Passkeys at Work: What IT Teams Should Know in 2026

Workplace security and authentication

If you have been reading about passkeys, you have seen the consumer story: sign in to a shopping site with Face ID instead of a password. For businesses, the same technology is much more interesting. Passkeys are built on open standards (FIDO2 and WebAuthn), bind credentials to your domain and the user’s devices, and are inherently resistant to phishing in a way that SMS and many app-based MFA flows are not.

This article is a practical overview for IT and security owners: what passkeys are, how they fit next to conditional access and legacy MFA, and what to plan for before you ask the whole company to enroll.

TL;DR

  • Passkeys replace shared secrets with cryptographic key pairs; the private key stays on the device (or security key)
  • They strongly reduce phishing because there is no code to type into a fake login page
  • Microsoft Entra ID, Google Workspace, and major platforms support FIDO2 passkeys or security keys as authentication methods
  • Recovery and break-glass matter more than the demo: plan for lost devices and help desk load
  • Passkeys complement policy; they do not replace EDR, email security, or user training overnight

What Is a Passkey, Really?

A passkey is a FIDO2 credential that your organization’s identity provider treats as a sign-in method. The user unlocks it with something they have (phone, laptop TPM, YubiKey) plus usually something they are (biometric) or know (PIN). The important part is what happens on the wire: the browser or OS proves possession of a private key that was registered for yourcompany.com. A clone of your login page on yourcompany-support.ru cannot complete that proof the same way a user typing a TOTP code can.

That property is why vendors and regulators increasingly talk about phishing-resistant MFA. Passkeys and hardware security keys sit in that bucket. SMS, voice codes, and many push-based flows do not.

Why This Matters After Years of “Just Turn On 2FA”

Two-factor authentication was a huge upgrade over passwords alone. It is also routinely defeated by real-world attacks: adversary-in-the-middle kits, MFA fatigue, help desk social engineering, and legacy protocols that bypass modern controls. Passkeys do not fix every abuse case, but they remove an entire class of “steal the second factor at login time” attacks against web and supported native apps.

If you have already read about business email compromise and why traditional 2FA is not enough, think of passkeys as one of the technical answers that actually matches how modern phishing operates.
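To make the origin-binding argument from the two sections above concrete, here is an added example (not code from the original article, and not any vendor’s implementation) of what a relying party checks when a passkey assertion comes back from the browser. The key generation stands in for registration, `yourcompany.com` and `yourcompany-support.ru` are the article’s own illustrative domains, and the authenticator side is simulated so the look-alike-domain case can be forced; in a real browser the credential would never be offered to that site at all. The three scenarios show a genuine login succeeding, an adversary-in-the-middle relay of the same challenge from the look-alike domain failing, and a captured assertion failing replay against a fresh challenge.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// clientData holds the fields of WebAuthn clientDataJSON that matter for this check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what navigator.credentials.get() hands back to the relying party.
type Assertion struct {
	ClientDataJSON    []byte
	AuthenticatorData []byte
	Signature         []byte
}

// rpIDHash is the first 32 bytes of authenticatorData: SHA-256 of the RP ID.
func rpIDHash(rpID string) []byte {
	h := sha256.Sum256([]byte(rpID))
	return h[:]
}

// signedMessage is what the authenticator signs: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// newChallenge models the relying party issuing a fresh random challenge per login.
func newChallenge() string {
	b := make([]byte, 32)
	_, _ = rand.Read(b)
	return base64.RawURLEncoding.EncodeToString(b)
}

// authenticatorSign simulates the browser+authenticator side (assumption for this demo).
// A real browser fills in origin itself and only lets a page claim an RP ID that its own
// origin is allowed to use; both are parameters here so the phishing case can be shown.
func authenticatorSign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	// flags 0x01 = user present, then a 4-byte signature counter (0 here)
	authData := append(rpIDHash(rpID), 0x01, 0, 0, 0, 0)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	return Assertion{ClientDataJSON: cd, AuthenticatorData: authData, Signature: sig}, err
}

// VerifyAssertion is the relying-party check. Origin and RP ID binding make the passkey
// useless to a look-alike domain; the challenge check stops replay of a captured assertion.
func VerifyAssertion(pub *ecdsa.PublicKey, a Assertion, rpID, origin, challenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return fmt.Errorf("bad clientDataJSON: %w", err)
	}
	if cd.Type != "webauthn.get" {
		return fmt.Errorf("unexpected ceremony type %q", cd.Type)
	}
	if cd.Challenge != challenge {
		return fmt.Errorf("challenge mismatch (replay or stale session)")
	}
	if cd.Origin != origin {
		return fmt.Errorf("origin %q is not the expected %q", cd.Origin, origin)
	}
	if len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], rpIDHash(rpID)) {
		return fmt.Errorf("authenticatorData is not bound to RP ID %q", rpID)
	}
	if a.AuthenticatorData[32]&0x01 == 0 {
		return fmt.Errorf("user presence flag not set")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return fmt.Errorf("signature does not verify under the registered public key")
	}
	return nil
}

// RunScenarios registers one credential for yourcompany.com and returns the verdict for
// (1) a genuine login, (2) the same challenge relayed through a look-alike domain,
// (3) a captured assertion replayed against a new challenge.
func RunScenarios() (genuine, phished, replayed error) {
	const rpID, origin = "yourcompany.com", "https://yourcompany.com"
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for registration
	if err != nil {
		return err, err, err
	}
	c1 := newChallenge()
	a1, _ := authenticatorSign(priv, rpID, origin, c1)
	genuine = VerifyAssertion(&priv.PublicKey, a1, rpID, origin, c1)

	// An AitM page relays the real challenge, but the browser scopes the ceremony to the
	// look-alike site's RP ID and origin, so the real relying party rejects the result.
	a2, _ := authenticatorSign(priv, "yourcompany-support.ru", "https://yourcompany-support.ru", c1)
	phished = VerifyAssertion(&priv.PublicKey, a2, rpID, origin, c1)

	// An assertion captured from an earlier login is tied to that login's challenge.
	replayed = VerifyAssertion(&priv.PublicKey, a1, rpID, origin, newChallenge())
	return
}

func main() {
	g, p, r := RunScenarios()
	fmt.Println("genuine login:", g)
	fmt.Println("look-alike domain:", p)
	fmt.Println("replayed assertion:", r)
}
```

Contrast this with a TOTP code: the code is just six digits that are equally valid no matter which page the user typed them into, so a relay kit forwards it and wins. Here the signed material names the origin and RP ID, and the relying party’s checks are the same whether the attacker has the challenge or not. Production deployments add what this example omits: the signature counter, user-verification flags where required, and credential lookup by ID.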

Microsoft Entra ID and the Ecosystem

In a Microsoft-heavy shop, you will typically combine Entra ID authentication methods (FIDO2 security keys, Windows Hello for Business, and platform passkeys where supported) with Conditional Access: require compliant devices, block legacy auth, and require phishing-resistant methods for privileged roles first. Google Workspace offers a similar trajectory with security keys and passkeys for work accounts.

Rollout is rarely “flip a tenant-wide switch on Friday.” It is staged: pilot group, support scripts, clear guidance for iOS versus Android versus Windows, and monitoring of sign-in logs for unexpected failure modes (especially hybrid and line-of-business apps that still expect passwords).

Operational Gotchas IT Should Plan For

  • Account recovery: If the only factor is a passkey on one phone, a broken phone is a lockout. You need backup methods or a documented recovery path that is not weaker than your primary login.
  • Shared workstations and kiosks: Passkeys tied to one person’s biometrics do not map cleanly onto a device many people share. Often you still use smart cards, security keys, or separate per-user profiles.
  • Break-glass accounts: Keep long credentials for emergency admin accounts stored offline, handled with extreme care and monitored for any use.
  • Help desk: Reset flows that relied on “send me a code” need redesign so attackers cannot impersonate users through the same channel.

Bottom Line

Passkeys are not magic, but they are one of the best-aligned technologies we have for stopping phishing at the front door without asking users to parse URLs every time they log in. Pair them with conditional access, device health, email security, and the same operational discipline you use today. Then expand coverage methodically so recovery and support stay as strong as the cryptography.
