Microsoft recently announced a major shift in its approach to account security: a move away from passwords and toward passkeys. This decision comes as the company reports blocking an unprecedented 7,000 password-related attacks every second. The numbers reveal a clear conclusion—passwords are no longer a reliable defense against cyberattacks.
In this article, we’ll explain Microsoft’s decision, introduce passkeys and why they’re a better solution, show how users and businesses can adopt them, and provide an update on how passkeys are being used today.
Why is Microsoft replacing passwords with passkeys?
Microsoft’s decision is a response to the dramatic rise in password-based attacks. The company’s data shows that phishing attempts, brute-force attacks, and other forms of credential theft have reached alarming levels. Cybercriminals exploit human error, weak passwords, and outdated security methods to steal account access, leading to data breaches and financial losses.
By adopting passkeys, Microsoft aims to reduce these risks while making account access simpler for users. Passkeys provide stronger protection against common threats and eliminate the vulnerabilities associated with passwords, such as reuse and poor complexity.
What are passkeys, and why are they a better solution?
Passkeys are a secure alternative to passwords, based on public-key cryptography. They work by creating a pair of keys:
- A private key, stored securely on your device, and
- A public key, shared with the service you want to access.
When you log in, the private key stays on your device and signs a one-time challenge from the service, which checks that signature against the public key it holds. This process makes passkeys immune to phishing: unlike a password, a passkey cannot be stolen from a user or tricked out of them.
Why passkeys are better:
- Stronger security: Passkeys cannot be guessed, reused, or exposed in data breaches.
- Simpler logins: With passkeys, users can authenticate with built-in options like a fingerprint, face scan, or PIN.
- Protection of the private key: The private key never leaves the device, so it cannot be extracted or stolen even if the targeted application is compromised, unlike passwords or TOTP seeds, which can leak.
- Phishing resistance: Most operating systems and browsers have native, built-in mechanisms that prevent attackers from tricking users into revealing sensitive credentials, for example on fake websites or via fraudulent emails.
- Cross-device usability: Passkeys are designed to work across devices and platforms, offering seamless access to accounts.
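The sign-in flow and the key-protection and phishing-resistance points above, shown as an added example that is not code from Microsoft, the FIDO2 specifications or Secfense. It is a simplified Node.js simulation: the origins, the function names and the reduced signed payload are assumptions made for illustration.

```javascript
// Added example: simplified passkey (WebAuthn-style) sign-in simulated in Node.js.
// Origins and names are constructed; real authenticator data also carries flags and a counter.
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: the device creates the key pair; only the public key leaves it.
function createPasskey(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { rpId, privateKey }, publicKey };
}

// Device side: the browser records the origin it is really on, and the private
// key signs over that origin together with the service's one-time challenge.
function signIn(device, origin, challenge) {
  const clientData = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const rpIdHash = sha256(device.rpId);
  const signed = Buffer.concat([rpIdHash, sha256(clientData)]);
  return { clientData, rpIdHash, signature: crypto.sign('sha256', signed, device.privateKey) };
}

// Service side: checks use only the stored public key; it holds no secret to leak.
function verifySignIn(site, publicKey, challenge, assertion) {
  const client = JSON.parse(assertion.clientData.toString());
  if (client.type !== 'webauthn.get') return 'wrong-type';
  if (client.challenge !== challenge.toString('base64url')) return 'stale-challenge';
  if (client.origin !== site.origin) return 'wrong-origin';
  if (!assertion.rpIdHash.equals(sha256(site.rpId))) return 'wrong-rp';
  const signed = Buffer.concat([assertion.rpIdHash, sha256(assertion.clientData)]);
  return crypto.verify('sha256', signed, publicKey, assertion.signature) ? 'ok' : 'bad-signature';
}

function demo() {
  const site = { rpId: 'shop.example', origin: 'https://shop.example' };
  const { device, publicKey } = createPasskey(site.rpId);
  const challenge = crypto.randomBytes(32);
  const genuine = signIn(device, site.origin, challenge);
  // Response produced on a look-alike page: the browser stamps that page's origin.
  const lookalike = signIn(device, 'https://shop-example.test', challenge);
  // The same response with the origin field swapped for the genuine one.
  const rewritten = { ...lookalike, clientData: genuine.clientData };
  return {
    genuine: verifySignIn(site, publicKey, challenge, genuine),
    lookalike: verifySignIn(site, publicKey, challenge, lookalike),
    rewritten: verifySignIn(site, publicKey, challenge, rewritten),
    replayed: verifySignIn(site, publicKey, crypto.randomBytes(32), genuine),
  };
}
console.log(demo());
```

In a real browser the passkey would not even be offered on a page whose domain does not match the one it was registered for; the service-side checks shown here are the second layer.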
Microsoft’s move to passkeys aligns with global security standards such as FIDO2, which are designed to reduce dependency on passwords and protect against evolving cyber threats.
Where are passkeys already being used?
Passkeys are not new. They’ve already been adopted by major companies and platforms:
- Apple: Introduced passkeys via iCloud Keychain, enabling users to log in securely across iOS and macOS devices.
- Google: Integrated passkeys into Google Password Manager, making them available on Android and Chrome.
- PayPal: Allows customers to authenticate with passkeys on supported devices.
- Dropbox: Offers passkey support for secure access to its services.
How you can start using passkeys:
- On iPhones and Macs: Enable passkeys through iCloud Keychain in your device settings.
- On Android: Use Google Password Manager to manage and activate passkeys.
- On Windows: Leverage Windows Hello to authenticate with biometrics.
More apps and websites are adding passkey support every day. To check if a service supports passkeys, look for FIDO2 or passkey options in its account settings.
Passkey adoption in businesses: What’s next?
The shift to passkeys is gaining momentum in the business world, as organizations see the benefits of reducing password-related risks. However, adoption is still in its early stages for many companies.
Current landscape:
- Large tech companies like Microsoft, Google, and Apple are leading adoption efforts.
- Small and medium-sized businesses are starting to explore passkeys, often driven by the need to comply with security regulations like GDPR, DORA, and NIS2.
Challenges for businesses:
- Technical integration: Legacy systems may require updates to support passkeys.
- User education: Employees and customers need clear instructions to transition smoothly.
- Regulatory compliance: Businesses must ensure that passkey adoption meets industry and legal standards.
Opportunities:
- Reduced password-related support requests, saving time and IT resources.
- Improved user satisfaction due to faster, simpler authentication methods.
- Enhanced security, minimizing the risk of breaches caused by weak or stolen passwords.
Solutions like Secfense can simplify the process for businesses by enabling passkey adoption without replacing existing systems. With tools that integrate passwordless authentication into current applications, organizations can transition to passkeys quickly and securely.