7 June 2026

Passkeys in SMEs: The End of the Password


The password is the last single point of failure that almost every company keeps voluntarily. Phishing emails do not target the firewall; they target the person typing a password into a fake login page. Passkeys remove exactly this attack vector, and in 2026 they are ready for productive use in mid-sized businesses as well.

Key Takeaways

  • Phishing-resistant by design. A passkey is bound to the domain (the relying party ID) it was registered for. The browser will not offer it on a look-alike site, and there is nothing for the user to type. This closes the most common credential attack path.
  • Platforms are ready. Microsoft Entra ID and Google Workspace support passkeys in production; Microsoft moved synchronized passkeys to general availability in 2026.
  • The devil is in the recovery. Without a well-thought-out process for lost devices, you risk locking employees out. That is where the real project work lies, not in the rollout itself.


Why passwords have become a risk

Most successful breaches do not start with a brilliant exploit; they start with a stolen password. Phishing, credential reuse across services, leaked databases: passwords are vulnerable because they are a shared secret. The user knows it, the server stores it (at best as a hash), and anyone who intercepts or guesses it in between knows it too.

Traditional multi-factor authentication (MFA) has mitigated this but not solved it. Adversary-in-the-middle phishing kits relay one-time codes to the real site within seconds and harvest the resulting session token long before the victim grows suspicious. Whatever a user can read off a screen and type, an attacker can collect. This is where the shift comes in: if there is no secret left to phish, the most common attack falls flat. Note the limit, though: a passkey protects the sign-in itself. A session cookie that malware copies out of the browser after a legitimate login is a separate problem.

What is a passkey? A passkey is a public-key credential based on the FIDO2 and WebAuthn standards. At registration the device creates a fresh key pair for that one service. The private key stays in the device's authenticator (or, for synchronized passkeys, in the user's credential manager) and is unlocked locally via biometrics or PIN, while the service stores only the public key. At sign-in the device signs a challenge issued by the server. No password is transmitted, stored, or stolen, and a breach of the server's database yields nothing but public keys.

How passkeys solve the phishing problem

The key mechanism is domain binding. A passkey is registered for a relying party ID, the domain of the real login page, and works only there: the browser refuses to offer it to any other origin, and the signed response records the origin the user was actually on, so the server can reject a relayed login. If an employee lands on a convincing fake, the browser simply has no matching key to offer. The attack fails not because the user is vigilant, but because of cryptography.

That is why passkeys are classified as phishing-resistant authentication, a category that security agencies explicitly recommend. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) names FIDO/WebAuthn-based authentication as one of the few methods that withstand modern phishing. For security teams this is a rare case where a change eliminates the most common attack path instead of just adding another hurdle.

Rolling Out via Entra ID and Google Workspace

Getting started in practice has become significantly easier in 2026, as the major identity platforms have caught up. Microsoft Entra ID has moved synchronized passkeys and passkey profiles into general availability, so administrators can roll out passwordless sign-in through targeted registration campaigns. The number of passkey profiles permitted per tenant has been raised from three to ten, which allows more nuanced policies for different user groups. One design point to keep in mind: a synchronized passkey travels with the user's cloud account, which simplifies device replacement but makes the protection of that account part of the design, whereas device-bound keys on hardware tokens avoid the dependency at the cost of more recovery effort.

March 2026
Microsoft Entra ID brings synchronized passkeys into general availability. Passwordless sign-in is leaving pilot status behind, becoming a standard option for businesses.
Source: Microsoft Entra ID Roadmap, 2026

Google Workspace and Apple's platforms also support passkeys in production. For mid-sized businesses this means the building blocks are ready inside familiar identity platforms; the effort now shifts from technical implementation to smooth adoption. It is worth checking your current licensing status.

Where Mid-Sized Businesses Hit Snags

The trickiest part of a passkey project is not the sign-in instructions; it is the recovery process. What happens if an employee loses the smartphone that holds their passkey? Without planning for this scenario you will have locked-out colleagues on Monday morning instead of better security. Proven practices: register a second credential (a hardware security key or a second device) during onboarding so that no account depends on a single authenticator, hand out IT-issued recovery codes, and define a re-registration process that starts with identity verification. That verification must not quietly fall back to the weak methods you just replaced; a help-desk reset triggered by a phone call or an SMS code reintroduces exactly the phishing path the passkeys closed.

The second hurdle is legacy applications. Not every internal system or older single sign-on integration supports WebAuthn yet. During the transition, passwords or one-time codes remain in place for these, which turns the rollout into a phased project rather than a single cutover. A sensible approach is to start with well-supported, critical accounts such as Microsoft 365 and Google Workspace and to expand the passwordless zone from there. Applications that authenticate through the identity provider's single sign-on inherit the passkey login automatically; only those with their own password store, or with an integration too old to delegate the login, stay on the old path for now.

Frequently Asked Questions

What’s the difference between a passkey and a password?

A password is a shared secret that can be transmitted and therefore intercepted. A passkey is a cryptographic key pair whose private key never leaves the device. There is nothing to enter on a phishing site.

Do passkeys require expensive special licenses?

Passkeys are supported in Microsoft Entra ID and Google Workspace under common business plans. Check your specific tier for exact licensing needs. The main effort, however, lies in adoption and recovery planning, not in licenses.

What happens if an employee loses their device?

That’s where the recovery plan kicks in. Common solutions include backup security keys registered during onboarding, IT-issued recovery codes, and a defined process for re-registration after identity verification. This scenario must be tested before rollout.

Can mid-sized businesses go fully passwordless right away?

Rarely. Legacy applications and older single sign-on integrations often don’t support WebAuthn yet. The transition happens gradually, starting with well-supported accounts like Microsoft 365, while older systems temporarily continue using passwords or one-time codes.

Does a passkey replace multi-factor authentication?

A passkey combines both factors in one step: possession of the device and authentication via biometrics or PIN. This meets the requirements for strong, phishing-resistant sign-in without needing a separate second factor.


Image source: AI-generated (June 2026), C2PA certificate embedded in image

About the author: Alec Chizhik
A magazine by Evernine Media GmbH