Cheddar IT

Passkeys vs Passwords: The Quiet Transition Your Business Should Plan For

Passkeys replace passwords with a cryptographic key tied to your device. They're faster, phishing-resistant, and every major platform now supports them.


For thirty years, passwords have been the default way we prove who we are online. We all know they’re bad — too many to remember, too easy to steal, constantly being phished or leaked — but the alternatives have been worse, so we’ve kept using them.

That’s changing fast. Passkeys are the password replacement that every major platform — Microsoft, Apple, Google, Amazon, most banks — now supports. They’re materially more secure, faster to use, and impossible to phish. This post explains what they are, how they work, and what Australian businesses should do about them.

What is a passkey?

A passkey is a cryptographic credential stored on your device — your laptop, phone, or a hardware security key. Instead of typing a password, you prove who you are by unlocking your device (Face ID, fingerprint, PIN) and your device signs a cryptographic challenge from the service.

The private key is never revealed to the website or service, and it never crosses the internet. A passkey can’t be phished because it’s tied to the exact domain that created it: the browser only offers a credential to pages on that domain, and the real origin of the page is included in what your device signs, so a fake login page on another domain can’t trick your device into signing for the real one.

Passkeys are built on a set of standards called FIDO2 / WebAuthn. You’ll sometimes see them called “FIDO keys,” “security keys,” or “device-bound credentials.” Same underlying technology.

Why passkeys are materially more secure

Passwords have three structural weaknesses that passkeys don’t have.

1. They can be phished. A convincing fake login page captures the password and the attacker replays it on the real service. This is the single most common cause of SMB account compromise.

Passkeys can’t be phished. The cryptographic signature is tied to the real domain: the browser only lets a page use credentials scoped to its own domain, so a look-alike domain can’t obtain a signature the real service will accept.

2. They can be stolen from the service side. When a company gets breached, their password database (even hashed) ends up on the dark web. Attackers then try those password/email combinations on every other service.

Passkeys can’t be stolen server-side because the server only has the public key. The private key — the part that signs — lives only on your device.

3. They can be reused. Staff reuse passwords across work and personal services. A breach on LinkedIn ends up being a breach on your M365 tenant.

Passkeys are unique per service by design, so reuse isn’t possible.

How passkeys actually work for users

The experience is simpler than the explanation.

On sign-up or when adding a passkey to an existing account:

  1. The service asks “do you want to use a passkey?”
  2. Your device says “yes” and creates a key pair
  3. You approve with Face ID / Touch ID / Windows Hello / PIN
  4. The public key is sent to the service; the private key stays on your device

On subsequent sign-ins:

  1. Enter your username (sometimes)
  2. The service sends a cryptographic challenge to your device
  3. Your device prompts you to approve (Face ID etc.)
  4. You approve; you’re logged in

Total time: 2-3 seconds. No password to remember. No SMS code to wait for. No authenticator app to open.

Types of passkeys

There are two flavours worth knowing about.

Device-bound passkeys live on a single device. If you lose the device, you lose access. They’re used when security is paramount, typically hardware security keys such as YubiKeys for administrators and privileged accounts.

Synced passkeys sync across your devices via your platform’s cloud (iCloud Keychain, Google Password Manager, Microsoft Authenticator, or a third-party manager such as 1Password). Lose your phone, restore from iCloud/Google, and your passkeys come back. More convenient, still phishing-resistant, slightly less strict on device possession.

Most SMBs should use synced passkeys for general staff and device-bound hardware keys for administrators.

What Microsoft, Apple and Google have done

Every major platform now supports passkeys on both the sign-in side (services that accept them) and the storage side (how users manage them).

Microsoft 365 / Entra ID. Full passkey support for user sign-in. Administrators can enforce phishing-resistant authentication for sensitive accounts. Windows Hello for Business is effectively a passkey built into the device.

Apple. iCloud Keychain syncs passkeys across Apple devices. iOS and macOS sign-in prompts are built in.

Google. Google Password Manager syncs passkeys across Android and Chrome. Google’s own account now accepts passkeys as the default sign-in.

Third-party password managers. 1Password, Dashlane and Bitwarden now store passkeys alongside passwords. Useful for businesses using a cross-platform password manager.

What your business should actually do

Transitioning a whole business from passwords to passkeys won’t happen overnight. A practical, staged approach:

Step 1: Enable passkey support in your identity platform. In M365, this is turning on FIDO2 / passkey authentication methods in Entra ID. This costs nothing and doesn’t force any change on staff.

Step 2: Mandate phishing-resistant MFA for administrators. Issue hardware security keys (YubiKey or similar) to every admin account. This is high-leverage — admin accounts are what attackers actually want, and SMS MFA on admin accounts is increasingly insufficient.

Step 3: Encourage passkey adoption for general staff. Turn on passkeys as an option. Staff who are technically comfortable will adopt voluntarily. Don’t force it on everyone on day one.

Step 4: Retire SMS-based MFA over time. SMS MFA is better than nothing, but increasingly vulnerable to SIM-swap attacks and phishing. Move users to app-based (Microsoft Authenticator) or passkey-based MFA as they’re ready.

Step 5: Look at password manager deployment. Even if passkeys eventually replace most passwords, the transition will take years. A sanctioned password manager (1Password, Dashlane, or similar) is still a meaningful security upgrade for the interim.

Common concerns and answers

“What if a staff member loses their phone?” They recover via their platform account (iCloud / Google / Microsoft) like any other sync. Passkeys come back. Most SMBs should pair this with a documented account recovery process.

“What if I have old services that don’t support passkeys?” Keep using passwords + app-based MFA for those. A password manager bridges the gap.

“Will staff find this confusing?” The first sign-in feels slightly unfamiliar. After that, most people find it significantly easier than passwords — just Face ID and you’re in. Training is minimal.

The bottom line

Passkeys are a genuine upgrade over passwords: faster, more secure, and phishing-resistant by design. The infrastructure is now mature enough for SMBs to start adopting rather than waiting.

The highest-leverage first move is hardware security keys for administrators — if there’s only budget or appetite for one change, that’s the one. Broader rollout follows as the business is ready.

If you’d like help planning a passkey rollout — from Entra ID configuration to hardware key procurement to staff rollout communications — get in touch. It’s a project with clear, measurable security benefit and a genuinely better user experience at the end of it.