Demystifying Passkeys: Your Key to a Passwordless Future

Jim Nitterauer

Passwords have been the foundation of digital authentication for decades, and they have been broken for nearly as long. Phishing, credential stuffing, password reuse, and weak user choices are all symptoms of the same root problem: passwords are shared secrets, and shared secrets get stolen. Passkeys eliminate the problem entirely — not by making passwords stronger or harder to guess, but by replacing the model altogether.

What Makes Passkeys Different

To understand passkeys, you first need to understand what is wrong with passwords. When you create a password, a hash of it lives on the server — and servers get breached. Credential stuffing attacks work because people reuse passwords across sites, so one breach unlocks dozens of accounts. Phishing works because there is nothing stopping a fake login page from accepting your password and passing it along to a real attacker.

Passkeys address all three of these problems at the root level.

No shared secret on the server. When you register a passkey, your device generates a public and private key pair. The public key goes to the website. Your private key never leaves your device. There is nothing useful to steal in a server breach — only a public key that is mathematically useless for impersonating you.

Immune to phishing. Passkeys are cryptographically bound to the exact domain they were created for. A fake login page at "paypa1.com" cannot request your PayPal passkey. The browser verifies the domain and refuses any mismatch. No security awareness training required. No user error possible. The protection is built into the protocol.

No weak credentials. Users cannot create "password123" with a passkey. The cryptographic key pair is generated by your device at full strength every time, using hardware-backed randomness. Password policy fatigue, complexity requirements, and rotation schedules become irrelevant.

How the Authentication Flow Works

The mechanics are straightforward once you understand asymmetric cryptography.

Registration: Your device generates a public/private key pair. The public key goes to the website. The private key is stored in your device's secure enclave — a tamper-resistant hardware chip such as a TPM on Windows, the Secure Enclave on Apple devices, or Android StrongBox.

Login: The website sends a random challenge. Your device signs it with your private key, but only after you authenticate locally via Face ID, fingerprint, or PIN. The signed response goes back to the server.

Verification: The server validates the signature against your public key. Authentication complete. No password was ever transmitted, stored, or put at risk.

This is not a better password. It is a fundamentally different authentication model.

Cross-Device: How Passkeys Follow You

A common concern about passkeys is recovery and portability. The ecosystem handles this well.

Cloud sync is the common case. Apple syncs passkeys across all your Apple devices via iCloud Keychain, end-to-end encrypted. Google does the same via Google Password Manager. Third-party managers like 1Password and Bitwarden sync passkeys across any combination of platforms. The private keys travel in encrypted form and are only decryptable by your other trusted devices — so even Apple and Google cannot read them.

Cross-device authentication handles the case where you are on a device that does not have your passkey — such as a shared Windows PC or a borrowed laptop. The browser displays a QR code. You scan it with your phone, authenticate locally via biometrics, and the signed challenge is relayed back over an encrypted Bluetooth proximity channel. Your private key never leaves your phone.

The Enterprise Picture: Microsoft Entra ID

For enterprise environments, passkey support in Microsoft Entra ID has matured significantly entering 2026.

Windows Hello passkeys for Entra entered public preview in early 2026, bringing phishing-resistant sign-in to Entra-protected resources directly from Windows devices, including unmanaged personal devices. Synced passkey support arrived in late 2025, enabling cross-device sync via iCloud Keychain and Google Password Manager without additional configuration.

Passkey profiles — group-based policy controls — allow administrators to enforce different authentication requirements per user group. Hardware-bound keys for privileged accounts, synced passkeys for the general workforce. This is exactly the right architecture for a layered security posture.

Registration campaigns starting in early 2026 let organizations proactively drive phishing-resistant credential adoption at scale rather than waiting for users to opt in.

The architecture is now mature enough to replace passwords entirely in most Entra-connected environments. The tools exist. The question is whether your organization has a plan to use them.

Choosing the Right Tool: Hardware Keys vs. Synced Passkeys

Hardware security keys such as a YubiKey and synced passkeys are not competing technologies. They share the same FIDO2 cryptographic foundation in different form factors. The right choice depends on your threat model.

Hardware security keys generate the private key inside a dedicated secure element that physically cannot be extracted — not by malware, not by the operating system, not by anyone. There is no cloud sync surface. They work on any device and any operating system with no account dependency. For high-value targets — executives, privileged administrators, finance teams — this is the right answer.

Synced passkeys are always with you, require no extra device, and offer a better recovery story. If you lose one device, your passkeys restore from iCloud or Google on a new one. Security depends partly on your cloud account security, but for most users and most workloads, synced passkeys are more than sufficient and represent a massive security improvement over passwords.

What About Devices Without a TPM?

Windows 11 requires TPM 2.0, so any Windows 11 device has the hardware required for passkeys. The TPM-less scenario is primarily a Windows 10 or legacy hardware concern. For those endpoints, the practical options are:

  • Hardware security key: The key pair lives in the key's secure element, effectively a dedicated TPM you carry with you. Most enterprise-grade keys run $25–$70 and provide better security than a software TPM fallback.
  • Microsoft Authenticator on a phone: The phone's secure enclave handles key storage. Most modern phones have this even when the associated PC does not have a TPM.
  • Cross-device authentication via QR: Authenticate the Windows session using a passkey stored on a phone, using the proximity flow described above.

For organizations still running Windows 10 endpoints, the hardware security key is the cleanest path to phishing-resistant authentication today without requiring a device refresh.

What to Do Now

Passkeys are not a future technology. They are available now, supported by Apple, Google, Microsoft, and most major platforms. The ecosystem is mature. Entra ID support is production-ready. The cryptographic model is sound.

The practical deployment model for most organizations is this: synced passkeys for the general workforce, hardware security keys mandatory for privileged identities. That is exactly the model that Entra's passkey profiles are designed to support, and it is achievable without a major infrastructure overhaul.

Passwords represent a liability on your risk register. Passkeys are the remediation. The primary barrier at this point is not technical — it is organizational. Start by identifying your highest-risk accounts, implement passkeys there first, and build out from that foundation.

Need help understanding the right steps to reduce password dependence in your organization? Contact me to schedule a free 30-minute discovery call.