TL;DR:

  • Passkeys replace passwords with cryptographic keys stored on your device — they can’t be phished, guessed, or stolen in data breaches because there’s no password to steal
  • Microsoft 365, Google Workspace, and most major SaaS platforms used by small businesses now support passkeys as of 2026
  • Rollout for a small team takes an afternoon; the main friction is staff training, not technical complexity

Passwords have been the primary vulnerability in small business security for decades. Not because businesses don’t use good passwords — most now use password managers and multi-factor authentication — but because even good passwords can be phished. A convincing fake login page captures the password and the MFA code together, and the attacker is in. This is not a theoretical risk: business email compromise, which almost always starts with a phished credential, caused £1.3 billion in losses to UK businesses in 2025 alone.

Passkeys solve this at the root. There is no password to phish. There is no MFA code to intercept. Here’s what that means in practice and how to actually deploy them.

What a Passkey Is (Without the Jargon)

When you set up a passkey for an account, your device generates a pair of cryptographic keys: a private key that never leaves your device and a public key that’s stored on the service’s server. When you log in, the service sends a challenge to your device, your device signs it with the private key, and the service verifies the signature with the public key. The whole thing happens in the background while you authenticate with Face ID, fingerprint, or your device PIN.

What this means for security:

It can’t be phished. Passkeys are bound to the specific website they were created for. A fake login page at microsoΓt.com will never receive the correct response because your device knows it’s not microsoft.com. The cryptographic binding is automatic — it requires no judgement from the user.

It can’t be leaked in a data breach. The server only ever has the public key. Even if the service’s database is compromised, there’s nothing useful to steal — you can’t derive the private key from the public key.

It doesn’t require a separate second factor. The biometric check on your device is the authentication. You’re simultaneously proving that you have the device (something you have) and that your biometric matches (something you are). For most threat models this is stronger than password + SMS code.
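The challenge-and-signature login and the site binding described above, as an added Node.js sketch (not code from this article or from any platform it names, and not a full WebAuthn implementation). The domains login.example.com and login.examp1e.com are constructed, the function names are hypothetical, and the site ID is matched exactly for simplicity.

```javascript
// Added illustration: simplified WebAuthn-style passkey login (constructed names throughout).
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: the device makes a key pair scoped to one site (the RP ID).
// The server record holds only the public key.
function createPasskey(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { rpId, privateKey }, serverRecord: { rpId, publicKey } };
}

// Login, device side. The browser, not the user, supplies the origin it is really on.
function signIn(device, origin, challenge) {
  // Simplification: exact host match (real WebAuthn also allows parent-domain RP IDs).
  if (new URL(origin).hostname !== device.rpId) return null; // no passkey for this site
  const clientData = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  const authData = sha256(device.rpId); // real authenticator data adds flags and a counter
  const signed = Buffer.concat([authData, sha256(clientData)]);
  return { clientData, authData, signature: crypto.sign('sha256', signed, device.privateKey) };
}

// Login, server side: check challenge, origin and RP ID hash, then the signature.
function verifySignIn(serverRecord, expectedOrigin, expectedChallenge, response) {
  if (!response) return false;
  const { type, challenge, origin } = JSON.parse(response.clientData.toString());
  if (type !== 'webauthn.get' || challenge !== expectedChallenge) return false;
  if (origin !== expectedOrigin) return false;
  if (!response.authData.equals(sha256(serverRecord.rpId))) return false;
  const signed = Buffer.concat([response.authData, sha256(response.clientData)]);
  return crypto.verify('sha256', signed, serverRecord.publicKey, response.signature);
}

function demo() {
  const { device, serverRecord } = createPasskey('login.example.com');
  const origin = 'https://login.example.com';
  const challenge = crypto.randomBytes(32).toString('hex');
  const good = signIn(device, origin, challenge);
  return {
    genuine: verifySignIn(serverRecord, origin, challenge, good),            // accepted
    lookalike: signIn(device, 'https://login.examp1e.com', challenge) === null, // nothing signed
    replay: verifySignIn(serverRecord, origin, crypto.randomBytes(32).toString('hex'), good),
  };
}
```

Calling demo() returns genuine: true, lookalike: true and replay: false: the lookalike site gets no signature at all, and a captured response is useless against the next login's fresh challenge.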

Which Business Accounts Support Passkeys in 2026

Coverage has expanded rapidly. The accounts that matter most for small businesses:

Microsoft 365 — Passkeys supported for personal Microsoft accounts since 2023; business accounts (Entra ID) added support in 2024/2025. If your team uses Microsoft 365 for email and Office apps, you can enable passkeys now through Entra ID’s authentication methods policy.

Google Workspace — Passkeys are the default login for new Google accounts and can be enabled for Workspace accounts via the Admin Console. Google reports that passkey sign-ins are faster than password + MFA and have a lower support burden.

Xero and QuickBooks — Both accounting platforms support passkeys as of their 2025 updates. Given that these hold financial data, this is a high-value target to protect.

1Password, Bitwarden — The irony of passkeys in a password manager isn’t lost on anyone, but both now support passkey authentication to protect the vault itself. This matters: compromising the password manager is the highest-leverage attack on a business that uses one.

Stripe, Shopify, WooCommerce admin — E-commerce and payment platforms have rolled out passkey support, though rollout has been phased and some features are still in beta depending on your plan.

Cloudflare, AWS, Azure — Cloud and infrastructure providers now support passkeys for console access. If you run any cloud infrastructure, this should be a priority.

How to Roll Out Passkeys to a Small Team

The process is simpler than most security upgrades. There’s no software to install, no infrastructure to configure beyond enabling the feature in your admin console.

Week 1: Enable and test yourself. Before rolling out to the team, enable passkeys on your own accounts. Start with your Google Workspace or Microsoft 365 admin account — the highest-value credential you hold. Register a passkey, then test that login works on your primary device and a backup device (or recovery key).

Week 2: Prepare for the team. Write a one-page guide for your specific platforms showing exactly how to register a passkey. Screenshots help. Set up a 30-minute slot where everyone can do it together — it’s faster with someone to answer questions.

Week 3: Team rollout. Prioritise email and cloud admin accounts first. Don’t try to do everything at once. Give staff a week to get comfortable with the new login flow before adding more accounts.

Week 4–ongoing: Expand and enforce. Add passkeys to more platforms as they’re needed. Once the team is comfortable, you can enforce passkey-only login for critical accounts through your admin console if desired.

Common Questions

What if someone loses their device? Passkeys sync across devices through iCloud Keychain (Apple), Google Password Manager, or a password manager like 1Password. If a device is lost, the passkey is still on other enrolled devices. Revoke the passkey for the lost device from your account settings. Account recovery processes exist for the case where all devices are lost simultaneously.

Do staff need compatible devices? Any iPhone running iOS 16 or later, any Android device running Android 9 or later, or any Windows 10 PC with Windows Hello supports passkeys. That covers essentially all business hardware from the last five years.

What about shared accounts? Passkeys are per-device and per-person. If multiple people need access to a shared account (a social media account, a shared email inbox), shared access tools like 1Password Teams handle this through a passkey stored in a shared vault.

Passwords had a good run. For accounts worth protecting, passkeys are strictly better — more convenient, more secure, and increasingly expected by the platforms your business depends on.