Passwords are the weakest part of almost every business we look at. Not because anyone is careless, but because the design asks something unreasonable of people: invent dozens of long, unique, meaningless strings, never write them down, never reuse one, and correctly tell a real login page from a very good copy of it while you are busy. Nobody manages that. Passkeys are the technology built to stop asking.
What makes them unusual is that they are the rare security improvement that also makes life quicker. Most of what we recommend adds a step. This removes one.
What a passkey actually is
A passkey lets you sign in with whatever already unlocks your device: a fingerprint, a face scan, or the PIN you use on your phone. No password is typed, because none exists.
Underneath, setting one up creates a matched pair of cryptographic keys. The private one is locked into your device and never leaves it, not when you sign in, not ever. The public one is handed to the website, which is welcome to it, because on its own it is useless. When you come back to log in, the site poses a mathematical question that only the private key can answer. Your device answers it the moment you confirm with your fingerprint, and you are in. This is a published standard called FIDO, which Apple, Google and Microsoft have all built into their platforms.
A password is a secret you hand to a website every single time you sign in. A passkey never leaves your device at all.
Why they cannot be phished
This is the part worth understanding, because it is not a matter of degree. A passkey is cryptographically bound to the real website it was created for. Put a user in front of a flawless replica of the Microsoft 365 login page and the passkey will simply refuse to work. There is no judgement call, no moment where a tired person squints at a domain name and decides it looks close enough. There is nothing to hand over.
Compare that with how most break-ins actually begin. A convincing email, or a QR code on a poster that leads somewhere it should not, as we wrote about in quishing, the QR code scam your email filter cannot see. Every one of those attacks depends on a person typing a secret into the wrong box. Take away the secret and the attack has nothing to collect.
Two more things follow from the same design. There is no password list to steal when a vendor is breached, because the vendor never held one. And passkeys are generated per site, automatically, so reused and recycled passwords stop being a category of problem.
It is also worth being blunt about the multi-factor authentication most businesses are running today. SMS codes can be intercepted or socially engineered out of someone on the phone. Push approvals can be spammed at midnight until a half-asleep person taps yes. Both are far better than nothing. Neither is phishing-resistant.
The Essential Eight has already moved on this
This is the part most of the international coverage misses, and it matters more to an Australian business than anything else on this page.
The Australian Signals Directorate and the ACSC updated the Essential Eight so that Maturity Level 2 requires phishing-resistant multi-factor authentication for privileged user accounts, sensitive data repositories, and actions that use elevated privileges. In the same movement, SMS codes and ordinary Authenticator push approvals are treated as legacy methods rather than the standard to aim at.
So if you are working toward the Essential Eight, or a customer or insurer has started asking harder questions about how your administrators sign in, passkeys are not a speculative upgrade. They are the direction the guidance has already taken. It is the same reason the multi-factor question keeps appearing on cyber insurance renewal forms, and the answers there are getting more specific each year.
Phishing-resistant sign-in is no longer the gold standard. For privileged accounts under Essential Eight Maturity Level 2, it is the baseline.
Where passkeys already work
Further than most people assume. Microsoft, Google and Apple accounts all accept them, alongside a lengthening list of banks, password managers and business applications. The phone in your pocket and the laptop on your desk can already store and use them, because support is built into the operating systems and browsers rather than bolted on.
There are two flavours, and the difference matters when you plan a rollout.
- Synced passkeys are backed up to your Microsoft, Apple or Google account. They follow you across your devices, and losing a phone is an inconvenience rather than a crisis.
- Device-bound passkeys live on one device only, such as a hardware security key you carry on a keyring. This is the most locked-down option, and the usual choice for administrator and finance accounts.
If you run Microsoft 365, you already have this
Passkeys are available through Microsoft Entra at no extra cost, including on the free tier. Your team can hold a passkey in the Microsoft Authenticator app, on a security key, or on the device itself via Windows Hello, Face ID or Touch ID. Google Workspace supports them too. For most of our clients this is a configuration change and a rollout plan, not a purchase.
