Your team has been logging in with passwords since the day they created their first Hotmail account (that might be dating me harshly...). Some of those passwords are strong, most are probably reused somewhere, some haven't changed in years, and pretty regularly someone in the office mixes things up and needs a reset.
It's a problem that has a practical solution, one that's actually easier to act on than most people expect.
Passkeys are a newer way to log in that doesn't rely on a password at all. They've been getting a lot of attention in IT circles, but the conversation tends to get technical fast. We're going to keep it a little more lightweight here: what's the difference, why does it matter, and how do you do it?
The premise of a password is that a secret shared between you and a website stays secret. Decades of breach data suggest that's not a safe assumption.
The Verizon Data Breach Investigations Report has tracked the leading causes of data breaches for years. Compromised credentials, whether stolen, guessed, or phished, are consistently at the top of the list. And the needle hasn't moved much because the underlying issue hasn't changed.
When you create an account somewhere, the service stores your password, or at best a salted hash of it, on its servers. When that service gets breached (and breaches happen constantly, at companies of every size), that stored password data is part of what gets taken, and weak or unsalted hashes get cracked routinely. If you've reused that password anywhere else, those accounts are now exposed too, because attackers replay leaked credentials against other sites (credential stuffing).
Multi-factor authentication (MFA) helps significantly. Adding a second step means a stolen password alone isn't enough. But the most common form of MFA, one-time codes sent by text message, has a known gap. SMS codes can be intercepted through SIM swapping, where an attacker convinces a carrier to transfer your phone number to a device they control. Authenticator apps, like Microsoft Authenticator, are a more secure alternative: the codes they generate are derived on the device and never travel over a phone network. They're still not phishing-proof, though. A convincing fake login page can ask for the six-digit code and relay it to the real site within its short validity window, which is exactly the gap passkeys close.
A passkey replaces the password entirely. Instead of a secret you type in, your device generates a public/private key pair, unique to that service, when you register. The private key stays on your device (or, for synced passkeys, in your end-to-end encrypted keychain) and is never sent to the service. The service only ever receives the public half.
When you log in, your device confirms it's you with biometrics or a PIN, then uses the private key to sign a fresh, random challenge from the service. No password is typed, the signed response is useless to anyone who captures it, and because the browser only offers a passkey on the exact domain it was registered for, a look-alike login page never gets a signature at all.
The practical upside: passkeys can't be phished, are never reused across sites (each one is unique to a service), and a server-side breach exposes only public keys, which are no use to an attacker on their own.
Most teams running Microsoft 365 already have the infrastructure for passkeys: Entra ID supports them, and an admin mainly needs to enable the Passkey (FIDO2) authentication method. Microsoft made them the default sign-in for new personal accounts in May 2025. For many businesses, the first step is simply making a choice.
The question most business owners ask is whether this is a major project or something that can be phased in gradually. The answer is gradual, and intentionally so.
Passkey migration runs passwords and passkeys in parallel, so nobody loses a familiar process during the transition. Users enroll a passkey on their device and start using it for the accounts that support it; accounts that aren't configured or supported yet keep using passwords as usual until they're ready.
Microsoft 365 supports passkeys fully, and so do many of the major platforms you're likely using, such as GitHub, Shopify, and Dropbox.
Not every business application supports passkeys yet. For those, the right interim step is a password manager generating a unique, random password for each account. That eliminates weak and reused passwords now, and when those platforms add passkey support, switch over.
Starting with administrators and staff who have access to sensitive systems makes sense. Their accounts do the most damage if compromised, and they can give useful feedback before the rollout reaches the whole team.
Beyond the security improvement, passkeys get rid of the annoyances we've all come to accept as normal. No more botching the password twice before getting it right (or having to sit down at the desk and use your muscle memory to remember it 😂), no waiting for email or text codes, and no more accidental lockouts.
Microsoft's own data shows passkey sign-ins are three times faster than a traditional password and eight times faster than a password combined with MFA. For any organization where users are moving between systems throughout the day, that friction reduction adds up to some serious savings.
If your team is on Microsoft 365 and using MFA already, you're in a good position to begin. A few practical first steps:
The shift away from passwords doesn't need to happen overnight, but the tools are available and the advantages are clear. Starting with one account type and building from there is enough to make a real difference.