
Britain’s cyber security authority has, for the first time, told the public to choose passkeys over passwords wherever they can. Here’s what that actually means for the businesses still running on “Summer2025!” and a sticky note.
Last week at CYBERUK 2026 in Glasgow, the National Cyber Security Centre — the part of GCHQ that issues the UK’s official cyber guidance — formally recommended that passkeys should be the default way of logging in to online services where they are available. It’s a striking departure from decades of advice telling us to pick longer, stranger, more memorable strings of characters, and it follows a similar move by the UK government to roll passkeys out across GOV.UK services in place of SMS verification, a change expected to save several million pounds a year.
The NCSC still recommends a good password manager paired with two-step verification for the many services that have not yet added passkey support. But where the option exists, the message is clear: take it.
For small business owners, that translates into something simple: if your suppliers, banks and cloud platforms support passkeys — and most of the big ones now do — it is time to start switching over.
This week’s passkey checklist
If you read no further, do these five things:
- Turn on passkeys for your Microsoft 365 or Google Workspace admin accounts first, then your standard user accounts.
- Register passkeys on at least two devices per account (typically a phone and a laptop).
- Set up a working fallback for every account — recovery codes where offered, a second registered passkey where they’re not, and a Recovery Key on your Apple ID if you use iCloud Keychain.
- Review the registered passkeys and sign-in methods on your critical accounts and remove anything you don’t recognise.
- Make sure your IT provider has documented the recovery process before someone loses a phone — not after.
The rest of this article explains why, and what to do when things go wrong.
So what actually is a passkey?
A passkey is a replacement for a password. Instead of a string of characters you type in (and that an attacker can phish, guess or buy on a forum), your device generates a pair of cryptographic keys when you set up the passkey. The public key is sent to the website, which stores it against your account. The private key stays under the control of your device or credential manager: it is never typed in, never sent to the website, and never handed over to a fake login page. To prove who you are, the website sends a fresh random challenge, your phone or laptop signs it with the private key, and the website checks the signature with the public key it already has on file. Because each challenge is used once, a captured response is useless for a later login.
If you use a synced passkey, the credential can be securely synchronised between your trusted devices by your credential manager (Apple Passwords, Google Password Manager, Microsoft’s tools, 1Password, Bitwarden or Keeper, for example), so it is available on your phone, laptop and tablet without you having to set it up separately on each one. If you use a device-bound passkey, such as one stored on a hardware security key, it stays on that single device.
The bit you actually see is much simpler: when you sign in, your device asks for your fingerprint, your face, or your Windows Hello PIN, and a moment later you’re in. There is no password to remember, nothing to type, and crucially nothing useful to leak in a breach: if the website’s user database is stolen, the attacker gets only public keys, which cannot be used to sign in. Your biometric data also stays on your device, where it only unlocks the private key; the website never sees it.
Because the credential is scoped to a specific website domain, and it is the browser or operating system, not the user, that decides which domain is asking, passkeys are phishing-resistant by design in a way that even the best passwords paired with SMS or app-based 2FA simply are not. A fake “Microsoft 365 login” page can ask you to type a password and a one-time code and relay both to the real site within seconds; it cannot obtain a signature for the real microsoft.com, because your device will only offer the credential registered for the domain actually shown in the address bar, and anything it signs for a lookalike domain carries that domain inside the signed data.
Why now?
The technology has been around for a couple of years, but several things have changed in 2026 that make this the right moment for small businesses to act rather than wait.
The ecosystem has matured. Windows, macOS, iOS, Android, ChromeOS and every mainstream browser now support passkeys natively. Microsoft has made passkey profiles generally available in Entra ID, giving Microsoft 365 administrators meaningful control over device-bound and synced passkeys, including the ability to set different policies for admin and standard users. Apple, Google, eBay, PayPal, GitHub, AWS and many other major online services now support passkeys for sign-in. Banking support is improving too, but availability still varies considerably between providers — worth checking each of yours individually.
Adoption is no longer fringe. UK users currently lead the world: just over half of active Google account holders in Britain already have a passkey registered. Larger enterprises have moved fastest, but the platforms and tooling are now well within reach for small businesses too.
And the threat landscape has moved. The overwhelming majority of breaches affecting small businesses still begin with a stolen or phished credential. AI-generated phishing pages are now indistinguishable from the real thing to most users. Passkeys remove the typeable credential from the equation entirely, which is why the NCSC has shifted from cautious neutrality to active endorsement.
Where to start
You do not need to flip everything to passkeys overnight. The sensible approach is to enable them on the accounts that would hurt most if they were compromised, and then expand from there. For most small businesses that ordering looks something like:
- Microsoft 365 or Google Workspace — the master keys to your email, files and identities.
- Online banking and payment platforms — anything that moves money, where supported.
- Domain registrar and DNS host — losing these can be catastrophic.
- Accounting software (Xero, QuickBooks, Sage), CRM and any system holding client data.
- Admin accounts before regular user accounts, every time.
Keep your existing password manager — passkeys do not replace it for the long tail of services that do not yet support them, and most modern password managers can store and sync passkeys alongside passwords.
How to make sure you don’t lose your passkeys
This is the part most articles gloss over, and it is the question every business owner asks first. The risk of being locked out is real but very manageable if you set up properly from the start.
