
Passkeys for Small Business: Going Passwordless in 2026

Passwords are behind 80% of data breaches. Microsoft is now auto-enabling passkeys across Microsoft 365. Here's what that means for your business and how to roll it out without disrupting your team.


Your employees probably reuse the same password across multiple accounts. At least one of those accounts has almost certainly already been compromised. And the one-time code your authenticator app sends? Attackers have figured out how to intercept it in real time. Passwords — and traditional MFA — have a ceiling. Passkeys blow through it.

The password problem is worse than you think

The numbers from 2026 are hard to ignore. According to credential security research published this year, 89% of small and mid-sized businesses have at least one compromised credential actively circulating on the dark web right now. Many owners don't know about it until after a breach has already occurred.

The average data breach for a U.S. business with fewer than 500 employees costs $3.31 million — and that's before accounting for reputational damage, lost customers, and regulatory fines. For childcare centers holding sensitive family records, a breach can also trigger mandatory reporting obligations under California's data breach notification law (AB 1130), COPPA, and CCPA.

Most of these breaches start with a single stolen password. The attacker doesn't need to hack your firewall — they just buy credentials from a previous breach elsewhere, try them on your Microsoft 365 login page, and walk in the front door. Traditional MFA (the kind that sends a 6-digit code to your phone) slows this down, but it doesn't stop it. Sophisticated attackers now use real-time phishing kits that capture your MFA code the moment you type it and use it immediately before it expires.

By the numbers: Microsoft's Digital Defense Report found that phishing-resistant authentication (passkeys/FIDO2) stops more than 99% of identity attacks. Standard password-plus-SMS MFA stops significantly fewer because the shared secret — your password — can still be stolen.

What is a passkey, exactly?

A passkey is a replacement for your password, built on a technology called FIDO2 (developed by an industry alliance that includes Apple, Google, and Microsoft). Here's how it works in plain English:

When you create a passkey for a service, your device generates two mathematically linked keys — a private key that never leaves your device, and a public key that gets sent to the website or app. When you sign in, the website sends a challenge, your device signs it with your private key, and the website verifies it with the public key. Your actual credential — the private key — is never transmitted over the internet. There is nothing for an attacker to steal from the server side, and the sign-in can only be completed on your actual device.

To unlock the passkey, you use whatever biometric or PIN is set up on your device: Face ID on an iPhone, Windows Hello on a laptop, a fingerprint reader on an Android phone. This means sign-in requires both something you have (the device) and something you are or know (your biometric or device PIN). The result is strong two-factor authentication built into a single, fast gesture — no separate code to type, no app to open.

Passkeys vs. passwords vs. traditional MFA at a glance

                              Password only   Password + MFA   Passkey
Phishing-proof                No              Partially        Yes
Credential stuffing immune    No              Partially        Yes
No shared secret to steal     No              No               Yes
Sign-in speed                 Slow            Slower           8x faster
Sign-in success rate          32%*            ~50–60%          98%

*Password sign-ins fail more than two thirds of the time due to forgotten passwords, lockouts, and resets — per FIDO Alliance data.

Why 2026 is the year this becomes urgent for small businesses

Passkeys have been around since 2022, but adoption was mostly limited to consumer services. That changed significantly in early 2026. Microsoft began automatically enabling passkey profiles across all Microsoft Entra ID tenants in March 2026 — which means if your business uses any edition of Microsoft 365, the infrastructure is already in your account waiting to be turned on. Microsoft Authenticator added passkey storage on both iOS and Android in late 2025, and Windows Hello now serves as a passkey authenticator on any Windows 11 device.

The timing matters because the threat landscape is also shifting. The same AI tools that are making business more efficient are making credential attacks more scalable. Attackers can now run automated phishing campaigns targeting thousands of small businesses simultaneously, personalizing each message with company-specific details scraped from LinkedIn and your website. Traditional MFA is increasingly the only thing standing between those attacks and your accounts — and as noted above, it can be defeated in real time.

