In late 2022, Microsoft announced that it was transitioning its customers to use passkeys for authentication instead of passwords. The reason is simple: passwords are insecure and get in the way of productivity.
In the ensuing months, other technology giants joined Microsoft in announcing they, too, would be supporting passkeys. Now, in the first half of 2025, Apple, Google, and Microsoft are all enabling passkeys in their software and services.
Together, these tech titans will have billions of users and hundreds of millions of organizations that use their technology. The implications for the world’s cybersecurity posture are immense.
Let’s explore the technology behind passkeys, understand why they are so much more secure than passwords, and look at how Apple, Google, and Microsoft are enabling them for their users.
What are passkeys?
A passkey is a digital credential that enables a user to log into an online service without having to enter a password. Instead, the user authenticates using the device-based authentication factor that is already unlocked on their device.
This works by using the Web Authentication (WebAuthn) standard that allows a user’s device to create a cryptographic key pair. The public key is shared with the website they are logging in to, while the private key remains on the user’s device.
When the user visits the website and wants to log in, their device will provide the private key, which is used to create a digital signature that proves the user is who they claim to be. This signature is sent to the website, which can then verify that it was created by an authentic user.
This is much more secure than traditional password-based authentication, which relies on users to choose and remember complex passwords, and then transmit those passwords over the internet in plain text whenever they want to log in.
Passkeys eliminate the need for users to remember passwords, and they also eliminate the ability for attackers to phish those passwords from unsuspecting users.
How passkeys differ from passwords and traditional MFA
Let’s explore some of the key differences between passkeys and passwords and traditional multi-factor authentication (MFA) methods.
Security: Passwords are easily phished, stolen in breaches, and reused across sites. Passkeys are phishing-resistant by design, because the authentication factors used to create a passkey are tied to a specific device, and cannot be phished.
User experience: Typing in passwords is cumbersome, and users often have to reset them frequently. Passkeys eliminate this problem by allowing users to log in with just a touch or a glance at their device.
Attack resistance: Weaknesses in passwords and MFA methods make them susceptible to man-in-the-middle (MitM) attacks, social engineering, and account takeovers. Passkeys are resistant to MitM and social engineering because the authentication factors are tied to the user’s device and are not transmitted over the internet.
These differences are critical, because they mean that passkeys are much more secure than passwords and traditional MFA methods, and they also make them much easier for users to use.
The major players driving 2024-2025 adoption
In 2024, Apple, Google, and Microsoft made significant commitments to enable passkeys for their users.
Apple: Apple’s iCloud Keychain has supported passkeys since iOS 16, which was released in the fall of 2022. By 2024, iCloud Keychain supported passkeys for all of its users, making it easy for them to log in to websites and apps using just their iPhone, iPad, or Mac.
Google: Google announced at its I/O conference in May 2024 that it would be enabling passkeys for its users. Google plans to enable passkeys by default for all new accounts, and for existing accounts that use its Password Manager.
Google’s move is significant because it has hundreds of millions of users and a massive ecosystem of websites and apps that use its authentication technology.
Microsoft: Microsoft has been enabling passkeys for its customers since 2023, and by 2024, 70% of Fortune 500 companies had started using them. Microsoft’s Passwordless Sign-in enables users to log in to websites and apps using just their Windows device, without having to enter a password. It also allows users to log in using their phone, as long as they have the Microsoft Authenticator app installed.
Microsoft’s Passwordless Sign-in is available to all users, and it works seamlessly across Windows, Android, and iOS devices. Is your company ready to move to passkeys? Contact us to learn more about planning your transition.
Real-world enterprise rollouts
Google Workspace is a cloud-based productivity suite that includes Gmail, Google Docs, Google Meet, and Google Drive. In 2024, Google Workspace began enabling passkeys for its customers.
Uber and Bank of America were among the early adopters, and both reported significant improvements in user sign-in times and a 99.9% reduction in phished credentials.
