition, keep your authenticator app or hardware key active as a fallback. A passkey can be your primary login while your old MFA stays as a backup. You lose nothing and you are strictly more secure.
- Roll out to the team a few systems at a time. Pick one or two apps everyone uses (email and your password manager are good first choices) and walk staff through adding a passkey. Short instructions beat a company-wide mandate. Let people feel how much faster it is before you ask them to do it everywhere.
- Set the admin controls. In Google Workspace and Microsoft Entra, an administrator can allow, encourage, or eventually require passkeys, and can register a company-managed hardware security key as a recovery method for critical accounts. Decide early whether personal-device sync is acceptable for your business, or whether sensitive roles should use a dedicated hardware key.
The honest headline is that you can protect your most dangerous account this afternoon, for free, in about ten minutes.
The honest caveats
Passkeys are the direction of travel, but we are still in the messy middle of the transition, and it would be dishonest to pretend otherwise.
- Account recovery and device loss. If your passkeys sync through iCloud or Google and you lose access to that ecosystem account, recovery can be painful. This is why you keep a second factor or a backup hardware key during the transition, and why the platform account those passkeys sync through needs to be locked down hard.
- Not universally supported. Plenty of the smaller vendors, legacy line-of-business apps, and older banking portals your business relies on still only offer passwords. You will be running a hybrid setup for a while, which means you still need a password manager for everything that has not caught up.
- Shared and service accounts. Passkeys are bound to a person’s device and biometrics, which is exactly wrong for the shared logins small teams love: the front-desk account three people use, the social media login, the vendor portal. Those need a different plan, usually a password manager with shared vaults, not passkeys.
- The transition itself is a small but real project. Someone has to decide the policy, document the recovery process, and answer the “I got a new phone” questions. It is not hard, but it does not run itself.
None of these are reasons to wait. They are reasons to roll passkeys out deliberately instead of flipping a switch and hoping.
Where passkeys fit in your security plan
A passkey is a control. Like any control, it is only as good as the written decision behind it. Which accounts require a passkey? What is the approved recovery method if someone loses a device? Who is allowed to register a new authenticator, and how is that request verified? How are shared accounts handled? If the answers live only in one person’s head, you have a tool, not a policy, and the day that person is on vacation is the day it matters.
This is the same reason a cyber-insurance underwriter or an enterprise customer’s security questionnaire asks how you manage authentication, not just whether you “use MFA.” They want to see that your access control is written down and repeatable. Adopting passkeys pairs naturally with a short, written access-control and authentication policy (the kind of foundational document set in our Cyber Essentials bundle) so the good decision you made this week is still being followed next year. The technology is the easy part; the policy is what makes it stick.
If you want help rolling this out
If you want a hand deciding where passkeys fit for your business, email support@breachsecurity.io with a quick note about what you use for email and identity (Google Workspace, Microsoft 365, something else), how many people are on the team, and whether you have shared accounts to worry about.
We will reply with a plain recommendation: which accounts to protect first, what to keep as a fallback, and whether you are at the point where a written authentication policy is worth putting in place. Sometimes the answer is “add a passkey to your admin account this week and you are in good shape.” Passwords are not going away tomorrow, but they are on the way out, and the businesses that start now are the ones that will not be cleaning up a phished login next year.