Research published in March 2026 put 87% of U.S. and UK businesses in the process of deploying passkeys. That number signals a real shift: passkeys are no longer a future consideration. They are the current standard that most organizations are actively moving toward. Small businesses that wait will find themselves isolated on older authentication methods that the broader ecosystem is leaving behind.

How passkeys work in Microsoft 365

For businesses running Microsoft 365, passkeys are implemented through Microsoft Entra ID (the identity platform that handles all sign-ins). There are three main approaches:

1. Microsoft Authenticator app (synced passkeys)

The easiest path for most small businesses. Employees download or update the Microsoft Authenticator app on their smartphone, register a passkey tied to that account, and from then on sign in with a face scan or fingerprint. The passkey syncs across devices via their Microsoft account, so losing a phone doesn't mean losing access. This approach works for any device — Windows, Mac, iPhone, Android — and requires no additional hardware purchases.

2. Windows Hello for Business (device-bound passkeys)

On Windows 11 devices, Windows Hello stores a passkey directly in the device's Trusted Platform Module (TPM) chip — a dedicated security processor that cannot be read by software. Employees unlock their laptop with a PIN or fingerprint and are simultaneously signed into Microsoft 365 with no separate authentication step required. This is the highest-security option and is ideal for shared-use devices or situations where you want credentials to be non-transferable.

3. Hardware security keys (FIDO2 security keys)

Physical USB or NFC keys from manufacturers like Yubico provide the strongest possible protection. They're particularly suited to high-privilege accounts — IT admins, anyone with access to financial data, or anyone whose account being compromised would be catastrophic. A key costs $25 to $60 and lasts for years. For a small business with a handful of privileged accounts, this is a low-cost, extremely effective safeguard.

What a real rollout looks like

The technical side of enabling passkeys in Microsoft Entra ID takes under an hour for a prepared IT admin. The harder part is the human side: getting every employee to actually register and use their passkey, managing the transition period while some users are on passkeys and others are still on passwords, and handling edge cases like shared devices, part-time staff, and employees who resist change.

A structured rollout typically follows this sequence:

  1. Audit your app landscape. Before you turn anything on, identify which of your business apps authenticate through Entra ID and which don't. Apps connected through Entra (Teams, SharePoint, most SaaS tools with "Sign in with Microsoft") will benefit immediately. Legacy apps with their own username/password fields need a separate plan.
  2. Enable passkeys in Entra admin center. Turn on the FIDO2 security key and Microsoft Authenticator passkey policies for a pilot group — typically IT staff and early adopters — before enabling them org-wide. This lets you troubleshoot any friction points before they affect everyone.
  3. Use registration campaigns. Microsoft Entra's registration campaign feature lets you prompt users to register a passkey the next time they sign in, rather than sending a blanket IT announcement that gets ignored. This drives adoption organically without requiring a mandatory cutover deadline.
  4. Establish backup and recovery procedures. Document what employees should do if their primary device is unavailable. For Authenticator-based passkeys, this means ensuring employees know how to sign in from a secondary device. For hardware keys, this means purchasing and registering backup keys for critical accounts before you need them.
  5. Disable password sign-in for enrolled users. Once an employee has a passkey registered, you can enforce passkey-only sign-in through Conditional Access policies. This removes the fallback path that attackers could exploit even after passkeys are available.

Real-world outcome: After the Japanese e-commerce platform Mercari migrated to passkeys, they recorded zero phishing incidents related to authentication. Sign-in abandonment dropped sharply because users no longer had to remember or reset passwords. The same security and experience gains apply at any scale — including a 12-person childcare center or a 30-person service business.

Special considerations for childcare centers

Childcare centers face a specific authentication challenge that most small businesses don't: high staff turnover. When a staff member leaves, their Microsoft 365 account should be disabled immediately — but in practice, this step is often missed or delayed. A former employee retaining access to parent contact lists, children's records, or payment information is both a security and a compliance problem under CCPA and Title 22.

