
What Are Passkeys and Should I Use Them?

Quick Answer

Passkeys are cryptographic credentials that replace passwords. They're stored on your devices, verified using biometrics or PIN, and can't be phished because they're bound to legitimate sites. They're more secure than passwords and easier to use. Yes, you should use them.

How Passkeys Work

The basics

Instead of: Username + password + maybe MFA

Passkeys use: Cryptographic key pair (public + private) + biometric or PIN verification

What this means:

  • Private key never leaves your device
  • Site only sees public key
  • Authentication is cryptographic proof, not shared secret
  • Biometric or PIN unlocks the key (doesn't leave device)

Why this matters

Passwords can be:

  • Phished
  • Guessed
  • Reused across sites
  • Stolen in database breaches
  • Keylogged

Passkeys can't be:

  • Phished (cryptographically bound to legitimate site)
  • Guessed (no password to guess)
  • Reused harmfully (unique key per site)
  • Stolen from server (only public key stored)
  • Keylogged (nothing to type)

Phishing Resistance

This is the critical advantage.

Password phishing works because: You can type your password into any site that asks—including fake ones.

Passkey phishing fails because: The private key only works with the legitimate site's domain, and the browser only offers a passkey to the domain it was registered for. On a fake site the authentication simply doesn't happen: even if you click the link, the passkey won't authenticate to the wrong domain.

This defeats adversary-in-the-middle (AiTM) phishing attacks, which currently bypass traditional MFA.

User Experience

Signing in with password:

  1. Navigate to site
  2. Enter username
  3. Enter password
  4. Receive MFA prompt
  5. Approve MFA or enter code
Signing in with passkey:

  1. Navigate to site
  2. Touch fingerprint sensor or face scan

Passkeys are both more secure AND easier.

Where Passkeys Work

Supported by:

  • Apple (iCloud Keychain syncs across devices)
  • Google (Google Password Manager)
  • Microsoft (Windows Hello, coming to Microsoft Authenticator)
  • Major browsers (Chrome, Safari, Edge, Firefox)
  • Growing list of websites and applications

Enterprise support:

  • Microsoft Entra ID (Azure AD) supports passkeys
  • FIDO2 security keys work as passkeys
  • Integration with identity providers

Business Considerations

Advantages

  • Phishing-resistant authentication
  • Better user experience (faster, simpler)
  • No password reset costs
  • Reduced helpdesk burden
  • Compliance with emerging requirements

Challenges

  • Not universally supported yet
  • Device loss considerations (need recovery options)
  • Syncing across ecosystems (Apple passkeys don't sync to Windows natively)
  • Some applications don't support them yet
  • Enterprise deployment requires planning

Implementation Approaches

For consumer-facing services

  • Enable passkey sign-up alongside passwords
  • Encourage adoption through better experience
  • Maintain password fallback during transition
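As an added example for the consumer-facing approach above (written for this page, not taken from the article or any framework), the browser-side code below shows what turns an ordinary WebAuthn registration into a passkey: a discoverable credential with user verification required, registered only when the device supports it, and returned to the server in a transport-safe encoding. The function names, the endpoint and the sample rpId, user and challenge values are assumptions; in a real deployment the challenge and user ID come from the server.

```javascript
// Added example (not the article's code): passkey registration options and response packaging.

// base64url helpers that work in both browsers and Node (btoa/atob are global in Node 16+).
function toBase64Url(bytes) {
  const bin = String.fromCharCode(...new Uint8Array(bytes));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function fromBase64Url(str) {
  const padded = str.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (str.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Offer the passkey button only where a user-verifying platform authenticator exists;
// everywhere else the page keeps its password form.
async function shouldOfferPasskey() {
  if (typeof window === "undefined" || !window.PublicKeyCredential) return false;
  return PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
}

// Build navigator.credentials.create() options. challenge and userId are base64url
// strings issued by the server; existingCredentialIds prevents re-registering a device.
function buildPasskeyCreationOptions({ rpId, rpName, userId, userName, challenge, existingCredentialIds = [] }) {
  return {
    publicKey: {
      rp: { id: rpId, name: rpName },
      user: { id: fromBase64Url(userId), name: userName, displayName: userName },
      challenge: fromBase64Url(challenge),
      pubKeyCredParams: [
        { type: "public-key", alg: -7 },   // ES256
        { type: "public-key", alg: -257 }, // RS256, for older Windows Hello devices
      ],
      authenticatorSelection: {
        residentKey: "required",      // discoverable credential: this is what makes it a passkey
        requireResidentKey: true,     // legacy spelling for older browsers
        userVerification: "required", // biometric or PIN must unlock the key
      },
      excludeCredentials: existingCredentialIds.map((id) => ({ type: "public-key", id: fromBase64Url(id) })),
      attestation: "none", // consumer services rarely need attestation
      timeout: 60000,
    },
  };
}

// Run the ceremony in the browser and package the ArrayBuffers for a JSON POST.
async function registerPasskey(options, endpoint = "/webauthn/register/finish") {
  if (typeof navigator === "undefined" || !navigator.credentials) {
    throw new Error("WebAuthn requires a browser context"); // assumption: called from page script
  }
  const cred = await navigator.credentials.create(options);
  const body = {
    id: cred.id,
    rawId: toBase64Url(cred.rawId),
    type: cred.type,
    response: {
      clientDataJSON: toBase64Url(cred.response.clientDataJSON),
      attestationObject: toBase64Url(cred.response.attestationObject),
    },
    transports: typeof cred.response.getTransports === "function" ? cred.response.getTransports() : [],
  };
  return fetch(endpoint, { method: "POST", headers: { "content-type": "application/json" }, body: JSON.stringify(body) });
}
```

Keeping residentKey set to "required" matters for the "alongside passwords" flow: a discoverable credential lets the browser offer the passkey from the username field before the user has typed anything, which is the two-step sign-in the article describes.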

For enterprise

  • Start with FIDO2 security keys for admins (phishing-resistant MFA)
  • Pilot passkeys with technical users
  • Plan device and recovery strategy
  • Integrate with identity provider (Entra ID)
  • Gradual rollout as ecosystem matures

For high-security use cases

  • Hardware security keys (YubiKey, etc.) as passkeys
  • Not synced to cloud—physical possession required
  • Strongest assurance available

Passkeys vs FIDO2 Keys vs MFA

                     Passwords + MFA    FIDO2 Keys           Passkeys
Phishing resistant   No                 Yes                  Yes
User experience      Friction           Moderate             Best
Device required      Phone for MFA      Physical key         Enrolled device
Cost                 Free               £20-50 per key       Free
Syncing              N/A                No                   Yes (within ecosystem)
Recovery             Password reset     Backup keys needed   Cloud backup

Our Recommendation

Now:

  • Enable passkeys where available for personal use
  • Deploy FIDO2 keys for privileged accounts
  • Prepare for enterprise passkey adoption

Soon:

  • Pilot passkeys for enterprise users
  • Integrate with Entra ID / Microsoft 365
  • Develop device and recovery strategy

The direction is clear. Passwords are legacy. Passkeys are the future. Start preparing now.

---

about passkeys and FIDO2.

---