Passkeys explained: A simpler, safer way to sign in


Soon, if you want to go online and submit VAT returns, register a new business, apply for apprenticeship funding or complete any of a range of routine business or personal tasks, you won’t need a password. Why?

The UK government’s official website gov.uk is swapping passwords for passkeys. The National Cyber Security Centre (NCSC) has called this shift a “major step in strengthening the nation’s digital security”.

In the wake of the recent hacks on household-name retailers by the notorious cybercrime group ‘Scattered Spider’, increased security certainly sounds like a good idea. So, what is a passkey?


Table of contents
  1. What is a passkey?
  2. Why should my organisation use passkeys?
  3. What can passkeys do for your organisation?
  4. Passkey options for businesses
  5. Considering moving to passkeys?

What is a passkey?

A passkey is a substitute for a password. Users log in to services using digital credentials stored on their device, such as a smartphone, together with cryptographic tokens. It’s simple, fast and secure.

Here’s how passkeys work. When you create an account, your device generates a secure pair of cryptographic keys, one public and one private. The public key is shared with the service, while the private key remains on your device and is protected by your chosen method, such as a password, PIN, or biometric.

When you sign in, the service sends your device a one-time challenge. Your device uses your passkey application to sign that challenge and sends the signed value back to the site or service. Only someone with the private key can successfully do this.

The private key never leaves your device. It’s not possible for it to be stolen using a phishing email or tricked out of you by someone pretending to be technical support.

To sign in on another device, the website generates a QR code. Scan it with your original device to authenticate and gain access. Most passkeys use the FIDO2 cryptographic standard. Accepted by Microsoft, Google, Apple and Amazon, FIDO2 ensures that your passkey will work across all devices.

With Microsoft Authenticator, Windows Hello, Google Password Manager or the Apple Passwords app, using passkeys is easy. These cover most major operating systems: Android, Windows, macOS or iOS.

Why should my organisation use passkeys?

Passkeys solve several problems that make systems protected using passwords both less secure and more difficult to use and manage.

Ninety per cent of businesses that adopt passkeys report that it has reduced the volume of helpdesk incidents, and 82% say it has improved security.

  • Spend less time resetting lost passwords. Users don’t have to ‘remember’ the passkey; the device does that for them.
  • Harden your business security. Because the private key is encrypted and never transmitted across the network, passkeys provide stronger security all around.
  • Protect your user credentials. Hackers can’t steal a passkey as part of a data breach because private keys are never stored on the server, only on the device.
  • Phishing and spear-phishing attacks target passwords. Passkeys render these tactics ineffective.
  • Improve user experience. Signing in with a passkey is faster than authenticating with a username and password, even when moving from one device to another.
  • Eliminate business risks associated with poor user password management. Passkeys are unique to each service, so they eliminate the security weaknesses caused by password reuse.


What can passkeys do for your organisation?

These benefits make passkeys a strong choice for a range of business uses. If your team is on site, remote or a mix of both, passkeys can help keep your company’s data safer.

Here’s how passkeys can support your business:

Safely log in to critical services:

  • Secure login for sensitive internal platforms (HR, finance etc.).
  • Authentication for retail point-of-sale systems.
  • Give students secure access to online learning platforms.

Authorising sensitive transactions:

  • Securely authenticate and authorise financial transactions.
  • Protect development platforms against unauthorised access.
  • Ensure only authorised engineers can initiate system changes.

Protecting sensitive or critical data:

  • Secure sign-on to customer or technical support platforms.
  • Protected, authenticated access to sensitive legal documents.
  • Safe citizen access to sensitive government digital services.

In all these cases passkeys offer a fast, secure, and user-friendly way to sign in. Of course, passkeys aren’t a security ‘fix all’ and they aren’t the best answer in every use case. You also need a robust implementation with good contingency plans.

Limitations to consider when planning your migration to passkeys include:

  • Managing device dependency: Establish clear steps for regaining access if a user loses the device needed to access key systems or data.
  • Lack of centralised control: Many passkey systems do not yet have the centralised control, traceability and auditability of full Identity and Access Management platforms.
  • Cross-platform compatibility: Don’t assume every passkey will work across all the platforms; compatibility should be checked.
  • Migration complexity: Over time, users will change devices, platforms and authentication managers. Taking passkeys with them can be complicated.
  • Adoption lag: Some SaaS and other systems have not yet adopted passkeys, so you may have to maintain mixed password-passkey authentication.
  • Platform compatibility: Support for specific passkeys may vary depending on the platform and browser. Careful planning is required before you choose a passkey.

To create the right passkey strategy, work with a cyber security partner who understands your business needs.


Passkey options for businesses

With the right expertise and planning, you can eliminate or mitigate these limitations and benefit from the advantages of passkeys.

The most important part of developing a successful passkey strategy is choosing the right type of passkey for your business or organisation. Options include:

  • A hardware passkey, such as Yubikey: in most scenarios, this hardware passkey works without having to install anything on the employee’s phone or other devices.
  • Authenticator apps, such as Microsoft Authenticator: if enabled by an administrator, adding passkeys is simple and fast for any user with a Microsoft 365 account.
  • Windows Hello for Business: Set up a passkey in Windows, using the Windows Hello sign-in service. Use a QR code to migrate that key to your other devices.
  • Synced passkeys: These cloud-based passkeys are linked to a user’s secure online identity and automatically sync across devices that use that identity.


Considering moving to passkeys?

Because they can’t be stolen, compromised or guessed in the same way a password can, passkeys offer enhanced security for businesses and public-sector organisations. With the right expertise, you can begin migrating to passkeys immediately.

Texaport is one of the UK’s leading managed cyber security providers. Our experts can help you train your staff and bolster your cyber security posture.

Contact us to start your passkey migration today.
