Passkeys Could Help Organizations Go Password-Free

• Passkeys are local cryptographic keys stored securely on a user’s device, such as a mobile phone.
• Passkeys offer more secure access to applications than user-created passwords, while also effectively eliminating phishing.
• Organizations should test passkeys to ensure users can use them to access the applications they need.

To help users and organizations improve their security, Microsoft has added passkey support to its range of applications and both business- and consumer-focused identities. Passkeys—which are usually locked in secure storage on a phone, laptop or security key—replace user-chosen passwords with cryptographically secure credentials that transparently grant the user access to the Web sites and applications that issued them. Unlike passwords that rely on simple strings of characters, passkeys are locked to a device and cannot be shared intentionally or accidentally, which helps make passkeys more secure and eliminates the risks of poorly chosen, repeated, or compromised passwords. Microsoft’s implementation of passkeys began in 2024 and is still in early phases with some feature development remaining. However, users and organizations should be adopting them now for applications that need increased security against phishing or similar attacks. Organizations working toward a password-free future should begin testing passkeys within their IT organization soon to assess how well the capability might work for their end users, and what enhancements may still be needed within the core design.