Passkeys in 2025 – How to Replace Passwords Without Breaking the Business

Most breaches start with a login prompt and a tired human. Password reuse, dodgy reset links and rushed approvals keep paying attackers. Passkeys offer a cleaner route: cryptographic keys that live on your devices and prove you are you without sending secrets across the wire. In 2025 that shift has gone from theory to action. The UK’s National Cyber Security Centre is urging organisations to adopt passkeys and password managers as standard practice, with clear guidance published in June 2025 on using both in tandem to cut phishing risk. If you run a small or mid-sized firm, the choice is simple. Keep patching a leaky password boat, or start migrating to sign-ins that are quicker for staff and harder for criminals.

This article explains what passkeys are, where the pitfalls hide, and how to deliver a sensible rollout that fits real diaries and realistic budgets. You will also get a practical map for migrating accounts, training people and measuring progress, so the project survives beyond month one.

Passkeys in plain English

A passkey is a pair of keys created on a device. The private half stays with the user. The public half sits with the service. At sign-in, the device proves possession of the private key, often with Face ID, Windows Hello or a security key. No OTP codes, no copy-paste, no shared secrets for attackers to steal. Phishing fails because the passkey only works with the genuine website. Even a perfect clone of your sign-in page cannot use the key.

That sounds academic until you try it. Colleagues approve a prompt with a fingerprint and move on. Support teams field fewer resets. Finance no longer waits for text messages that arrive late, or never.

Why this matters in 2025

Three shifts make the timing right. First, cloud apps now support passkeys widely. Second, device platforms have matured in how they store and sync them. Third, regulators, insurers and large customers increasingly expect phishing-resistant authentication on accounts that touch sensitive data.

If you need a refresher on the wider risk picture, our article How to Protect Your Intellectual Property from Hackers explains how credential theft cascades into data loss and legal trouble. Passkeys strike at the root because they remove passwords from the equation.

Common myths you can drop

“We’ll have lockouts if people lose phones.” Passkeys can be stored in several places: a phone, a laptop TPM, or a hardware key. Account recovery flows support fallbacks the same way they do for MFA today, only with better logs.

“We need to re-engineer everything.” Most cloud suites already support passkeys under FIDO standards. The trick is less engineering and more sequencing and change management.

“It’s slower for staff.” In practice, it is faster. Approving with a fingerprint beats typing a complex string, then juggling a six-digit code that expires while you blink.

A 12-month migration plan

You do not need to flip a giant switch. Work in phases that de-risk the sharp edges.

Quarter 1 – Prepare and pilot

1. Pick two target systems that carry risk and are easy to change, such as Microsoft 365 and your CRM.

2. Decide your storage model. For most firms, a combination works well: platform passkeys on managed laptops for everyday sign-ins, plus a physical key for admins.

3. Set the policy baseline. Require phishing-resistant authentication for admin roles from day one. Keep a clear recovery process that a non-technical manager can follow.

4. Run a tiny pilot with a mixed group: finance, sales, operations and IT. Capture rough edges, like old browsers or remote users with unmanaged devices.

5. Write a one-page “how it works” explainer for staff, with screenshots. Keep jargon out. No one needs the cryptography.

Quarter 2 – Expand carefully

1. Add your top five SaaS apps, starting with those holding personal data or money.

2. Switch off SMS OTP for anyone with a working passkey. Text messages are a gift to attackers and a tax on patience.

3. Update joiner and leaver workflows. New starters should create a passkey on day one. Leavers must return hardware keys and have platform passkeys revoked.

4. Schedule short floor-walks during the first week of rollout. A friendly five-minute visit fixes more friction than another email.

Quarter 3 – Tidy the edges

1. Mop up legacy logins hiding behind single sign-on. Old dashboards love passwords. Give them a deadline.

2. Add secure recovery options. Store a break-glass admin key in a sealed envelope in the safe, and a duplicate with a director. Test both twice a year.

3. Revise your supplier questionnaire so every new tool supports passkeys and admin access with hardware tokens. Your future self will say thanks.

Quarter 4 – Measure, enforce, optimise

1. Turn on enforcement for all users except a small subset kept for edge-case testing.

2. Publish adoption metrics at the all-hands: percent of users on passkeys, number of password resets saved, phishing incidents blocked.

3. Refactor runbooks so incident response assumes passkeys are the norm. Password-only accounts should be treated as exceptions that need rapid retirement.

What it costs and where you save

You can move far without big spend.

• Licences: Native passkey support is built into the major platforms. Many firms pay nothing extra.

• Hardware keys: Budget roughly £40–£60 per key for admins and shared-kiosk users.

• Time: The biggest cost is planning and short training sessions. The payback is fewer help-desk tickets and less time wasted on reset codes.

Expect reductions in account-takeover investigations and fraud checks. Directors will care about that line on the monthly report.