For most small businesses, the safest practical setup is to use a reputable credential manager that can sync passkeys across trusted devices — Apple Passwords, Google Password Manager, Microsoft’s tools, or a third party like 1Password, Bitwarden or Keeper. That way, losing one phone does not automatically mean losing access to every account. A synced passkey is encrypted end-to-end before it leaves the device, so the private key is not visible to Apple, Google or your password manager: the decryption keys are tied to your own devices’ screen lock, passcode or master password, not held by the provider. The NCSC is, however, clear that the security of your sync setup matters: the credential manager account is now the thing that unlocks everything else, so protect it with strong, phishing-resistant authentication of its own.
For the most sensitive accounts — your Microsoft 365 global admin, your bank, your domain registrar, your finance systems — consider adding hardware security keys as an extra, device-bound backup. A pair of FIDO2 keys (YubiKey or similar, around £40–£60 each), with one enrolled and the spare locked in a safe or off-site, gives you a recovery path that is independent of any cloud account. Hardware keys are not inferior to synced passkeys; they trade convenience for stronger isolation, which is exactly what you want behind the most valuable accounts.
Beyond that, build in redundancy. Most services will let you register more than one passkey on an account, and you should treat this as standard practice. Register passkeys on your work laptop and your phone at minimum, and ideally on other devices too.
Finally, make sure each account has a working fallback. Some services (Google, GitHub, Microsoft personal accounts and others) issue one-time recovery codes when you enable strong authentication — print them and store them somewhere physically secure, treating them with the same respect you’d give a cheque book. Apple’s iCloud Keychain works differently: there is no per-passkey recovery code, but you can — and should — generate a Recovery Key in your Apple ID settings, and consider adding Recovery Contacts as well. For Microsoft 365, Google Workspace and other business cloud accounts, the equivalent is having multiple authentication methods registered and an administrator who can reset them. The principle is the same in every case: don’t rely on a single passkey on a single device.
One thing that is not worth doing: screenshotting any QR code that appears during passkey setup or sign-in. Those QR codes are short-lived, one-time handshakes that let a nearby phone act as the authenticator for a laptop; they are not the passkey itself. The actual private key is generated and held by your credential manager or your device’s secure hardware and never appears in a QR code, screenshot, email or anything else you can capture and store yourself. There is nothing visual you can save to recreate it later. Real backups mean synced credential managers, multiple registered devices, hardware keys, and the fallback options above.
What to do if a passkey is lost or stolen
The first thing to understand is that a “lost” passkey on a stolen phone is not the same as a stolen password. To use the passkey, an attacker would still need to defeat your phone’s screen lock and biometric. That is a meaningfully high bar, and unlike a password, an attacker cannot simply type, reuse or replay it.
That said, you should always assume the worst and act quickly:
- Sign in from another trusted device — your laptop, tablet or a colleague’s machine where you’re already authenticated.
- Go to the security settings of each affected account and delete the passkey tied to the lost device. On Microsoft 365, this is in My Sign-Ins; on Google, Security → Passkeys; most other services follow the same pattern.
- Sign out all other sessions — every major service offers a “sign out everywhere” option that invalidates existing logged-in sessions.
- Rotate any passwords or recovery methods that could be used as a fallback — including the email account those services use for password reset, since that is now the weakest link.
- For Microsoft 365 / Entra ID tenants, an administrator can revoke the user’s authentication methods and force re-registration from the Entra admin centre. This should be a documented step in your incident playbook before you need it.
- If a phone or laptop is lost, use the platform’s remote-wipe tools (Find My iPhone, Google Find My Device, Microsoft Intune) to wipe the device. A wiped device cannot present its passkeys; synced copies on your other devices are unaffected, which is why you still delete the lost device’s registration in the steps above.
The same logic applies when an employee leaves. Removing their account from Microsoft 365 or Google Workspace invalidates the passkeys tied to it. For shared services, delete their registered passkey from the account immediately as part of your offboarding checklist.
A note on the things passkeys don’t fix
Passkeys are not a silver bullet, and it is worth being honest about the gaps. Once you are signed in, passkeys do nothing to protect the live session — an attacker who steals an authenticated session token, via malware on the device for example, can still cause damage. They are also not a substitute for backups, patching, or staff training on social engineering, which now increasingly aims to trick a real authenticated user into making a transaction rather than to steal their login.
There is one specific behaviour worth watching for: an attacker who briefly compromises an account can sometimes register their own passkey as an additional credential, giving themselves long-term access even after you change the password. Periodically reviewing the list of registered passkeys, sign-in methods and connected devices on your critical accounts — and removing anything you don’t recognise — is a habit worth building into a monthly routine.
The bottom line
Passkeys are not a futuristic idea any more. The standards are settled, the platforms support them, the government’s cyber authority has just told the country to use them where available, and the cost of switching is small (a pair of hardware keys is the only purchase involved, and even that is optional). For a small business, the practical step this week is to enable passkeys on your Microsoft 365 or Google Workspace admin account, your bank, and your domain registrar; register them on at least two devices; set up a working fallback for each account (recovery codes, a second passkey, or your Apple ID Recovery Key); and put “review registered passkeys” on next month’s diary.
It is, genuinely, the most significant improvement to everyday account security in a generation — and unlike most cyber security advice, this one makes life easier rather than harder.
If Trichromic manages your Microsoft 365 or your device estate, we can review which accounts are ready for passkeys, set sensible policies for admin users, and document the recovery process before anyone loses a phone. Get in touch and we’ll talk you through what’s involved.