Passkeys make offboarding cleaner because credentials are device-bound or Authenticator-bound to the employee's personal device. Disabling their Entra ID account immediately revokes all passkey sign-ins, and there is no recoverable password for them to have written down or shared with a colleague. Combined with a Conditional Access policy that blocks sign-ins from unmanaged devices, this gives childcare directors meaningful control over who can reach sensitive data even with a rotating staff roster.

Shared devices — a front desk tablet used by multiple staff throughout the day — require a different approach. Each staff member should have their own Entra ID account, and the shared device should be enrolled in Microsoft Intune (MDM) with Windows Hello configured. Staff sign in with their own PIN or fingerprint, work within their own Microsoft 365 session, and the next person who sits down signs in with their own credential. No shared passwords, no ambiguity about who accessed what.

How EDCON helps businesses make the transition

The technical configuration of passkeys in Microsoft Entra ID is well-documented, but the path from "we should do this" to "every employee is actively using it" is where most small businesses get stuck. Without a structured rollout, adoption stalls. Staff use the old method when the new one feels unfamiliar. Edge cases don't get handled. The security gain doesn't materialize.

EDCON's managed IT service handles every step: auditing your current authentication setup, identifying all the apps connected to your Entra ID tenant, configuring the passkey policies correctly for your specific mix of Windows, Mac, iOS, and Android devices, rolling out registration campaigns, and training your staff so they understand what's happening and why. We also configure Conditional Access policies to make sure that once a user has a passkey registered, passwords are actually removed from their sign-in path rather than left as a fallback for attackers to find.

We've run this rollout for childcare centers that needed to solve the staff turnover problem, and for small businesses whose owners were concerned after learning that credentials had appeared in data breach monitoring alerts. In both cases, the transition was completed without disruption to daily operations and resulted in measurably faster sign-ins for staff who had previously dealt with password reset requests on a regular basis.

If you're not sure whether your Microsoft 365 tenant already has passkeys partially enabled (Microsoft's March 2026 rollout may have turned on some settings without your knowledge), that's the right place to start. An IT audit will tell you what's active, what's misconfigured, and what still needs attention before you can call your authentication posture secure.

Frequently asked questions

What is the difference between passkeys and regular multi-factor authentication (MFA)?

Traditional MFA adds a second step — usually a one-time code sent by text or an authenticator app — on top of a password. The password itself can still be phished or stolen. Passkeys replace the password entirely with a cryptographic key pair stored on your device. There is no shared secret for an attacker to steal, and the sign-in cannot be replayed on a fake website, which makes passkeys fundamentally more secure than any password-plus-MFA combination.

Do I need to pay extra for passkeys in Microsoft 365?

No. Passkeys (FIDO2) are available in every tier of Microsoft Entra ID, including the free edition. If your business already uses Microsoft 365 Business Basic, Standard, or Premium, passkey support is already included in your license. The Microsoft Authenticator app — which stores synced passkeys on iOS and Android — is also free.

What happens if an employee loses the device their passkey is stored on?

Synced passkeys (the kind stored in the Microsoft Authenticator app or iCloud Keychain) are backed up to the cloud and restore automatically when the employee signs into a new device. Device-bound passkeys on hardware security keys require registering a backup key. In either case, your IT admin can remotely revoke the lost passkey from Microsoft Entra ID and issue a new one through a verified temporary access pass — no password reset required.

Will passkeys work with all the apps my business uses?

Any app that uses Microsoft Entra ID for sign-in — including Microsoft 365, Teams, SharePoint, Outlook, and thousands of third-party SaaS apps connected through Entra — supports passkeys once you enable them in your tenant. Legacy apps that use only usernames and passwords may not support passkeys yet. An IT audit can identify which of your tools are passkey-ready and which need alternative approaches in the meantime.

Ready to move your business beyond passwords?

EDCON helps small businesses and childcare centers in Southern California enable passkeys, configure Microsoft Entra ID correctly, and train staff so the transition sticks. Book a free consultation to find out where your authentication posture stands today and what it would take to close the gaps.
