Passkeys Are Here: Are You Ready for Passwordless Authentication?

Publication date: Mar 16, 2026


Every few years, the way we prove who we are online goes through a real shift. In an effort to address known vulnerabilities, we moved from simple passwords to complex passwords to password managers to two-factor authentication. And each time, organizations that waited too long to adapt paid for it in breached accounts, locked-out employees, and expensive cleanup. 

Today, we’re at another one of those inflection points because virtually all major platforms are moving away from passwords as the default way to sign in and replacing them with passkeys. Those who haven’t yet done so should familiarize themselves with passwordless authentication now because the cybersecurity threats passkeys address are only getting worse. 

What Passkeys Are (and Why They Improve Security) 

| Feature | Passwords | Passkeys |
|---|---|---|
| How employees sign in | Type a password (often saved in a password manager) | Confirm with fingerprint, face scan, or device PIN |
| What attackers try to steal | Passwords can be stolen through phishing or breaches | The private key stays on the user’s device, so attackers cannot capture it during login |
| Risk of phishing attacks | Users can be tricked into entering passwords on fake sites | Passkeys only work with the legitimate website |
| What happens in a data breach | Stolen password databases can sometimes be cracked | Servers store only a public key, which cannot be used to log in |
| Extra security steps | Usually requires additional MFA codes or apps | Security check is built into the sign-in process |
| User experience | Passwords must be created, remembered, and occasionally reset | No password to remember, but users must have access to a device that stores the passkey |
| Support burden | Password resets create frequent help desk tickets | Fewer password resets, though organizations still need a recovery process if a device is lost |

A passkey is a login credential that lets you sign in to an app or website with a fingerprint, face scan, or PIN (the same way you unlock your phone). 

Passkeys were created by the FIDO Alliance, an industry group whose members include Apple, Google, and Microsoft, to replace passwords with something that can’t be stolen, guessed, or phished. That something is a pair of cryptographic keys. The private key stays on your device, locked inside secure hardware. The public key goes to the service’s server.  

When you sign in, the server sends a random challenge, your device signs it with the private key after you confirm with biometrics or a PIN, and the server checks the signature against the public key. No secret ever crosses the network, so there’s nothing to intercept, nothing to enter on a fake site, and nothing useful for an attacker to steal from a breached database (public keys are worthless on their own). 

The fact that passkeys can’t be intercepted is important because stolen credentials remain the most common way attackers get into systems, according to the 2025 Verizon Data Breach Investigations Report. Even traditional multi-factor authentication doesn’t fully close the gap. SMS codes can be intercepted through SIM-swapping. Time-based codes from authenticator apps can be entered on fake login pages. Push notifications are vulnerable to fatigue attacks, where users approve fraudulent requests just to make them stop.  

Of course, passkeys alone don’t prevent every cyber attack. While they do effectively stop credential phishing (the kind where an attacker tricks you into entering your login information on a fake site), they don’t, for example, prevent someone from being tricked into opening a malicious attachment or installing malware. But credential theft is where the bulk of the damage concentrates for most businesses, and passkeys take it off the table.

Where Passkeys Work Today (and Where They Don’t) 

In a consumer survey released for World Passkey Day 2025, FIDO Alliance reported that roughly two-thirds of respondents had enabled a passkey on at least one account, while about three-quarters said they were familiar with passkeys as a technology. The same open industry association states that nearly half of the world’s top 100 websites now support passkey sign-in, and over 15 billion online accounts are passkey-eligible. 

Here’s a quick look at where passkey support stands across the platforms SMBs use most: 

  • Microsoft: Microsoft has begun shifting new consumer accounts toward passwordless sign-in by default. On the workforce side, Microsoft Entra ID (the identity system behind Microsoft 365) supports passkeys through FIDO2 security keys and Microsoft Authenticator, with synced passkey support in preview. Admins can enforce passkeys through Conditional Access policies. 
  • Google: Passkeys have been the default sign-in option for personal Google accounts since October 2023. Google reported that 800 million accounts were using passkeys in 2024 with over 2.5 billion passkey sign-ins. Google Workspace admins can allow users to skip passwords entirely and sign in with passkeys that cover both first and second-factor authentication. 
  • Apple: iCloud Keychain syncs passkeys across Apple devices with end-to-end encryption. iOS 26 and macOS 26 (released in late 2025) added automatic passkey upgrades, where passkeys are created in the background when a user signs in with a password, and secure import/export between credential managers. 
  • HubSpot: Passkey support on web, iOS, and Android. Super Admins can enforce allowed login methods on a specific date. One limitation is that if your organization requires SSO for login, passkeys aren’t available as a separate option. 
  • Other supported platforms include GitHub (over 1.4 million passkeys registered in mid-2024), AWS (as an MFA factor), Dropbox, Adobe Creative Cloud, Amazon, PayPal, and Zoho. 

That said, gaps in passkey support still exist in 2026. For example, Salesforce supports WebAuthn only as a second factor, not as a standalone passwordless login. Slack and Zoom have no native passkey support and rely on SSO through identity providers instead. On-premises Active Directory doesn’t support passkeys natively either, which means organizations still running legacy Windows infrastructure will need to maintain hybrid authentication during the transition.  


How to Start Moving Toward Passwordless 

The FIDO Alliance’s rollout guidance recommends deploying passkeys as an additional sign-in option first and continuing to offer existing methods as adoption grows. That way, employees can get comfortable with the new sign-in flow without anyone getting locked out, and IT teams can identify issues before they affect the whole organization.

In practice, the road from passwords to passkeys looks something like this: 

  1. Audit where your identities live: You need to know which systems manage your user accounts. If your organization is fully on Microsoft Entra ID, you’re in good shape because passkey enrollment and enforcement happen through your existing admin console.
  2. Start with your highest-risk users: Begin with IT admins, executives, and anyone who handles sensitive data or has elevated privileges since their accounts are the most attractive targets for attackers and benefit the most from phishing-resistant authentication. Such high-risk users can benefit from FIDO2 hardware security keys (like YubiKeys) because they provide the strongest protection. For the rest of your workforce, synced passkeys through Microsoft Authenticator are a lower-cost option that still eliminates the phishing risk.
  3. Plan your recovery flows: Account recovery is the weak spot in every passkey deployment. Most implementations still fall back to weaker methods like email or SMS when someone loses a device, which reintroduces the exact vulnerabilities you’re trying to eliminate. The most secure backup is a second passkey or a hardware security key enrolled as a spare.
  4. Train your employees: A passkey rollout is a change management project as much as a technical one. Employees need to understand what passkeys are, how to enroll them, and what to do if they lose a device (yet another reason to plan your recovery flows early).
  5. Configure identity policy: Passkey rollouts work when they’re enforced through your identity platform, not by sending an email and hoping for the best. Use your admin console to require phishing-resistant authentication for specific groups, then gradually expand the scope.
  6. Account for legacy systems (if necessary): As mentioned above, on-premises Active Directory and older applications that don’t support modern authentication will need to keep using passwords or existing MFA while you transition.

The good news is that the work that goes into a passkey rollout pays for itself relatively quickly. A FIDO Alliance survey of enterprises found that over 75% reported fewer help desk calls after deploying passkeys, and 82% said the user experience improved.  

Conclusion 

Passwords aren’t disappearing tomorrow, but they’re losing their place as the default because passkeys offer stronger security with less friction, and most of the platforms your business depends on have already made the switch. If you’re not sure where your organization stands when it comes to the implementation of passwordless authentication, we at OSIbeyond can help. Get in touch by scheduling a meeting with our team, and we’ll help you assess your current setup and plan the transition. 