People and comms make this land

Technology changes fail when people do not know what is happening. Treat this like a small product launch.

• Explain the why. Password theft drives incidents. Passkeys fix the root cause.

• Keep the message human. “Tap your fingerprint to sign in” beats “adopt FIDO2 asymmetric cryptography”.

• Use champions. Recruit one volunteer in each department to answer quick questions and collect feedback.

• Train by doing. Five-minute desk-side demos and short videos beat long webinars.

Keep tone supportive. Curious questions deserve friendly answers even when the fix is obvious.

What to do about shared devices and contractors

Kiosks, lab machines and partner logins can be tricky.

• For shared devices, prefer hardware keys checked out to roles rather than people. Store them in a locked cabinet and track with a simple sign-in sheet.

• For contractors, insist on passkeys in their own tenant accounts or issue temporary identities under your control. Avoid sharing a single generic account with a password taped under a keyboard.

Tying passkeys into identity governance

Passkeys touch several parts of your security stack. Align them with access reviews, conditional policies and device health.

• Access reviews: When managers certify access each quarter, include a check that the user’s authentication method is phishing-resistant.

• Conditional access: Require passkeys for risky conditions such as new locations or unmanaged browsers.

• Device signals: Pair passkeys with device posture so sensitive apps open only on healthy, encrypted hardware.

Proving the business case

Boards like proof. Fortunately, the data is moving your way. The FIDO Alliance’s 2025 research reports rising awareness and adoption, with a majority of respondents who know passkeys rating them as both safer and easier than passwords. Internally, you can track wins that matter to finance and operations:

• Password resets avoided this quarter

• Time saved per login for frontline teams

• Phishing attempts that failed because the account had no password to steal

• Reduced spend on SMS

When a finance leader sees fewer reset tickets and a drop in spoofed-login incidents, support grows naturally.

Pitfalls to sidestep

Account recovery that nobody owns. If a device breaks on payroll day, who resets access and how fast? Write it down, practise it and time it.

Browser dead ends. Old versions may not support WebAuthn properly. Keep a short list of approved browsers and versions.

Unmanaged personal devices. Allow passkeys to sync only to devices you can wipe or block. If you enable personal-device sync, document the risk and apply data-loss controls.

Shadow accounts. Audit for stray admin users created years ago. Migrate or kill them. Unknown logins undermine progress.

What changes for support and audits

Help-desk work shifts from “I forgot my password” to “I replaced my phone”. That is a better problem. Support scripts should cover:

• Enrolling a new device without exposing recovery secrets

• Revoking a lost device’s passkeys and checking for suspicious sessions

• Issuing a temporary hardware key with a clear expiry date

Auditors will ask different questions too. Expect interest in how you recover accounts, how you provision keys for privileged users and how you validate that high-risk apps cannot fall back to passwords quietly.

Where the tech is heading

Vendors are leaning in. In May 2025 Microsoft described how passkeys and phishing-resistant authentication defeat modern identity attacks, and how default experiences are shifting to favour those methods by design. Expect better admin dashboards, clearer recovery prompts and simpler hardware-key enrollment over the next year.

How to measure success

Aim for a set of plain metrics that can sit in the monthly pack:

• Percentage of users with at least one passkey enrolled

• Percentage of privileged accounts protected by a hardware key

• Number of password-only accounts remaining by department

• Phishing-related incident count quarter-on-quarter

• Average time to recover a broken device for a payroll user

Publish these figures widely. Visibility keeps momentum high.

A short case study

A Bristol ecommerce firm moved customer-service staff to passkeys first, then expanded to finance and operations. The pilot cut login times on chat terminals by fifteen seconds per session, saving hours per week without any retraining cost. One month later a convincing invoice-change email failed because the attacker had no way to satisfy the passkey requirement on the accounts that controlled bank details. Confidence grew, support tickets fell, and adoption spread without heavy pushing.

For a broader perspective on risk themes across the business, see Top 5 Cyber Risks Faced by Businesses and How to Solve Them. Reducing password exposure improves several items on that list at once.

Final checks before you enforce

• All admins carry a hardware key and a platform passkey

• Recovery steps have been tested with a real broken device

• Legacy password backdoors are closed or scheduled for closure

• Supplier contracts for new tools require passkey support

• Staff know who to call when something odd happens

If these are true, you are ready to enforce passkeys for daily work. Start with the departments that feel the most pain from passwords and expand steadily.

Passkeys are not a silver bullet. They do, however, remove the easiest prize in cybercrime. With clear comms, a tidy recovery plan and steady sequencing, you can retire passwords without breaking the day job. The result is calmer support queues, fewer breaches to explain, and staff who sign in with a thumbprint and get on with their work.

Ready to plan your migration and cut password risk for good? Contact the Mustard IT team and we will map a phased rollout, train your champions and help you measure wins from the first month.