Are Passkeys the Holy Grail of Business Security?
We’ve all heard it before: “Passwords are the weak link in digital security.” And yet, most systems still rely on them.
Despite the rise of password managers, Multi-Factor Authentication (MFA), and all sorts of tools designed to help us “do passwords better”, the core problem hasn’t changed: passwords are easy to phish, guess, or reuse.
And yes, the most common password in use is still “123456”. (However, I truly hope this is just because throwaway accounts are the ones that get leaked).
So when a new method comes along, it’s natural to ask: is this the fix we’ve been waiting for?
Why Do We Still Use Passwords?
It’s not because they’re good. It’s because they’re easy.
Passwords are simple to set up. Every device has a keyboard. Everyone knows how to type one in. No special hardware required. No onboarding needed.
But as smartphones have become the standard, newer (and better) ways to authenticate have become practical. Phones have enabled more secure forms of authentication such as Multi-Factor Authentication (MFA), and password managers make it easier to generate unique, secure passwords.
Still, lots of these methods tend to add on to passwords, rather than replace them entirely. That’s where passkeys stand out.
What Exactly Are Passkeys?
A passkey is a cryptographic key stored on your device, usually your phone or a hardware token (such as a YubiKey), that replaces your password entirely.
You don’t type anything in. You just approve a login, often on your phone, with Face ID, a fingerprint, or your device PIN.
Because the private key never leaves your device, it is extremely difficult for attackers to steal or phish, which makes a passkey much harder to compromise than a password.
It’s fast, easy, and far more secure. In theory.
So why isn’t everyone using passkeys?
Passkeys are still pretty new. Tech giants like Google are already calling them the “simplest, most secure” way to log in – but in practice, most people are still typing in a password and waiting for a code to arrive by text.
So, while the tech behind passkeys is promising, the real-world rollout can be a bit messier.
Here are the top 5 challenges to watch out for:
1. Human Resistance to Change
Most users are used to passwords. They’ve been trained to think in terms of logins, password resets, and typing something in.
Introducing passkeys means changing that mindset. And if you’ve been through an MFA rollout, you’ll know: getting people on board isn’t always quick or easy.
2. The Setup
A seamless login sounds great. But a login that pops up on your phone every time you try to access something? That also opens the door to accidental approvals.
One wrong tap and an attacker is in.
Security hinges on how you implement passkeys: should approval require Bluetooth? Biometrics? A physical tap? Each option affects both the risk and the user experience.
3. Recovery Risks
Here’s the classic scenario: someone loses their phone. It’s got their passkeys on it.
What now?
If your recovery process is too relaxed, attackers could exploit it. Too strict? The user’s locked out permanently.
Backup strategies are essential, but too often overlooked.
4. Phishing Resistance, Not Proof
Passkeys can’t be easily stolen like passwords. But that doesn’t mean attackers won’t try.
Social engineering is still a risk. A convincing message could trick someone into approving a login request they didn’t initiate.
So while they reduce risk, they don’t remove it.
5. Hybrid Authentication is Inevitable
Some platforms support passkeys. Others don’t. So, most businesses will have to deal with a mix of passwords, MFA, and passkeys for the foreseeable future.
That means juggling multiple systems, training users on each one, and updating your policies to cover every base.

Is there a catch?
There’s no doubt passkeys are a big improvement over traditional passwords.
They’re far harder to phish, can’t be reused across multiple sites, and don’t rely on users coming up with (and remembering) something secure.
But they bring their own challenges, such as:
- Device management: Who owns the device storing the passkey?
- Recovery processes: How will you handle lost devices or keys?
- Education and support: Will your users know what to do if something goes wrong?
For businesses, this means additional infrastructure, training, and support are essential.
If you’re considering rolling out passkeys for your users or customers, think carefully about:
1. Device Management: Who’s actually holding the keys?
In most cases, passkeys are stored on the user’s device, often a smartphone or a hardware token. That’s great for convenience, but it raises a tricky question: who owns the device?
If you’re letting employees use personal phones, you’ll need to consider whether that fits within your security policies. Not everyone will be happy mixing personal and work data; we’ve seen this before with MFA. And if something goes wrong, where does the responsibility fall?
You might need to think about issuing work devices, or at the very least, putting some clear guidelines in place for how personal devices can be used securely.
2. Recovery: What happens when a device goes missing?
Lost devices, broken phones, forgotten credentials: it’s going to happen. And when it does, you need a clear, secure process for helping users recover access.
This is where many passkey setups can fall down. If recovery is too relaxed, it opens the door to attackers. If it’s too strict, users get locked out completely.
Striking the right balance is key. Think about backup devices, account recovery procedures, and what kind of support your team will need to provide when users inevitably run into issues.
3. Education and Support: Do your users know what to do?
New login methods mean new questions, and a fair bit of confusion.
People are used to passwords. Take those away and you’ll need to help them understand what’s changing, why it’s safer, and what to expect.
That might mean in-house training, onboarding materials, or a support desk that’s ready to handle questions like “What if I lose my phone?” or “Can I use this on my laptop too?”
If your users don’t understand how passkeys work, they’ll either avoid using them, or use them in insecure ways.
–
Passkeys are an exciting development in authentication, a real improvement over passwords, and a smart step toward a more secure future.
But they won’t eliminate all your risks.
To make them work, you’ll need the right infrastructure, clear policies, proper training, and solid support in place.
That’s where we come in.
At Cyber Alchemy, we help businesses take the guesswork out of modern authentication.
Whether you’re just starting to explore passkeys, or already planning a rollout, our team can support you with strategy, implementation, staff training and long-term management.
If you’re serious about strengthening your authentication approach, contact us today. We’ll help you do it properly, and securely.