Passkeys: Your Simple, Secure Path to a Password-Free Future 

By Gareth Shaw, Managing Director, Pera Prometheus 

For non-technical leaders and small to medium enterprise (SME) owners, navigating the complexities of information and cybersecurity can feel daunting. Passwords have been the default way of protecting online accounts, but their reliability is increasingly being challenged, leaving businesses vulnerable. Passkeys have emerged to counter this: a modern, secure, and user-friendly alternative that is transforming how we safeguard our digital lives. In this blog, I’ll explain why passwords are problematic, what passkeys are, how they work, their benefits and challenges, and why your organisation should consider adopting them. 

Why Passwords Are a Growing Risk for Businesses 

Passwords have been the cornerstone of online security for decades, but they are increasingly unfit for purpose in today’s technically advanced world. For SMEs, where resources and time are often limited, the issues with passwords can pose serious risks to operations, finances, and reputation. Here’s why passwords are problematic: 

Easily forgotten or reused: With the average person juggling dozens of online accounts, it’s tempting to reuse passwords or write them down, making it easier for criminals to gain access. A single reused password can compromise multiple accounts. 

Vulnerable to attacks: Passwords are prime targets for phishing, where attackers trick users into revealing credentials, or brute-force attacks, where hackers use software to guess passwords. Microsoft confirmed in its 2024 Digital Defence Report that it was detecting 7,000 password attacks per second, a dramatic increase from previous years. 

Time-consuming management: Creating, remembering, and updating strong, unique passwords for every account is a burden for employees and IT teams alike, leading to inefficiencies and potential security lapses. 

Weak passwords: Despite warnings, employees still choose common passwords such as “password123” or “companyname2025” for ease. These are easily cracked, leaving businesses exposed. 

For SMEs, a single data breach caused by a compromised password can result in financial loss, legal issues, and damage to customer trust. The good news? There is a better way forward. 

Passkeys: The Future of Secure Authentication 

Passkeys are a revolutionary alternative to passwords, designed to make online access both simpler and more secure. Championed by tech giants like Apple, Google, and Microsoft, and endorsed by the UK’s National Cyber Security Centre (NCSC), passkeys are quickly gaining traction as the “future of authentication”. Unlike passwords, passkeys don’t rely on something you need to remember or type: they are tied to your device and verified using biometrics (like a fingerprint or face scan) or a PIN. 

What Are Passkeys and How Do They Work? 

Passkeys are based on public-key cryptography, a secure system used in cybersecurity for decades. Think of a passkey as a digital lock and key: one part (the public key) is stored by the website or service you’re accessing, while the other part (the private key) stays securely on your device, never shared online. Here’s how they work in simple terms: 

Creation: When you sign up for a service that supports passkeys (like Google, PayPal, or gov.uk), your device creates a unique pair of cryptographic keys. The public key is shared with the service, while the private key remains locked on your device. 

Authentication: To log in, you verify your identity using a fingerprint, face scan, or PIN. Your device then uses the private key to sign a one-time challenge from the service, and the service checks that signature against the public key it holds, granting access without any sensitive information ever being sent over the internet. 

Security: Because the private key never leaves your device and each passkey is unique to the service, hackers can’t steal or reuse it, even if they breach a website’s servers. 

This process is seamless and eliminates the need to type credentials or handle two-factor authentication codes, making logins faster and more secure. 

The Benefits and Challenges of Passkeys 

Passkeys offer significant advantages for SMEs, but like any new technology, they come with some challenges. Understanding both will help you decide if they’re right for your business. 

Benefits of Passkeys

Enhanced Security: Passkeys are phishing-resistant because the private key never leaves your device, making them nearly impossible to steal remotely. This is a game-changer for protecting sensitive business data. 

User-Friendly: No more remembering complex passwords. Passkeys rely on biometrics or PINs, which are quicker and easier for employees to use, reducing login stress and password fatigue. 

Reduced IT Burden: 90% of businesses adopting passkeys report fewer helpdesk incidents, as employees no longer need assistance with forgotten passwords or locked accounts. 

Faster Logins: Passkeys speed up the login process since there is no typing of usernames and passwords, saving time for employees and customers. 

Future-Proof: With support from major platforms like Apple, Google, Microsoft, and even gov.uk, passkeys are becoming a standard, ensuring your business stays ahead of the curve. 

Challenges of Passkeys 

Adoption Lag: Not all websites and applications support passkeys yet, so you may need to maintain a mix of passwords and passkeys during the transition. 

Device Dependency: Passkeys are tied to specific devices. If a device is lost or replaced, you’ll need robust recovery plans, such as backup keys or trusted contacts, to regain access. 

Learning Curve: While passkeys are user-friendly, non-technical staff may need training to understand and adopt them confidently. 

Despite these challenges, the benefits of passkeys far outweigh the drawbacks, especially as adoption grows and technology improves. 

How Passkeys Work: A Simple Illustration 

Imagine you’re logging into your business’s online banking platform: 

1. Sign-Up: You visit the bank’s website, which supports passkeys. Your smartphone creates a unique pair of keys: a public key for the bank and a private key stored on your phone. 

2. Login: The next time you log in, the bank’s website sends a challenge to your phone. You verify your identity with a fingerprint or face scan. 

3. Authentication: Your phone uses the private key to respond to the challenge, confirming your identity without sharing sensitive data. 

4. Access Granted: You’re logged in instantly, with no passwords required.

Why Organisations Should Embrace Passkeys 

For SMEs, adopting passkeys is a smart move to enhance security, streamline operations, and stay competitive in a digital-first world. The NCSC’s push for passkeys, alongside their adoption by gov.uk, signals a major shift toward “passwordless” authentication. The transition may require some planning, but the long-term benefits make it a worthwhile investment. By moving to passkeys, your business can: 

  • Protect against rising cyber threats 
  • Save time and reduce IT costs by minimising password-related issues 
  • Build customer trust with secure, user-friendly authentication 
  • Future-proof your operations as passkeys become the industry standard 

Can a Private Key Be Stolen via Remote Access? 

In theory, no, but in practice it depends on how the key is stored:

1. Secure Storage: Most modern devices store passkey private keys in hardware-backed secure environments like: 

  • TPM (Trusted Platform Module) on Windows 
  • Secure Enclave on Apple devices 
  • TEE (Trusted Execution Environment) on Android 

These environments are designed to be tamper-resistant, meaning even if a threat actor gains remote access, they cannot extract the private key directly. 

2. Biometric/PIN Gatekeeping: Accessing the private key typically requires local authentication, like a fingerprint, face scan, or PIN. Without that, the key remains locked. 

3. Password Managers Caveat: If the passkey is stored in a software-based password manager, and that manager is compromised or left unlocked, then yes, remote access could expose the key. This is why hardware-backed storage is preferred for sensitive credentials. 

What Happens If the Device Is Lost or Stolen? 

Fortunately, passkey ecosystems are built with redundancy and recovery in mind: 

1. Sync Across Devices: 

  • Services like Apple iCloud Keychain, Google Password Manager, and 1Password sync passkeys across your devices. 
  • If one device is lost, you can still access your passkeys from another device in the same ecosystem. 

2. Recovery Options: 

  • Disable the passkey remotely: You can revoke access for the lost device via your account settings. 
  • Set up a new passkey: On a replacement device, you can re-authenticate using legacy methods (e.g. password + 2FA) and generate a new passkey. 
  • Escrow Recovery: Apple, for example, offers iCloud Keychain escrow, allowing recovery even if all devices are lost—protected by multi-step authentication. 

3. If the passkey was device-bound and not synced, and the device is lost, you may need to re-register with each service manually.