Passwords have been causing problems for as long as I’ve been in IT — and that’s over 15 years. The same issues, year after year. Staff reusing the same credentials across multiple services, weak passwords slipping through, reset requests eating up support time, and every twelve months another breach report confirming that stolen passwords are still the number one way businesses get compromised.
Passkeys are the most practical answer I’ve seen to that problem. Not because they’re new technology for technology’s sake, but because they actually solve the core issue — and they’re already supported by the platforms most Melbourne businesses use every day.
Here’s what you need to know.
Why Passwords Keep Failing Your Business
The fundamental problem with passwords is structural. A password is a shared secret — your staff know it, the service stores it, and that means it can be stolen from either end.
Multi-factor authentication (MFA) helped, and I still recommend it as a baseline for every business I work with. But the most common form — a six-digit code sent by SMS — has a known weakness most people aren’t aware of. Modern phishing kits can capture both a password and an SMS code in real time, using a convincing fake login page that forwards credentials to the real site before the session expires. By the time your staff member realises something was off, the account is already compromised.
I’ve seen this play out with clients. It’s fast, it’s convincing, and standard MFA doesn’t stop it.
What a Passkey Actually Does Differently
A passkey replaces the shared secret entirely.
When you register with a service using a passkey, your device generates two cryptographic keys — a private key that stays on the device and never leaves it, and a public key that goes to the service. When you log in, your device uses biometrics (Face ID, a fingerprint, or Windows Hello) or a PIN to unlock the private key and sign a challenge from the server. The server verifies the signature against the public key it stored at registration. No password is ever created or transmitted.
The result is that a passkey can’t be phished — it is bound to the domain it was registered on, so a fake login page on a look-alike domain can’t trigger authentication for the real service on your device. It can’t be reused across services, because each service gets its own key pair. And it can’t be exposed in a server-side breach, because the private key never exists anywhere but your device; all the service holds is a public key, which is useless to an attacker on its own.
Passkeys are built on open standards (FIDO2 and WebAuthn) backed by Apple, Google, and Microsoft. This isn’t a proprietary solution that locks you into one vendor — it’s an industry-wide shift that’s already well underway.
What Migration Actually Looks Like
The good news for most businesses I work with is that the infrastructure is already there.
If your team runs Microsoft 365, passkeys are supported through Entra ID and have been the default for new accounts since May 2025. Google Workspace has supported them since 2023. For the majority of Melbourne SMBs I work with, passkey migration can start today without purchasing anything new.
Migration isn’t a single cutover — and treating it like one is the most common mistake. The practical approach is:
Start with your highest-risk users first
Begin with administrators, finance staff, and anyone with access to sensitive systems. They have the most to gain from phishing-resistant authentication and will give you honest feedback before rollout reaches the wider team.
Map your current tools against passkey support before communicating any change. Platforms like Microsoft 365, Google Workspace, GitHub, and most major identity providers already support passkeys fully. Start with those. Leave unsupported tools for a later phase.
Run passwords and passkeys in parallel
Users authenticate with passkeys on enrolled devices and fall back to a password on any device not yet enrolled. Running both methods simultaneously gives time for adoption without locking anyone out mid-project.
Plan for platforms that aren’t ready yet
Not every tool supports passkeys today. For those, a password manager generating unique credentials per service is the right bridge — it eliminates password reuse risk immediately, and when those platforms add passkey support the transition becomes a single enrolment step.
The Practical Benefits Beyond Security
Security is the main reason to do this, but the operational benefits are real.
Fewer failed logins means fewer helpdesk calls and fewer interruptions to your team’s day. No more reset requests for accounts people haven’t logged into for three months. No more staff reusing the same password across twelve services because remembering different ones is impractical.
For businesses working toward compliance frameworks, NIST’s updated guidance (SP 800-63-4, 2025) now requires phishing-resistant authentication as a mandatory option for high-assurance access. Passkey migration moves you toward that standard as a byproduct of something you’d be doing anyway.
Is Your Business Ready to Make the Move?
If your team is running Microsoft 365 or Google Workspace, the short answer is probably yes.
I help Melbourne businesses work through exactly this kind of transition — mapping which platforms are ready, identifying the right rollout order, and making sure nothing breaks along the way. If you want to understand what a passkey migration would look like for your specific environment, get in touch for a no-obligation conversation.