Two years ago, passkeys were a curiosity. In 2026 they are quietly becoming the default: Microsoft, Google and Apple have converged on FIDO2 / WebAuthn standards, the major browsers handle them natively, and most modern phones, laptops and security keys can act as a passkey device. For SMEs deciding what to do next, the question is no longer whether to adopt passwordless, but which approach to take in what order.
What a passkey actually is
A passkey is a cryptographic credential stored on a device — your phone, laptop or a hardware security key — that authenticates you to a website or app using the same standard as a physical security key. There is no password to type, no second factor prompt to approve, and the credential is phishing-resistant by design: it will only authenticate against the genuine site, never a fake one.
The three flavours of passwordless an SME will meet
- Microsoft passwordless sign-in via the Authenticator app — the entry point most SMEs will use first. Number-matching prompt replaces the password, with the phone as the second factor. Easy to deploy; no extra hardware.
- FIDO2 security keys (YubiKey, Feitian and equivalents) — a small USB-A, USB-C or NFC key that registers with the identity provider and authenticates on tap. Phishing-resistant by design. Recommended for admins, executives and anyone handling payments.
- Platform passkeys stored in iCloud Keychain, Google Password Manager or Windows Hello — the most user-friendly experience, increasingly the default for third-party SaaS applications.
What it replaces in your estate
Passkeys replace the password, not MFA. The passkey itself is already two factors. For most users this means the daily sign-in prompt becomes a fingerprint or a tap on a security key, with no password to forget and no second prompt to approve. The fall-back — what happens when the user has lost their phone — still has to be designed, but in practice it is rarely needed because the credentials are synced across the user’s own devices.
Practical advice for getting started
- 1. Roll out Microsoft Authenticator passwordless to general users first. It needs no hardware and removes the weakest factor (the password) from the daily sign-in.
- 2. Issue FIDO2 security keys to admins, executives and any user with payment authorisation. This is the smallest population with the highest target value.
- 3. Make platform passkeys the default for new third-party SaaS applications you adopt. Most modern providers now offer passkey sign-in alongside traditional passwords.
- 4. Keep a recoverable account (a managed password, in a vault, with brief time-limited access) as a last-resort fallback for break-glass scenarios. Test it once a year.
- 5. Monitor sign-in telemetry for users still relying on passwords, and gently migrate them away.
The honest limits
Some legacy applications do not support passkeys. For most SMEs these are now the minority, but they exist — old VPNs, line-of-business apps written ten years ago, and a handful of legacy cloud services. The right answer is usually to replace them; the next-best answer is to wrap them in conditional access with compensating controls. There is no scenario in which a shared or weak password on a legacy app should remain the only defence.
We help SMEs across Hertfordshire, Bedfordshire and London deploy passwordless sign-in in a way that genuinely improves the workday, not just the policy document. If you would like a scoping conversation, get in touch.

