Passwords have been part of working life for so long that most people accept the frustration as normal: regular resets, forgotten logins and the quiet worry about whether a breach will land in their inbox. Over the last couple of years, passkeys have been positioned as the replacement, often described as more secure and easier at the same time. That sounds appealing, but it also raises sensible questions for SMBs trying to work out what’s real and what’s marketing noise. This article is about cutting through that noise: explaining what passkeys actually are, where they genuinely help, where they still cause friction, and how UK SMBs can approach them without breaking day‑to‑day work.
Passwords were never designed for the way modern businesses work, and they struggle under the weight of cloud services, remote access and dozens of logins per person. The theory was simple: remember a secret and prove it when asked. In practice people reuse passwords, write them down or choose something predictable, because the alternative is constant lockouts. Attackers have taken advantage of this reality rather than fighting it. Phishing emails, fake login pages and credential stuffing attacks all rely on the same weakness: a password is a shared secret, so if it is stolen once it is often useful in more than one place. Even when SMBs add complexity rules, the core issue remains that a password can be copied and reused without the owner knowing. This is the gap passkeys are designed to close.
A passkey replaces a password with a cryptographic key pair. The private key is created and kept on the user’s device (or in the platform’s credential manager, which can sync it between that user’s devices), and only the matching public key is registered with the service. When someone logs in, the service sends a fresh one‑time challenge and the device signs it with the private key; the service checks the signature against the stored public key. Nothing secret crosses the internet, and the public key is useless to an attacker who steals it from the service. In practical terms, this usually looks like unlocking a phone with Face ID, Touch ID or a device PIN, or approving a sign‑in on a laptop using Windows Hello. There’s no password to type, remember or steal, which removes a whole category of attacks. Another important detail is that each passkey is bound to the domain it was created for: the browser will only offer it on that site, and the signed response records the site the user was actually on, so a lookalike domain can neither obtain nor reuse it. If someone is tricked into clicking a phishing link, the passkey simply won’t work there, which quietly stops the attack before it starts.
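The mechanism above is worth seeing in code. The following is an added illustration written for this article, not code from any passkey provider: a stripped‑down relying party and authenticator in Go that keep the checks a real WebAuthn server performs (one‑time challenge, origin, relying‑party ID hash, signature) while dropping the CBOR/COSE encodings. The domain names, credential ID and the use of Ed25519 are assumptions for the example; real passkeys usually use ECDSA P‑256 and carry a flags byte and counter alongside the rpIdHash. The four scenarios show a genuine sign‑in succeeding, a replayed response being rejected, a lookalike phishing domain getting no passkey at all, and a captured response failing when an attacker splices in a fresh challenge.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// clientData mirrors the clientDataJSON fields a relying party must check.
type clientData struct {
	Type      string `json:"type"`      // "webauthn.get" for a sign-in
	Challenge string `json:"challenge"` // server challenge echoed by the browser
	Origin    string `json:"origin"`    // origin of the page the browser was on
}

// Assertion is what the browser hands back to the service after the prompt.
type Assertion struct {
	CredentialID string
	ClientData   []byte // JSON-encoded clientData
	AuthData     []byte // simplified: just sha256(rpID); real authData has more
	Signature    []byte
}

// RelyingParty is the service. It stores public keys only, never private keys.
type RelyingParty struct {
	RPID        string // e.g. "portal.example.co.uk" (assumed name)
	Origin      string // e.g. "https://portal.example.co.uk"
	credentials map[string]ed25519.PublicKey
	challenges  map[string]bool // outstanding one-time challenges
}

// Authenticator is the user's device; the private key never leaves it.
type Authenticator struct {
	rpID   string
	credID string
	priv   ed25519.PrivateKey
}

func NewRelyingParty(rpID string) *RelyingParty {
	return &RelyingParty{RPID: rpID, Origin: "https://" + rpID,
		credentials: map[string]ed25519.PublicKey{}, challenges: map[string]bool{}}
}

// Register generates the key pair on the device and sends only the public key.
func (rp *RelyingParty) Register(credID string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.credentials[credID] = pub
	return &Authenticator{rpID: rp.RPID, credID: credID, priv: priv}, nil
}

// NewChallenge issues a fresh random challenge that may be used exactly once.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	c := hex.EncodeToString(b)
	rp.challenges[c] = true
	return c
}

// Sign models browser plus device. A browser only offers a passkey on the
// domain it is scoped to (real browsers also accept a registrable parent
// domain as rpID), so a lookalike site never gets an assertion at all.
func (a *Authenticator) Sign(origin, challenge string) (*Assertion, error) {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" || u.Hostname() != a.rpID {
		return nil, fmt.Errorf("no passkey available for %s", origin)
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(a.rpID))
	cdHash := sha256.Sum256(cd)
	signed := append(rpHash[:], cdHash[:]...) // authData || sha256(clientData)
	return &Assertion{CredentialID: a.credID, ClientData: cd, AuthData: rpHash[:],
		Signature: ed25519.Sign(a.priv, signed)}, nil
}

// Verify performs the relying-party checks on a returned assertion.
func (rp *RelyingParty) Verify(a *Assertion) error {
	pub, ok := rp.credentials[a.CredentialID]
	if !ok {
		return errors.New("unknown credential")
	}
	var c clientData
	if err := json.Unmarshal(a.ClientData, &c); err != nil {
		return err
	}
	if c.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if !rp.challenges[c.Challenge] {
		return errors.New("unknown or already-used challenge (replay)")
	}
	delete(rp.challenges, c.Challenge) // single use, consumed even on failure
	if c.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: assertion was made on %s", c.Origin)
	}
	want := sha256.Sum256([]byte(rp.RPID))
	if len(a.AuthData) < 32 || !bytes.Equal(a.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	cdHash := sha256.Sum256(a.ClientData)
	signed := append(append([]byte{}, a.AuthData...), cdHash[:]...)
	if !ed25519.Verify(pub, signed, a.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Scenarios runs a genuine sign-in, a replay, a lookalike phishing page and a
// tampered assertion, and returns the outcome of each (nil means accepted).
func Scenarios() map[string]error {
	out := map[string]error{}
	rp := NewRelyingParty("portal.example.co.uk") // constructed example domain
	device, err := rp.Register("cred-alice-laptop")
	if err != nil {
		panic(err)
	}
	// 1. Genuine sign-in on the real site.
	ch := rp.NewChallenge()
	assertion, _ := device.Sign(rp.Origin, ch)
	out["genuine"] = rp.Verify(assertion)
	// 2. The same assertion captured and replayed: challenge already consumed.
	out["replay"] = rp.Verify(assertion)
	// 3. Lookalike domain relays a real challenge; no passkey is scoped to it.
	_, err = device.Sign("https://portal-example.co.uk", rp.NewChallenge())
	out["phish"] = err
	// 4. Attacker rewrites a captured assertion to carry a fresh challenge.
	var c clientData
	_ = json.Unmarshal(assertion.ClientData, &c)
	c.Challenge = rp.NewChallenge()
	forged := *assertion
	forged.ClientData, _ = json.Marshal(c)
	out["tampered"] = rp.Verify(&forged)
	return out
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-9s -> %v\n", name, err)
	}
}
```

Only the genuine scenario is accepted. Note that the challenge is consumed before the signature is checked, so a failed attempt cannot be retried against the same challenge, and that the origin check is what matters if an attacker ever did obtain a signed response from a page on another domain.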
Passkeys aren’t theoretical anymore; they’re already supported across the main platforms most UK SMBs rely on. Microsoft, Google and Apple all support passkeys for consumer accounts, and Microsoft has been rolling out passkey support for work accounts through Microsoft Entra ID, the identity platform behind Microsoft 365, both in the Microsoft Authenticator app and on FIDO2 security keys. On modern iPhones, iPads, Android devices and Windows PCs, passkeys integrate with built‑in security features, so there’s no extra hardware to buy for most users. For people who already unlock devices with biometrics, the experience often feels simpler than passwords plus codes. For high‑risk accounts, such as administrators or finance users, passkeys can significantly reduce the chance of account takeover, which is why many security teams are starting there rather than attempting a company‑wide switch on day one.
Despite the benefits, passkeys aren’t a silver bullet, and there are practical challenges SMBs need to understand before diving in. One common issue is device dependency. A passkey lives on a device (or in a platform credential manager that syncs it between a user’s devices), so losing that device without a recovery plan, or losing access to the Apple, Google or Microsoft account that syncs it, can lock someone out. Account recovery processes therefore become more important, not less, and in a busy SMB they need to be simple and well documented. Shared accounts are another sticking point. Passkeys are designed for individuals, so any system that still relies on shared logins, such as a generic finance or operations account, will need to change first. That’s often a positive forcing function, but it can feel disruptive if it’s not planned. There’s also the reality of mixed environments. Contractors, older devices, legacy applications and third‑party services may not support passkeys yet, so passwords won’t disappear overnight. Most SMBs will run a hybrid approach for some time, and that’s normal.
It’s helpful to think of passkeys as an evolution of multi‑factor authentication rather than a completely separate idea. Traditional MFA combines something you know, a password, with something you have, such as a phone. That improves security but still leaves the password as a weak point, and one‑time codes and push approvals can themselves be phished or relayed in real time. A passkey builds the second factor into the sign‑in itself: the device holds the key (something you have) and unlocking it with a biometric or PIN (something you are or know) releases it, so there’s no standalone password to protect and nothing a fake site can capture. That is why a passkey sign‑in is considered phishing‑resistant MFA, and why it’s gaining traction in regulated and higher‑risk environments. For SMBs already using MFA through Microsoft 365, passkeys don’t replace that work; they build on it. The groundwork around identity, device management and access policies still matters.
For SMBs using Microsoft 365, passkeys sit within Microsoft Entra ID, alongside existing sign‑in methods like passwords, authenticator apps and hardware keys. Microsoft’s direction of travel is clear: passwords are being de‑emphasised, not removed overnight. A sensible approach is to enable passkeys as an option first, then target specific groups. In Entra ID this is done through the authentication methods policy, which lets the passkey method be enabled for named groups rather than the whole tenant. Administrators are an obvious starting point, followed by users with access to sensitive data or payment systems. This allows teams to learn what support issues crop up before rolling anything out more widely. Conditional Access policies still apply, so passkeys can be combined with location checks, device compliance and risk‑based controls, and an authentication strength policy can require phishing‑resistant MFA for the most sensitive roles so that a password plus a code no longer satisfies the sign‑in. That layered approach is what actually reduces incidents in the real world.
Trying to move everyone to passkeys in one go usually creates friction, so a phased approach works better. The first step is understanding current sign‑in methods and cleaning up the basics, such as enforcing MFA everywhere and removing shared accounts where possible. Without that foundation, passkeys won’t deliver their full benefit. Next comes a pilot group, ideally people who are comfortable with change and have modern devices. Their feedback helps refine support processes and documentation, meaning fewer surprises later. Only once recovery processes, device policies and user guidance are clear does it make sense to expand further. Even then, keeping passwords as a fallback for a period is normal, especially while third‑party services catch up, though a password that remains as a fallback is still a target, so it should stay covered by MFA and be removed once the user no longer needs it.
Passkeys reduce the risk of stolen credentials, but they don’t stop someone approving a malicious action if they’re convinced it’s legitimate, so social engineering and invoice fraud still need controls beyond sign‑in security. Nor do they protect a session once it has been established: a compromised device or a stolen session token bypasses the sign‑in entirely. They also don’t replace the need for monitoring, backups or clear joiner and leaver processes. Identity is just one part of a wider picture, and passkeys should be seen as a strong component rather than a complete solution.
The appeal of passkeys isn’t just security. They acknowledge how people behave at work: fewer secrets to remember and fewer opportunities for attackers to exploit fatigue or distraction. For UK SMBs, that balance between protection and usability matters because anything that slows work down tends to be bypassed. Passkeys aren’t a switch that gets flipped, but they are a clear signal of where authentication is heading. Approached gradually, with the right expectations, they can reduce risk and friction at the same time, which is something passwords were never very good at doing.