Passkeys in the real world
by Aaron Flack on Oct 31, 2025

Passwords represent one of the weakest forms of security that we continue to rely on. They are easy to forget, easy to steal, and costly to manage. Every phishing breach, every instance of credential stuffing, and every password reset request serves as a reminder of a broken system we have come to accept.
Passkeys offer a transformative change in how we approach authentication. By replacing shared secrets with cryptographic proof, users no longer need to enter anything. Their devices prove who they are using a public and private key pair. The private key remains securely stored on the device, unlocked only by biometrics or a PIN that never leaves the device. This approach eliminates the need for typed secrets, significantly reducing the risk of phishing attacks and other human-related vulnerabilities.
By removing the password from the authentication process, we close off a key pathway exploited by attackers. If information is not shared, it cannot be intercepted. For years, multi-factor authentication acted as a temporary fix, while passkeys represent a comprehensive redesign for a secure future. By their very nature, they are resistant to phishing, making security easier and more effective.
Passkeys have been around for a while; they are not a new or emerging technology. Companies like Microsoft, Apple, and Google have already embraced passkeys at a global scale. Microsoft Entra ID now supports device-bound passkeys, and Windows Hello for Business stands as a powerful authenticator. The infrastructure is ready, and now it's time for decisive action.
Password managers do little to resolve this issue; instead, they centralise risk. Every password stored in a vault is still vulnerable to reuse, phishing, or theft. Many organisations have created a more expensive version of the same vulnerability.
The success of implementing passkeys depends on ownership. This initiative is an opportunity for growth and efficiency. The COO needs to champion productivity gains, the CFO should monitor ROI and insurance benefits, and the CISO must define control strength, recovery, and exception paths. HR plays a crucial role in managing training and communication. At the same time, the Service Desk is tasked with onboarding, recovery, and measurement.
If no one takes ownership, discussions will go in circles. But with shared responsibility, we can drive meaningful delivery and transformative change.
Passkeys align beautifully with ISO 27001's objectives for strong authentication and meet Cyber Essentials' requirements for phishing-resistant multi-factor authentication. They simplify compliance reporting and reduce audit friction. But the reason to embrace passkeys goes beyond compliance; it's an essential step towards achieving operational clarity and financial efficiency, paving the way for a more secure future.
The financial case: fewer resets, fewer incidents, higher success rates
Every password reset is a tiny productivity tax. Multiply it by a thousand users and a year's worth of lockouts and forgotten credentials, and you have a hidden line item your finance team never approved.
Industry benchmarks place the hard cost of a password reset between $70 and $80, excluding lost time. Add two resets per user, per year, and a thousand users silently burn around £110,000 annually on something that produces zero business value. That doesn't include the opportunity cost of downtime or the frustration cost of lost minutes.
Passkeys erase that cost. Users can't forget what they never had to remember. They sign in using the same gesture they already use to unlock a device. Sign-in success rates rise, failed authentication events fall, and support demand drops.
Now we factor in incident response. Phishing remains the dominant entry vector for ransomware. Passwords and weak MFA factors feed that funnel. Remove the shared secret, and you remove the easiest attack surface. Less time on breach remediation, less data exposure, less reputational risk.
Then consider insurance. Underwriters are increasingly explicit: phishing-resistant MFA is a precondition for favourable terms. Presenting a passkey adoption roadmap changes that conversation. It signals maturity, not minimal compliance. Premiums and conditions can reflect that.
This is the kind of return on investment most security programmes can't articulate. It's not hypothetical risk avoidance—it's tangible cost reduction.
Here's a conservative model.
Assume 1,000 users, two password resets per year at £55 each. That's £110,000 in annual reset cost. A 50% reduction in resets delivers £55,000 in savings. Add even a modest decrease in phishing-led downtime, and you're looking at six figures, all without buying another licence or tool.
How to implement across Microsoft 365 and a mixed SaaS portfolio
Begin with a focused approach and expand rapidly. You can illustrate tangible value within ninety days.
Phase One: Building a Strong Foundation
Start by enabling passkeys in Entra ID to establish a foundation of security. Take the time to review and enhance your Conditional Access policies. Implement phishing-resistant multi-factor authentication (MFA) wherever possible and configure Windows Hello for Business effectively. It's essential to evaluate your critical SaaS applications for passkey or FIDO2 support, prioritising those that are high-risk and high-value. Additionally, consider designing your recovery processes with the same diligence as your sign-in methods, as attackers are increasingly targeting recovery paths.
Phase Two: Pilot Program
Choose a diverse group of 50 to 100 users from operations, finance, and IT, ensuring that administrators are included. Enforce the use of platform passkeys for regular users and hardware-backed keys for admins. Monitor key metrics, including success rates, login times, and helpdesk inquiries, to assess the effectiveness of the pilot. Share your findings with the COO every week and provide monthly updates to the CFO.
Phase Three: Scaling Up
As you gather insights from the pilot, begin to expand the initiative across departments and application clusters. Work towards phasing out password dependencies as your coverage grows. Retain hardware keys for those with privileged access to maintain a high standard of security. In situations where SaaS support is still developing, rely on robust MFA solutions and set specific review dates to evaluate progress and make adjustments as needed.
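The three phases above translate into a handful of Entra ID policy objects. The following is an added example, not Conosco's or Microsoft's own code: it builds the Microsoft Graph payloads for enabling the FIDO2 method (Phase One), a custom authentication strength that admits only approved hardware keys for admins (Phase Three), and a Conditional Access policy that ties a privileged role to the built-in phishing-resistant strength; it then audits a constructed policy export for the gaps the rollout is meant to close. Request shapes follow the Graph documentation for `fido2AuthenticationMethodConfiguration`, `authenticationStrengthPolicies` and `conditionalAccessPolicy` and should be confirmed against current docs; the role ids and AAGUIDs are placeholders, and nothing is sent to a tenant.

```python
"""Added example (not Conosco's or Microsoft's code): build the Entra ID
payloads a passkey rollout needs and audit an exported Conditional Access
policy set. Request shapes follow Microsoft Graph docs (confirm before use);
every tenant-specific id is a constructed placeholder; nothing is sent."""
import json

GRAPH = "https://graph.microsoft.com/v1.0"

# Built-in authentication strength "Phishing-resistant MFA" (Windows Hello for
# Business, FIDO2 security key, certificate-based auth). Confirm the id in your
# tenant under Authentication methods > Authentication strengths.
PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"

# Constructed placeholders: privileged directory roles in the pilot, and the
# AAGUIDs of the hardware-key models approved for admins.
ADMIN_ROLE_IDS = ["<global-admin-role-template-id>", "<exchange-admin-role-template-id>"]
ADMIN_KEY_AAGUIDS = ["<approved-security-key-aaguid>"]


def fido2_method_patch() -> tuple[str, str, dict]:
    """Phase One: enable passkeys (FIDO2) as a sign-in method and let users
    register their own. Key restrictions are left off because they apply
    tenant-wide; hardware-only for admins is enforced per role instead."""
    body = {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "state": "enabled",
        "isSelfServiceRegistrationEnabled": True,
        # Attestation can only be enforced if every approved authenticator
        # (including platform passkeys for regular users) supports it.
        "isAttestationEnforced": False,
        "keyRestrictions": {"isEnforced": False, "enforcementType": "block", "aaGuids": []},
    }
    url = f"{GRAPH}/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2"
    return "PATCH", url, body


def admin_hardware_key_strength(aaguids: list[str]) -> list[tuple[str, str, dict]]:
    """Phase Three: custom authentication strength admitting only FIDO2
    authenticators on the approved hardware-key list. Two requests: create the
    strength, then attach the AAGUID restriction using the id it returns."""
    create = ("POST", f"{GRAPH}/policies/authenticationStrengthPolicies", {
        "displayName": "Admins: approved hardware keys only",
        "description": "FIDO2 only, restricted to approved security key models",
        "allowedCombinations": ["fido2"],
    })
    restrict = ("POST", f"{GRAPH}/policies/authenticationStrengthPolicies/{{strength_id}}/combinationConfigurations", {
        "@odata.type": "#microsoft.graph.fido2CombinationConfiguration",
        "appliesToCombinations": ["fido2"],
        "allowedAAGUIDs": list(aaguids),
    })
    return [create, restrict]


def strength_ca_policy(display_name: str, role_ids: list[str], strength_id: str,
                       state: str = "enabled") -> dict:
    """Conditional Access policy: members of the listed directory roles get
    access only when the sign-in satisfies the named authentication strength."""
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeRoles": list(role_ids)},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "authenticationStrength": {"id": strength_id}},
    }


def audit_policies(policies: list[dict], admin_role_ids: list[str], strength_id: str) -> list[str]:
    """Findings for an exported policy set: a privileged role with no enabled
    policy requiring the phishing-resistant strength is a GAP; an enabled policy
    that still grants on the legacy 'mfa' control is the interim 'robust MFA'
    state from Phase Three and gets a REVIEW reminder."""
    findings, covered = [], set()
    for p in policies:
        if p.get("state") != "enabled":
            continue
        grant = p.get("grantControls") or {}
        roles = set(((p.get("conditions") or {}).get("users") or {}).get("includeRoles", []))
        if (grant.get("authenticationStrength") or {}).get("id") == strength_id:
            covered |= roles
        elif "mfa" in grant.get("builtInControls", []):
            findings.append(f"REVIEW: '{p['displayName']}' still grants on legacy MFA; set a review date")
    findings += [f"GAP: role {r} has no enabled policy requiring phishing-resistant MFA"
                 for r in admin_role_ids if r not in covered]
    return findings


# Constructed export standing in for what a real tenant would return.
SAMPLE_EXPORT = [
    strength_ca_policy("Admins: phishing-resistant MFA", ADMIN_ROLE_IDS[:1], PHISHING_RESISTANT_STRENGTH_ID),
    {"displayName": "All users: any MFA", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    for method, url, body in [fido2_method_patch(), *admin_hardware_key_strength(ADMIN_KEY_AAGUIDS)]:
        print(method, url, json.dumps(body, indent=2))
    for finding in audit_policies(SAMPLE_EXPORT, ADMIN_ROLE_IDS, PHISHING_RESISTANT_STRENGTH_ID):
        print(finding)
```

Run against a real export (for example the output of `GET /identity/conditionalAccess/policies`), the audit turns the governance line "Retain hardware keys for those with privileged access" into a repeatable check: every privileged role must appear in an enabled policy that grants on the phishing-resistant strength, and any policy still relying on the generic `mfa` control is listed so it gets the review date Phase Three calls for.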
Governance must be explicit.
- COO: Own adoption metrics and productivity gains.
- CFO: Track ROI, insurance impact, and operational savings.
- CISO/Head of IT: Own policy, recovery, and technical assurance.
- Service Desk: Manage support and exceptions with measurable SLAs.
- HR: Drive communication and behavioural change.
Training must be practical and empowering. Users should confidently know what to expect when they first log in, how to add a new device, and how the recovery process unfolds. If a password prompt still appears, that is a defect, not a fallback.
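The pilot metrics above (sign-in success rates per method) and the rule that a password prompt is a defect can both be measured from the tenant's sign-in logs. The following is an added example, not Conosco's code: field names are modelled on the Entra ID sign-in log export (`userPrincipalName`, `status.errorCode`, `authenticationDetails[].authenticationMethod`), the records are constructed, and the pilot user list and the set of methods counted as passkeys are assumptions to adjust for your tenant.

```python
"""Added example (not Conosco's code): pilot measurement over sign-in records.
Field names follow the Entra ID sign-in log export; the records below are
constructed, so nothing here reads a real tenant."""
from collections import defaultdict

# Constructed sign-in records. errorCode 0 is a successful sign-in; 50126 is
# the Entra code for an invalid username or password.
SIGN_IN_EXPORT = [
    {"createdDateTime": "2025-10-01T08:02:11Z", "userPrincipalName": "alice@example.com",
     "status": {"errorCode": 0},
     "authenticationDetails": [{"authenticationMethod": "FIDO2 security key", "succeeded": True}]},
    {"createdDateTime": "2025-10-01T08:05:42Z", "userPrincipalName": "bob@example.com",
     "status": {"errorCode": 0},
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True}]},
    {"createdDateTime": "2025-10-01T08:06:10Z", "userPrincipalName": "carol@example.com",
     "status": {"errorCode": 50126},
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": False}]},
    {"createdDateTime": "2025-10-01T09:12:00Z", "userPrincipalName": "alice@example.com",
     "status": {"errorCode": 0},
     "authenticationDetails": [{"authenticationMethod": "Windows Hello for Business", "succeeded": True}]},
    {"createdDateTime": "2025-10-01T09:30:55Z", "userPrincipalName": "dave@example.com",
     "status": {"errorCode": 0},
     "authenticationDetails": [{"authenticationMethod": "FIDO2 security key", "succeeded": True}]},
]

# Assumed pilot membership and the methods counted as passkey sign-ins.
PILOT_USERS = {"alice@example.com", "bob@example.com", "carol@example.com"}
PASSKEY_METHODS = {"FIDO2 security key", "Windows Hello for Business"}


def method_success_rates(records: list[dict]) -> dict[str, tuple[int, int, float]]:
    """Per authentication method: (attempts, successes, success rate).
    This is the weekly success-rate figure for the COO report."""
    attempts, successes = defaultdict(int), defaultdict(int)
    for r in records:
        for step in r.get("authenticationDetails", []):
            method = step.get("authenticationMethod")
            if not method:
                continue
            attempts[method] += 1
            if step.get("succeeded"):
                successes[method] += 1
    return {m: (attempts[m], successes[m], successes[m] / attempts[m]) for m in attempts}


def password_defects(records: list[dict], pilot_users: set[str]) -> list[str]:
    """Pilot users who were still prompted for a password, whether or not the
    attempt succeeded: each one is a policy or app-coverage defect to chase."""
    return sorted({
        r["userPrincipalName"] for r in records
        if r.get("userPrincipalName") in pilot_users
        and any(s.get("authenticationMethod") == "Password"
                for s in r.get("authenticationDetails", []))
    })


def passkey_coverage(records: list[dict], pilot_users: set[str]) -> float:
    """Share of the pilot's successful sign-ins that used a passkey method."""
    total = used = 0
    for r in records:
        if r.get("userPrincipalName") not in pilot_users:
            continue
        if (r.get("status") or {}).get("errorCode") != 0:
            continue
        total += 1
        if any(s.get("authenticationMethod") in PASSKEY_METHODS and s.get("succeeded")
               for s in r.get("authenticationDetails", [])):
            used += 1
    return used / total if total else 0.0


if __name__ == "__main__":
    for method, (n, ok, rate) in sorted(method_success_rates(SIGN_IN_EXPORT).items()):
        print(f"{method:28s} attempts={n} successes={ok} rate={rate:.0%}")
    print("pilot passkey coverage:", f"{passkey_coverage(SIGN_IN_EXPORT, PILOT_USERS):.0%}")
    print("pilot users still seeing a password prompt:", password_defects(SIGN_IN_EXPORT, PILOT_USERS))
```

On the constructed data the password method shows a 50% success rate against 100% for both passkey methods, pilot coverage is two of three successful sign-ins, and two pilot users are listed as defects because a password prompt reached them at all. Point the same functions at a real export and the defect list becomes the Service Desk's work queue for the week.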
By embedding passkeys into Entra ID and modern SaaS, we can eliminate entire categories of attacks. This not only simplifies compliance with ISO 27001 but also strengthens your Cyber Essentials position, making cyber insurance conversations more manageable.
This is where security and productivity unite:
- Less friction
- Less risk
- Less waste
The cost of doing nothing
Every day you keep passwords alive, you pay for their failures. You fund helpdesk strain, you underwrite risk, you accept inefficiency as normal.
There is no longer a strategic defence for that. The platforms are prepared, and the standards are established. The return is clear.
Speak to a Conosco identity specialist. Size the ROI, set the targets, and deliver a passkey rollout that pays for itself inside a quarter.