
Passwords remain one of the weakest points in business security. Despite years of guidance, password managers, complexity rules and multi-factor authentication, the same problems keep appearing: passwords can be stolen, reused, guessed, phished and leaked through third-party breaches.
Passkeys and FIDO2 authentication work differently. They do not rely on a shared secret that a user types into a login page. Instead, they use cryptographic credentials that are tied to the legitimate service and unlocked locally on a trusted device. That makes them far more resistant to phishing than passwords and many traditional MFA methods.
For businesses working towards Cyber Essentials accreditation, or those that have already achieved it and want to go further, passkeys and FIDO2 credentials represent one of the most meaningful improvements in everyday account security that most UK organisations can make right now.
If your business works with a managed IT support services company in London, they should be advising you on where passkeys and FIDO2 fit into your current environment and what a realistic migration looks like. If that conversation has not happened yet, this article will help you understand the options and the questions worth asking.
Why Passwords Keep Failing UK Businesses
The problem with passwords is not only that people choose weak ones, although that still happens. The deeper problem is structural.
A password is a shared secret. When you authenticate with a password, that secret has to be checked by the service you are logging into. If a user is tricked into entering it on a fake login page, the attacker gets it. If the same password has been reused elsewhere, a breach of one service can put another service at risk. If malware captures keystrokes or a phishing proxy relays a login session in real time, even a strong password may not protect the account.
This is why phishing remains such a persistent threat for UK businesses. The latest UK Cyber Security Breaches Survey still identifies phishing as the most common type of breach or attack experienced by organisations that reported incidents.
Our post on password best practices covers what good password hygiene looks like as a baseline. But the honest reality is that even excellent password discipline cannot fully remove the structural weaknesses of password-based authentication. Our posts on what to do if your company credentials appear on the dark web and employee credentials on the dark web explain the practical consequences when credential compromise has already occurred.
What Are Passkeys?
A passkey is a login credential that uses public-key cryptography instead of a password. When you create a passkey for a service, your device generates a pair of mathematically linked keys:
- A private key, which stays on your device or inside a secure passkey provider.
- A public key, which is registered with the service you are logging into.
When you sign in, the service sends a challenge. Your device signs that challenge using the private key and returns the signed response. The service verifies the response using the public key. No password is typed, transmitted or stored by the website.
Two properties of this approach matter significantly for security.
First, there is no reusable password for an attacker to steal from the service. A public key on its own is not enough to log in.
Second, passkeys are bound to the relying party identifier (normally the domain) they were created for. The browser derives that identifier from the page the user is actually on and only offers matching credentials, so a passkey created for a genuine Microsoft, Google or banking login is never even presented to a convincing fake site with a similar-looking address. This makes passkeys phishing-resistant by design rather than by user vigilance.
Passkeys are unlocked using a device PIN, fingerprint, facial recognition or a hardware security key. Depending on the setup, they may be stored on a device, synced through a trusted account such as Apple, Google or Microsoft, or held on a separate FIDO2 security key.
What Is FIDO2?
FIDO2 is the technical standard that underpins modern passkeys and phishing-resistant authentication. It was developed through the FIDO Alliance and the World Wide Web Consortium to provide a standardised way for browsers, operating systems and authenticators to support secure passwordless login.
FIDO2 includes two key parts:
- WebAuthn (Web Authentication), the W3C browser and platform API that lets websites and applications register and use public-key credentials.
- CTAP (Client to Authenticator Protocol), which allows external authenticators, such as USB, NFC or Bluetooth security keys, to communicate with the browser or operating system.
The distinction that matters most for UK businesses is between synced passkeys and device-bound credentials.
Synced passkeys are designed for convenience. They can be backed up and used across a user’s devices through a provider such as Apple, Google or Microsoft. For most everyday staff accounts, this can provide a strong balance of security and usability.
Device-bound credentials are stored on a specific device or hardware security key and cannot normally be exported or synced. For high-privilege accounts, such as administrators, senior executives and finance users, this can provide a higher level of assurance.
Our post on why your business should upgrade to Windows 11 is relevant here because Windows 11, Windows Hello for Business and Microsoft Entra ID now provide strong passwordless and FIDO2-based options for organisations that want to reduce reliance on passwords.
Comparing Authentication Methods
| Authentication Method | Phishing Resistant | Credentials Can Be Stolen Remotely | Requires Additional Hardware | Suitable for Most Staff |
|---|---|---|---|---|
| Password only | No | Yes | No | No longer recommended as a standalone method |
| Password plus SMS one-time code | No | Partially | No | Minimum fallback only |
| Password plus authenticator app code | No | Partially | No | Better than SMS, but still phishable |
| Password plus push notification approval | No | Partially | No | Useful, but vulnerable to push fatigue and real-time phishing |
| Synced passkey via Apple, Google or Microsoft | Yes | No reusable password to steal | No | Yes, for many users |
| Windows Hello for Business | Yes, when properly configured | No reusable password to steal | No, uses the device's TPM where present | Yes, in managed Windows environments |
| FIDO2 hardware security key | Yes | No reusable password to steal | Yes | Best for privileged and high-risk users |
| Certificate-based authentication | Can be phishing resistant when properly deployed | No reusable password to steal | Sometimes | Useful in managed environments |
The table makes clear that most of the MFA methods businesses currently rely on, while meaningfully better than passwords alone, are not fully phishing-resistant. They can still be bypassed through real-time phishing, session hijacking or device-code attacks. Our post on anti-phishing controls explains how these attack techniques work against standard MFA and why phishing-resistant methods address them at a technical level rather than relying only on user vigilance.
What Cyber Essentials Says About Authentication
Cyber Essentials and Cyber Essentials Plus focus on five technical control areas: firewalls, secure configuration, security update management, user access control and malware protection.
Authentication sits within the user access control theme. The April 2026 Cyber Essentials v3.3 requirements tightened the position on cloud services. For assessment accounts created from 27 April 2026, multi-factor authentication must be enabled for cloud services where MFA is available. Organisations that do not enable MFA on in-scope cloud services can fail the assessment.
Cyber Essentials does not currently require every organisation to use passkeys or FIDO2 across all accounts. However, the direction of travel is clear. Standard MFA is now a baseline expectation, and phishing-resistant MFA is a stronger next step for organisations that want to reduce real-world account compromise risk.
For businesses that have already achieved Cyber Essentials and are asking what to do next, moving to passkeys, Windows Hello for Business or FIDO2 hardware keys for the highest-risk accounts is one of the most practical improvements available. Start with administrators, finance staff, executives, remote workers and anyone with access to sensitive systems.
Our post on why your business should become Cyber Essentials accredited explains the full scope of the scheme and what it covers, and our post on why IT compliance matters covers the regulatory context in which authentication decisions sit, particularly for businesses operating in regulated industries.
Microsoft 365 And Passkey Support
Microsoft 365 is the dominant productivity platform among UK SMEs, so Microsoft’s support for passkeys and passwordless authentication is directly relevant to many London businesses.
Microsoft Entra ID supports FIDO2 security keys, passkeys in Microsoft Authenticator, Windows Hello for Business and other passwordless methods. Microsoft has also been expanding passkey support across Windows, including the ability to create and use passkeys with Windows Hello in supported Entra environments. Exact availability can depend on tenant configuration, licensing, operating system version and whether features are generally available or still being rolled out.
Windows Hello for Business allows users to sign in using a PIN, fingerprint or facial recognition, backed by cryptographic credentials rather than a reusable password. The PIN or biometric only unlocks the key locally; it is never sent to the identity provider. Where the device has a TPM, the private key is generated in and protected by that hardware, so it cannot be copied off the machine.
Conditional Access policies in Microsoft Entra can also be configured to require stronger authentication for specific users, groups or applications. This means you can enforce phishing-resistant MFA for priority accounts first, without forcing an organisation-wide change on day one. Start new policies in report-only mode so the sign-in logs show who would be affected before anything is enforced, and always exclude your break-glass accounts.
If you have not had a structured review of your Microsoft 365 authentication configuration, our post on what is an Office 365 assessment explains what a thorough review covers and why it matters for businesses at this stage. Our post on five benefits of using Office 365 also provides broader context on the platform’s security capabilities.
Your Microsoft 365 support services provider in London should be able to review your current authentication methods, enable stronger passwordless options, configure Windows Hello for Business where appropriate, and set up Conditional Access policies as part of a planned migration. Our post on why businesses should consider Microsoft Intune explains how Intune device management integrates with these authentication controls to create a more coherent and enforceable security posture across your device fleet.
Practical Steps To Moving Beyond Passwords
Step 1: Map Your Current Authentication Landscape
Before making changes, catalogue which services your business uses, how users currently sign in, which services support MFA, which support passkeys or FIDO2, and which accounts carry the highest risk.
An account used by a finance director with payment approval authority carries a very different risk profile to a read-only reporting account. This assessment is the starting point for a sensible migration plan.
Our post on endpoint hardening steps that reduce real-world attacks covers how authentication hardening fits alongside other endpoint security controls as part of a broader security review.
Step 2: Prioritise Your Highest-Privilege Accounts
Administrators, executives, finance staff and IT managers should be your first priority. These accounts have the broadest access and cause the most damage when compromised.
For these users, consider FIDO2 hardware security keys, Windows Hello for Business, Entra passkeys or another phishing-resistant method that fits your environment. Our post on dark web monitoring for executives explains why senior staff are disproportionately targeted and what additional protections they should have in place alongside stronger authentication.
Step 3: Enable Passkeys Across Your Cloud Services
Work with your IT team or managed service provider to enable passkey support in Microsoft Entra ID and other cloud services where it is available. This may include:
- Enabling FIDO2 security keys.
- Enabling Microsoft Authenticator passkeys where supported.
- Rolling out Windows Hello for Business.
- Configuring device compliance rules through Intune.
- Applying Conditional Access policies to require phishing-resistant MFA for selected users.
You do not need to complete the whole organisation in one go. Start with a controlled pilot, learn from it, then expand.
Step 4: Roll Out To Staff Progressively
Once tested with higher-privilege accounts, plan a phased rollout to the rest of your organisation. Clear communication about why the change is happening and simple guidance on how to set up a passkey will reduce resistance and the volume of support requests.
Some users may need more help than others, especially if they use older devices, shared devices, personal phones or a mix of Windows, macOS, iOS and Android. Our post on endpoint security for remote teams covers the additional considerations for staff who work outside the office and may be setting up stronger authentication away from central IT support.
Step 5: Block Legacy Authentication
As you roll out passkeys, monitor for legacy authentication attempts. These are sign-ins using older protocols, such as POP3, IMAP, SMTP AUTH and basic-authentication Exchange ActiveSync, that cannot prompt for MFA at all. Entra sign-in logs record the client app used for each sign-in, so you can identify which users, mailboxes or applications still depend on these protocols before you block them.
Blocking legacy authentication in Microsoft Entra is essential for making your passkey deployment effective. Otherwise, an attacker with stolen credentials may try to bypass stronger controls by using an older login path.
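The two Conditional Access policies discussed in this article, requiring phishing-resistant MFA for priority accounts (in the Microsoft 365 section above) and blocking legacy authentication (this step), as an added example written for this article rather than code from the original page or from Microsoft. It builds the request bodies for the Microsoft Graph endpoint `POST /identity/conditionalAccess/policies`, runs a lockout sanity check on them, and sends them with a bearer token obtained separately (for example from the Microsoft Graph PowerShell SDK or an app registration with `Policy.ReadWrite.ConditionalAccess`). The group and account IDs are hypothetical placeholders. The authentication strength ID used is Microsoft's built-in "Phishing-resistant MFA" strength; you can confirm it in your tenant with `GET /identity/conditionalAccess/authenticationStrength/policies`.

```javascript
// Added example (not from the original article): Microsoft Graph request bodies for
// the two Conditional Access policies discussed in the text, plus a deploy helper.
// Group and user IDs are hypothetical placeholders; supply your own.
const GRAPH_CA_POLICIES = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies';

// Built-in authentication strengths in Entra: ...0002 = MFA, ...0003 = Passwordless MFA,
// ...0004 = Phishing-resistant MFA (FIDO2, Windows Hello for Business, certificate-based).
const PHISHING_RESISTANT_STRENGTH_ID = '00000000-0000-0000-0000-000000000004';

// Policy 1: require phishing-resistant MFA for priority groups (admins, finance,
// executives). Defaults to report-only so the sign-in logs show who would be
// blocked before anything is enforced.
function requirePhishingResistantMfaPolicy({ includeGroups, breakGlassUsers, enforce = false }) {
  return {
    displayName: 'CA - Require phishing-resistant MFA - priority users',
    state: enforce ? 'enabled' : 'enabledForReportingButNotEnforced',
    conditions: {
      users: { includeGroups, excludeUsers: breakGlassUsers },
      applications: { includeApplications: ['All'] },
      clientAppTypes: ['all'],
    },
    grantControls: {
      operator: 'OR',
      authenticationStrength: { id: PHISHING_RESISTANT_STRENGTH_ID },
    },
  };
}

// Policy 2: block legacy authentication for everyone. In Conditional Access the
// legacy protocols are matched by the client app types exchangeActiveSync and other.
function blockLegacyAuthenticationPolicy({ breakGlassUsers, enforce = false }) {
  return {
    displayName: 'CA - Block legacy authentication - all users',
    state: enforce ? 'enabled' : 'enabledForReportingButNotEnforced',
    conditions: {
      users: { includeUsers: ['All'], excludeUsers: breakGlassUsers },
      applications: { includeApplications: ['All'] },
      clientAppTypes: ['exchangeActiveSync', 'other'],
    },
    grantControls: { operator: 'OR', builtInControls: ['block'] },
  };
}

// Sanity check before anything is sent: a policy that applies to All users or to
// admin groups with no excluded break-glass accounts can lock out the whole tenant.
function lockoutRisks(policy) {
  const risks = [];
  const excluded = policy.conditions.users.excludeUsers ?? [];
  if (excluded.length === 0) risks.push('no break-glass accounts excluded');
  if (policy.state === 'enabled' && excluded.length === 0) risks.push('enforced without an exclusion');
  if (policy.grantControls.builtInControls?.includes('block') && !policy.conditions.clientAppTypes?.length) {
    risks.push('block control with no client app scoping');
  }
  return risks;
}

// Creates each policy via Graph; refuses to send anything lockoutRisks flags.
// fetchImpl is injectable so the logic can be exercised without network access.
async function deployPolicies(accessToken, policies, fetchImpl = globalThis.fetch) {
  const created = [];
  for (const body of policies) {
    const risks = lockoutRisks(body);
    if (risks.length) throw new Error(`${body.displayName}: ${risks.join('; ')}`);
    const res = await fetchImpl(GRAPH_CA_POLICIES, {
      method: 'POST',
      headers: { Authorization: `Bearer ${accessToken}`, 'Content-Type': 'application/json' },
      body: JSON.stringify(body),
    });
    if (!res.ok) throw new Error(`Graph returned ${res.status} for ${body.displayName}`);
    created.push(await res.json());
  }
  return created;
}

// Example wiring with placeholder IDs; real deployment needs a token from your tenant.
function examplePolicies() {
  const breakGlassUsers = ['11111111-1111-1111-1111-111111111111']; // hypothetical
  return [
    requirePhishingResistantMfaPolicy({ includeGroups: ['22222222-2222-2222-2222-222222222222'], breakGlassUsers }),
    blockLegacyAuthenticationPolicy({ breakGlassUsers }),
  ];
}
```

Run both policies in report-only mode for a week or two, review the Conditional Access insights in the sign-in logs, then flip `enforce` to true for the phishing-resistant policy on priority groups first and the legacy block tenant-wide once the remaining legacy clients have been migrated.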
Step 6: Maintain Dark Web Monitoring Throughout
Even after deploying passkeys widely, monitoring for compromised credentials remains important. Some systems may still rely on passwords, and credentials exposed in older breaches may still be used in phishing, impersonation or password-spraying attempts.
A London-based dark web monitoring service gives you early warning of any exposure across your business accounts. Our posts on dark web monitoring explained and the crucial role of dark web monitoring for stolen login credentials explain how the monitoring works and what actions to take when alerts fire.
Passkeys Within Your Wider Anti-Phishing Programme
Passkeys are one of the strongest technical controls available against phishing, but they work best as part of a complete programme rather than as a standalone change.
Staff still need to recognise phishing attempts targeting services where passkeys have not yet been deployed. They also need to understand why they should never approve authentication requests they did not initiate, why QR-code login prompts need caution, and why payment process checks remain essential even when account security improves.
Our posts on anti-phishing basics, how to create an anti-phishing policy, and how to run phishing simulations cover the awareness and procedural side of phishing defence that complements the technical protection passkeys provide.
Working with an anti-phishing company in London that understands both the technical and awareness dimensions of phishing defence gives you coverage across both the human and the authentication layer. Our post on business email compromise explained is also relevant, because BEC attacks often target financial processes that bypass authentication controls entirely and require procedural safeguards as well as technical ones.
Our security services page gives an overview of how authentication hardening sits within a broader security programme, and our IT consulting team can help you build a realistic roadmap for moving beyond passwords across your entire environment.
For Businesses With Multiple Locations
For organisations operating across multiple countries, deploying passkeys consistently across all locations requires coordination. Staff in different offices may use different devices, operating systems, cloud services and identity providers. Each of these variables affects how passkey support is configured and rolled out.
A provider offering multinational IT support services can manage a passkey deployment across all your offices and help ensure authentication standards are consistent regardless of where a user is working. Our post on global IT support for hybrid workforces covers the specific authentication challenges that arise when staff are working across multiple locations and devices.
For businesses with European offices, a provider experienced in European IT services can ensure authentication changes are documented appropriately and implemented in line with local data protection requirements.
If your business is planning a platform change or has recently completed one, a platform migration services provider should factor passkey and FIDO2 configuration into the migration project plan from the outset, so that stronger authentication is in place on the new platform from day one rather than retrofitted later.
For businesses considering bringing in external support to manage this transition, our post on the benefits of outsourcing your IT to an MSP explains what specialist managed support delivers beyond day-to-day helpdesk service, and why it is particularly valuable when implementing changes that touch authentication infrastructure across an entire organisation.
Frequently Asked Questions
Are passkeys safe if a staff member loses their device?
They can be, provided recovery is planned properly. Synced passkeys stored through Apple, Google or Microsoft can often be recovered on a new device through the user’s account, subject to the provider’s recovery process. Device-bound passkeys on hardware security keys cannot usually be recovered if the key is lost. Organisations using hardware keys for high-privilege accounts should issue backup keys and maintain a documented recovery process.
Can passkeys work across different operating systems and devices?
Increasingly, yes. Apple, Google and Microsoft all support passkeys, and the FIDO2 standard is designed to be interoperable. Staff using a mix of Windows, macOS, iOS and Android can often use passkeys across those platforms, although the setup experience varies by device, browser, application and identity provider.
Will deploying passkeys increase our IT helpdesk workload?
There may be a short-term increase in support requests during setup, especially during the first rollout phase. Over time, passkeys can reduce password reset requests and some authentication-related tickets. The key is to pilot the process first, produce clear internal guidance, and avoid rolling the change out to every user at once without support.
What do we do about services that do not yet support passkeys?
Not all services support passkeys yet, although adoption is growing across major platforms. For services that do not support passkeys, use the strongest available MFA option, such as an authenticator app or managed SSO with Conditional Access. Legacy services that cannot support modern authentication at all should be flagged for replacement, isolation or migration as a security risk.
Does moving to passkeys affect our Cyber Essentials certification?
Moving to passkeys does not automatically change your certification status mid-cycle, but it can strengthen your position at renewal. Cyber Essentials now expects MFA on cloud services where available, and passkeys or FIDO2 can help meet that authentication objective in a stronger way. They are not mandatory for every account under the scheme, but they are a sensible next step for higher-risk users.
Should every employee use a hardware security key?
Not necessarily. Hardware security keys provide strong protection, but they add cost, logistics and recovery requirements. Many businesses start by issuing hardware keys to administrators, executives and finance users, while using synced passkeys or Windows Hello for Business for most staff. The right mix depends on your risk profile and how your teams work.
Start Your Move Beyond Passwords Today
Passwords have been the primary authentication method for business systems for decades, and for just as long they have been one of the main ways attackers gain access. Passkeys and FIDO2 authentication offer a practical, increasingly well-supported alternative that removes many of the weaknesses attackers exploit.
Northern Star helps London businesses assess their current authentication posture, plan and deliver passkey deployments across Microsoft 365 and other platforms, and build the monitoring and controls needed to keep accounts secure as authentication standards continue to evolve.
Get in touch with our team today or call us on 0800 319 6032. You can also visit our Why Us page to learn more about how we work with London SMEs to strengthen their security in practical, proportionate ways.