Microsoft's own figures put a synced passkey sign-in at roughly three seconds, against about sixty-nine seconds for a password plus a traditional multi-factor code. That is fourteen times faster. Spread across every person in the business, every day, for a year, it stops being a rounding error. It is not often that the safer option is also the one your staff will thank you for.
How to roll them out without locking anyone out
The technology is the easy half. Almost every passkey rollout that goes badly goes badly for the same handful of reasons, so plan for these.
- Start where an attacker would. Administrators, finance, and anyone who can move money or change systems. That is also precisely the group Essential Eight Maturity Level 2 names.
- Let everyone else opt in alongside their existing login. There is no need for a big-bang cutover, and there is no prize for one.
- Register a backup before anyone needs it. A second device, or a security key in a drawer. The lockout stories almost always trace back to a single registered device and no plan.
- Turn the weak fallback off. This is the step people miss. If SMS codes remain enabled as a backup, an attacker will simply choose the backup, and you have bought yourself very little. Phishing-resistant only means something when the phishable route is closed.
- Deal with shared devices and shared logins. A passkey belongs to a person and a device. Shared accounts need their own plan, and in most cases they need to stop existing.
What to watch out for
Passkeys are not magic, and it would be a poor advertisement for us to pretend otherwise.
Account recovery is the real one. Someone who loses their only registered device, with no backup, is going to have a bad morning and so is whoever supports them. Synced passkeys and a second registered device solve it, but only if you set that up in advance.
Coverage is still uneven. The major platforms are there, but plenty of older line-of-business systems and smaller vendors have not arrived yet, so you will run passwords alongside passkeys for a while. That is fine. It is not a reason to delay protecting the accounts that matter most.
Where we land on this
For most businesses across Melbourne and the Mornington Peninsula, the answer is yes, and the answer is start small. Not everything, not overnight. Turn passkeys on for the handful of accounts that would do the most damage in the wrong hands, register the backups properly, close the weak fallback, and let the rest of the business adopt them because they are faster.
That last part is genuinely unusual in cyber security. Most of what we ask people to do costs them a few seconds and some patience. This one gives the seconds back. If you would like it switched on properly, that is the sort of work AgileSECURE exists to do, and if you are earlier in the journey the cyber security basics are the right place to start.
Frequently asked questions
What is a passkey, in plain English?
It is a way of signing in using the fingerprint, face scan or PIN that already unlocks your phone or laptop, with no password anywhere in the process. Your device proves who you are to the website directly, so nothing is typed in and nothing is stored on the far end that could be stolen.
Are passkeys genuinely safer than passwords?
Yes, and the difference is structural rather than incremental. A passkey cannot be handed to a fake login page, because it only ever works on the real domain it was created for. There is no password sitting in the website's database to be stolen in a breach, and nothing to reuse across accounts. The Australian Signals Directorate and the ACSC now expect phishing-resistant sign-in of this kind for privileged accounts under Essential Eight Maturity Level 2.
What happens if I lose the device that holds my passkey?
If it was a synced passkey it is backed up to your Microsoft, Apple or Google account and is still there on your other devices. If it was device-bound and you registered no backup, you fall back on account recovery, which is slow and occasionally painful. This is why registering a second device or a security key before you need it is the step nobody should skip.
Does Microsoft 365 support passkeys, and does it cost extra?
Yes, and no. Passkeys are available through Microsoft Entra at no additional cost, including on the free tier. Staff can sign in with a passkey held in the Microsoft Authenticator app, on a hardware security key, or on the device itself through Windows Hello, Face ID or Touch ID.
Do passkeys replace multi-factor authentication?
A passkey is already multi-factor. Using it requires the device (something you have) and the fingerprint, face or PIN that unlocks it (something you are, or something you know). That covers two factors in a single step, which is why it can replace the old password-plus-SMS-code routine rather than sit on top of it.
Do passkeys satisfy the Essential Eight?
Passkeys are one of the accepted ways to meet the phishing-resistant multi-factor authentication requirement that Essential Eight Maturity Level 2 applies to privileged users, sensitive data repositories and elevated privilege actions. They are not a whole compliance programme on their own, and leaving a weaker fallback such as SMS enabled can undo the benefit, so the configuration matters as much as the technology.