Passkeys vs Passwords 2026 | Northstar IT

Passkeys vs. Passwords in 2026: What BC Businesses Need to Know

Passkeys are showing up in Microsoft, Google, and Apple account prompts with increasing frequency in 2026. If you've seen a "Sign in with a passkey" option and dismissed it as another tech thing to deal with later, this post explains what's actually happening, and why it matters for how your business handles authentication.

Overview

What a Passkey Actually Is

A passkey is a cryptographic credential that lives on your device and replaces a password entirely. When you authenticate, your device uses the private key stored on it to prove your identity to the server, without ever sending that private key anywhere. The server stores only the corresponding public key, so there is nothing useful to steal from the server database.

Passkeys are:

  • Device-bound or synced: Generated on your device. With platforms like Apple iCloud Keychain and Google Password Manager, they can sync across your devices within the same ecosystem.
  • Site-specific: A passkey created for Microsoft cannot be replayed on a fake Microsoft site. The passkey is cryptographically bound to the legitimate domain. This is what makes them phishing-resistant.
  • No shared secret: Unlike passwords, there is no passphrase that exists on both the server and your device. Even if a site's database is breached, there's no password to extract.

How Passkeys Compare to Passwords + MFA

You might think that passwords plus MFA are already secure enough, and in most cases they are very good. But passwords with MFA have one remaining weakness: real-time phishing.

In a real-time phishing attack, the attacker runs a proxy between the legitimate site and the victim. When the victim enters their password and MFA code, the proxy forwards both to the real site in real time, establishing a legitimate session. The attacker then uses that session. This technique, sometimes called an adversary-in-the-middle (AitM) attack, bypasses most MFA implementations.

Passkeys are immune to this because the cryptographic response is bound to the legitimate domain's origin. The passkey will not authenticate to a proxy or a fake site: the origin check simply fails, and no usable response is produced.

For most SMB use cases, this is a genuine security improvement over passwords + TOTP MFA. Phishing-resistant MFA (passkeys or FIDO2 keys) is also what many cyber insurance underwriters mean when they ask whether you have "phishing-resistant MFA."


Business Deployment Reality in 2026

Where are passkeys actually usable for BC businesses right now?

Microsoft: Microsoft Entra ID (formerly Azure AD) supports passkeys via the Microsoft Authenticator app and FIDO2 hardware security keys. You can enable passkey authentication for your M365 users today. Microsoft is actively pushing users toward passwordless sign-in.

Google Workspace: Passkey support is available for Google accounts and Google Workspace. Admin controls let you require passkeys for specific user groups.

Consumer accounts: Personal Microsoft, Google, and Apple accounts all support passkeys. If your staff use personal Microsoft accounts for any work purpose (not recommended, but common), they can use passkeys there.

Third-party SaaS: Adoption varies widely. Many SaaS platforms support FIDO2/passkeys for SSO via your identity provider (M365 / Entra ID), but may not yet support native passkey login. Check each platform individually.


What This Means for Your Current Setup

For most BC SMBs in 2026, the practical recommendation is:

  • Don't disrupt a working MFA rollout to rush to passkeys. If your team is on Microsoft Authenticator with number matching, that's strong authentication. Finish the MFA rollout first.
  • Pilot passkeys with technical users. Entra ID passkey support is production-ready. A small pilot with IT-savvy users builds familiarity before broader rollout.
  • Require passkeys for admin accounts. Admin accounts at all organisations should use phishing-resistant authentication. FIDO2 keys or passkeys qualify. SMS MFA for admins should be blocked regardless.
  • Plan for the transition. Passkeys will become the default for major platforms within the next few years. Building familiarity now reduces the disruption when it becomes standard.

Frequently Asked Questions

What if an employee loses their device? Do they lose their passkeys? For synced passkeys (Apple/Google ecosystem), the passkey syncs to the user's other signed-in devices. For device-bound passkeys (FIDO2 keys, or Authenticator without sync), a recovery process is needed. Microsoft Entra allows admins to register multiple authentication methods per user, so a user can have both a passkey and an Authenticator app as a backup.

Are passkeys right for a 10-person office in Prince George with limited tech expertise? Not as a first priority in 2026: get MFA deployed across all accounts first. Passkeys are a meaningful upgrade after that foundation is in place. The setup process is intuitive for most users once the IT environment is prepared.

Talk to a Prince George-based IT team about modernising your authentication setup: call 672-983-1174 or book a free assessment at northstarit.ca.

Ready to modernise authentication for your business?

North Star can assess your current identity setup and build a roadmap from passwords to passkeys at a pace that fits your team. Start with a free assessment.