These improvements are critical because phished credentials are the leading cause of account takeovers. By eliminating the ability of attackers to phish credentials, passkeys make it much harder for attackers to gain unauthorized access to accounts.
Seattle-Tacoma SMB Example
Local firms like Premera Blue Cross (healthcare) transitioned via Microsoft Entra in 2024, aligning with HIPAA. The transition to passkeys can be made easier with the right managed IT services.
These improvements are critical because phished credentials are the leading cause of account takeovers. By eliminating the ability of attackers to phish credentials, passkeys make it much harder for attackers to gain unauthorized access to accounts.
Phishing attacks drop dramatically
FIDO Alliance reports that passkeys block 100% of remote phishing attacks, since credentials will not work on fake sites.
These improvements are critical because phished credentials are the leading cause of account takeovers. By eliminating the ability of attackers to phish credentials, passkeys make it much harder for attackers to gain unauthorized access to accounts.
Implementation challenges for Seattle-Tacoma SMBs
Switching from passwords + basic MFA isn’t seamless:
- Legacy App Compatibility: Older apps lack WebAuthn support; use SSO gateways like Okta or Entra ID proxies (80% of SMBs need this).
- User Training: Employees resist change; 20-30% initial friction until biometrics feel natural, pilot with IT first.
- Device Requirements: Needs modern devices (post-2020 smartphones/laptops); 15-25% of SMB workforces may need upgrades, especially in Tacoma’s mixed fleets.
These challenges are significant, but they are not insurmountable. For example, Apple, Google, and Microsoft all have resources to help organizations transition to passkeys. And many third-party tools are available to help with compatibility and user training issues. Passkeys help meet compliance goals.
Step-by-step transition roadmap
- Audit Current Auth: Inventory apps/users with tools like Microsoft Entra or FIDO verifier; identify password-reliant systems (1-2 weeks).
- Pilot with IT: Enroll 10-20 IT staff using platform authenticators (free, e.g., Windows Hello); test SSO integration (1 month).
- Expand to High-Risk Users: Roll out to finance/HR (e.g., HIPAA-regulated in Seattle healthcare SMBs); enforce device-bound for compliance (2-3 months).
- Full Rollout: Automate via group policy; hybrid with passwords as fallback, monitor via attestation logs (3-6 months total).
These steps will help organizations transition to passkeys in a way that is both secure and manageable.
Cost Considerations
| Option | Cost per User/Year | Pros | Cons | Best for SMBs |
|---|---|---|---|---|
| Hardware Keys (e.g., YubiKey) | $20-50 | Highest security, attested device-bound | Lost key recovery, per-user purchase | High-risk (e.g., CMMC defense contractors in Tacoma) |
| Platform Authenticators (e.g., Phone Biometrics) | Free | No extra hardware, synced | Device dependency | Most SMBs, start here for 90% coverage |
| Hybrid (Synced + Device-Bound) | $5-15 (cloud mgmt) | Backup flexibility | Synced weaker (no attestation) | Seattle IT managers balancing usability/security |
Total SMB rollout: $10-30/user initially, ROI in 6 months via reduced breaches (average $4.5M cost).
These costs are not insignificant, but they are a small price to pay for the improved security and productivity that passkeys enable. And many organizations will be able to take advantage of free platform authenticators, like Windows Hello or the Google Authenticator.
Compliance Implications
Passkeys meet or exceed HIPAA, CMMC, and cyber insurance mandates for phishing-resistant MFA. HIPAA requires strong authentication for PHI; passkeys qualify as biometric MFA without passwords. CMMC 2.0 Level 2 favors FIDO2 (device-bound attested) for DoD contractors in Puget Sound. Insurers like Seattle’s Chubb now discount premiums 20-30% for passkey adoption, citing zero phishability.
This shift is genuinely positive: simpler logins, unbreakable phishing defense, and compliance edge make passkeys essential for SMB security in 2025. Start small for quick wins.
Need help with passkeys? RainCity Techworks provides Seattle IT support and Tacoma IT support for Seattle-Tacoma businesses. Schedule a free consultation today.