Passwords have been the foundation of digital authentication for decades — and they have been broken for nearly as long. Phishing, credential stuffing, password reuse, and weak user choices are all symptoms of the same root problem: passwords are shared secrets, and shared secrets get stolen. Passkeys eliminate the problem entirely.
They can't be stolen from servers
When you create a password, a hash of it lives on the server — and servers get breached. With passkeys, the server only stores a public key. Your private key never leaves your device, so there is nothing useful to steal in a breach. This single property eliminates credential stuffing attacks at the root.
They are immune to phishing
Passkeys are cryptographically bound to the exact domain they were created for. A fake login page at "paypa1.com" cannot request your PayPal passkey. The browser checks the domain and refuses requests that don't match. No awareness training required. No user error possible. The protection is built into the protocol.
No weak passwords
Users cannot create "password123" with a passkey. The cryptographic key pair is generated by your device at full strength every time. Password policy fatigue, complexity requirements, and rotation schedules become irrelevant.
How passkeys actually work
The mechanics are straightforward once you understand asymmetric cryptography:
- Registration: Your device generates a public/private key pair. The public key goes to the website. The private key is stored in your device's hardware-protected key store — a tamper-resistant chip such as a TPM on a PC or the secure enclave on a phone.
- Login: The website sends a random challenge. Your device signs it with your private key, but only after you authenticate locally via Face ID, fingerprint, or PIN. The signed response goes back to the server.
- Verification: The server validates the signature with your public key. Authentication complete. No password ever transmitted, stored, or at risk.
The public key is mathematically useless for impersonating you, and the private key that could is never exposed: it never leaves your device, and it is only used to sign challenges for the domain it was created for. This is not a better password — it is a fundamentally different model.
Cross-device: how passkeys follow you
One of the most common objections to passkeys is recovery and portability. Here is how the ecosystem handles it.
Cloud sync (the common case)
Apple syncs passkeys across all your Apple devices via iCloud Keychain, end-to-end encrypted. Google does the same via Google Password Manager. Third-party managers like 1Password and Bitwarden sync passkeys across any combination of platforms. The private keys are synced in encrypted form and are only decryptable by your other trusted devices — so even Apple and Google cannot read them.
Cross-device authentication
When you are on a device that does not have your passkey — say, a shared Windows PC — the browser shows a QR code. You scan it with your phone, authenticate locally via biometrics, and the signed challenge is relayed back to the PC over an end-to-end encrypted channel, with a Bluetooth proximity check confirming the phone is physically next to the PC. Your private key never leaves your phone.
The enterprise picture: Microsoft Entra ID
For enterprise environments, passkey support in Microsoft Entra ID has matured significantly in 2025 and into 2026:
- Windows Hello passkeys for Entra entered public preview in March–April 2026, bringing phishing-resistant sign-in to Entra-protected resources directly from Windows devices, including unmanaged personal devices.
- Synced passkey support arrived in November 2025, enabling cross-device sync via iCloud Keychain and Google Password Manager without extra configuration.
- Passkey profiles (group-based policy) allow admins to enforce different authentication requirements per user group — for example, hardware-bound keys for privileged accounts, synced passkeys for the general workforce.
- Registration campaigns starting April 2026 let organizations proactively drive phishing-resistant credential adoption at scale.
The architecture is now mature enough to replace passwords entirely in most Entra-connected environments. The tools exist. The question is whether your organization has a plan to use them.
Hardware security keys vs. synced passkeys: choosing the right tool
Hardware security keys (YubiKey, etc.) and synced passkeys are not competing technologies — they are the same FIDO2 cryptographic foundation in different form factors. The right choice depends on the threat model.
Hardware security keys
The private key is generated inside a dedicated secure element and physically cannot be extracted — not by malware, not by the OS, not by anyone. There is no cloud sync surface. They work on any device, any OS, with no account dependency. For high-value targets such as executives, privileged admins, and finance teams, this is the right answer.
Synced passkeys
Always with you, no extra device required, better recovery story. If you lose one device, your passkeys restore from iCloud or Google on a new one. Security depends partly on your cloud account security, but for most users and most workloads, this is more than sufficient — and orders of magnitude better than passwords.
What about devices without a TPM?
Windows 11 requires TPM 2.0, so any Win11 device has one unless the registry was modified to bypass the check during installation. The TPM-less scenario is primarily a Windows 10 or legacy hardware concern. For those endpoints, the options are:
- Hardware security key: The key pair lives in the key's secure element — effectively a dedicated TPM in your pocket. Keys cost roughly $25–$70 each and provide better security than a software TPM fallback.
- Microsoft Authenticator on a phone: The phone's secure enclave (Apple Secure Enclave or Android StrongBox) handles key storage. Most modern phones have this even if the PC does not have a TPM.
- Cross-device auth via QR: Authenticate the Windows login using a passkey stored on a phone, using the proximity flow described above.
For organizations still running Win10 endpoints, the hardware security key is the cleanest path to phishing-resistant auth today — without a device refresh.
The bottom line
Passkeys are not a future technology. They are available now, supported by Apple, Google, Microsoft, and most major platforms. The ecosystem is mature. Entra ID support is production-ready. The cryptographic model is sound. The primary barrier is organizational inertia.
For most organizations, the practical deployment model is this: synced passkeys for the general workforce, hardware security keys mandatory for privileged identities. That is exactly the model Entra's passkey profiles are designed to support.
Passwords are a liability on your risk register and balance sheet. Passkeys are the remediation. The question is not whether to make the transition — it is how fast you can get there.
Need help understanding the right direction and steps needed to reduce the use of passwords in your organization? Contact me to schedule a free 30-minute discovery call to discuss strategy.