Passkeys are cryptographic credentials stored on a user's device or hardware security key that replace passwords entirely. For a small business, rolling out passkeys means employees sign in with Face ID, Touch ID, Windows Hello, or a hardware key instead of typing a password, and every sign-in is phishing-resistant by design. In 2026, every major identity platform your business uses already supports passkeys. The only remaining question is how you roll them out without disrupting your staff.

We help New Jersey businesses plan these migrations every month. The pattern below is what actually works, and it assumes you are a real company with non-technical employees, legacy line-of-business applications, and no appetite for a six-month identity project.

Why Passkeys Matter More Than Ever in 2026

Password-based authentication, even with SMS or authenticator-app MFA, is the single biggest foothold attackers use to breach small businesses. Token theft, adversary-in-the-middle phishing kits like Evilginx, and MFA fatigue attacks have made traditional MFA far less effective than it was three years ago. We wrote about this in our guide on token theft and session hijacking, and the trend has only accelerated.

Passkeys fix the root cause. A passkey is a public/private key pair. The private key never leaves the user's device. When they sign in, the device proves possession of the private key by signing a challenge from the real domain. If the user lands on a fake Microsoft 365 login page, the passkey simply will not work, because the domain does not match. There is no code to steal, no token to intercept, and no fatigue prompt to tap the wrong way.
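To make the domain binding concrete, here is a small added example (not code from this article) that models the check in Python: the browser only releases an assertion when the requested relying-party id (rpId) matches the origin of the page it actually loaded, the authenticator only holds credentials scoped to that rpId, and the relying party verifies the origin, the rpId hash and the signature before accepting the challenge response. All domains, account names and the look-alike domain are constructed, and HMAC-SHA256 stands in for the authenticator's asymmetric signature (real authenticators sign with a private key such as ECDSA P-256 and the server keeps only the public key).

```python
"""Toy model of why a passkey assertion fails on a look-alike domain.
Added example, not from the page: HMAC-SHA256 stands in for the authenticator's
private-key signature; every name and domain below is constructed."""
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"                # constructed relying-party id
RP_ORIGIN = "https://login.example.com"    # the only origin the RP accepts

def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()

class Authenticator:
    """Holds the secret that never leaves the device; credentials are scoped to an rpId."""
    def __init__(self):
        self._key = secrets.token_bytes(32)
        self.credentials = {}              # rp_id -> credential id
    def make_credential(self, rp_id):
        cred_id = secrets.token_hex(16)
        self.credentials[rp_id] = cred_id
        return cred_id, self._key          # toy: RP gets the verification key directly
    def get_assertion(self, rp_id, client_data_hash):
        if rp_id not in self.credentials:
            raise LookupError("no credential scoped to " + rp_id)
        auth_data = rp_id_hash(rp_id) + b"\x01"   # rpIdHash || flags (user present)
        sig = hmac.new(self._key, auth_data + client_data_hash, hashlib.sha256).digest()
        return self.credentials[rp_id], auth_data, sig

class Browser:
    """Builds clientDataJSON from the origin it really loaded and enforces the rpId rule."""
    def __init__(self, authenticator):
        self.authn = authenticator
    def get(self, page_origin, rp_id, challenge):
        host = page_origin.split("://", 1)[1]
        if not (host == rp_id or host.endswith("." + rp_id)):
            raise PermissionError(f"rpId {rp_id!r} is not valid for origin {page_origin!r}")
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": page_origin}, sort_keys=True).encode()
        cred_id, auth_data, sig = self.authn.get_assertion(rp_id, hashlib.sha256(client_data).digest())
        return {"id": cred_id, "clientDataJSON": client_data,
                "authenticatorData": auth_data, "signature": sig}

class RelyingParty:
    def __init__(self):
        self.users = {}                    # username -> (credential id, verification key)
        self.challenges = {}               # outstanding challenge -> username
    def register(self, username, authenticator):
        self.users[username] = authenticator.make_credential(RP_ID)
    def begin_login(self, username):
        challenge = secrets.token_urlsafe(32)
        self.challenges[challenge] = username
        return challenge
    def finish_login(self, assertion):
        cd = json.loads(assertion["clientDataJSON"])
        username = self.challenges.pop(cd.get("challenge"), None)   # single use, no replay
        if username is None or cd.get("type") != "webauthn.get":
            return False, "unknown or replayed challenge"
        if cd.get("origin") != RP_ORIGIN:
            return False, "origin mismatch: " + str(cd.get("origin"))
        cred_id, key = self.users[username]
        auth_data = assertion["authenticatorData"]
        if assertion["id"] != cred_id or auth_data[:32] != rp_id_hash(RP_ID):
            return False, "credential or rpIdHash mismatch"
        signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
        if not hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), assertion["signature"]):
            return False, "bad signature"
        return True, "ok"

def attempt_login(rp, browser, username, page_origin, rp_id_requested):
    """One sign-in attempt from a page at page_origin; returns (accepted, reason)."""
    challenge = rp.begin_login(username)
    try:
        assertion = browser.get(page_origin, rp_id_requested, challenge)
    except (PermissionError, LookupError) as e:
        rp.challenges.pop(challenge, None)
        return False, str(e)
    return rp.finish_login(assertion)

def demo():
    authn, rp = Authenticator(), RelyingParty()
    browser = Browser(authn)
    rp.register("alice", authn)
    phish = "https://login-example.com"    # constructed look-alike domain
    results = {
        "genuine": attempt_login(rp, browser, "alice", RP_ORIGIN, RP_ID),
        # a relay page can forward the real challenge, but the browser refuses the real rpId there
        "lookalike_real_rpid": attempt_login(rp, browser, "alice", phish, RP_ID),
        # and asking for its own rpId finds no credential scoped to it
        "lookalike_own_rpid": attempt_login(rp, browser, "alice", phish, "login-example.com"),
    }
    # a tampered client that skips the browser check is still caught server-side,
    # because the signed clientDataJSON carries the origin the page really had
    challenge = rp.begin_login("alice")
    forged = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": phish},
                        sort_keys=True).encode()
    cred_id, auth_data, sig = authn.get_assertion(RP_ID, hashlib.sha256(forged).digest())
    results["forged_client_data"] = rp.finish_login(
        {"id": cred_id, "clientDataJSON": forged, "authenticatorData": auth_data, "signature": sig})
    return results

if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:22} {'ACCEPT' if ok else 'REJECT':7} {reason}")
```

Only the genuine attempt is accepted; the three look-alike cases fail at three different layers (browser rpId rule, credential scoping, server-side origin check), which is why there is no code or token for a phishing page to harvest.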

The Cybersecurity and Infrastructure Security Agency (CISA), NIST SP 800-63B, and every major cyber insurance carrier now treat FIDO2-based authentication as the gold standard. Several insurers in the New Jersey market are offering premium reductions for organizations that deploy phishing-resistant MFA across privileged accounts.

The Two Kinds of Passkeys

Before you plan anything, get the terminology straight because the two flavors have very different operational implications.

Synced passkeys live in a cloud account, usually iCloud Keychain, Google Password Manager, or a password manager like 1Password or Bitwarden. They are convenient because they follow the user across devices, but they inherit the security of the cloud account they are synced to. For most general-purpose employee sign-ins, synced passkeys are the right choice.

Device-bound passkeys live on a specific device or hardware key (like a YubiKey) and never leave it. They are more secure because the private key is physically isolated, but they require a recovery plan because losing the device means losing the credential. Use device-bound passkeys for administrators, finance approvers, and anyone with privileged access.

Rule of thumb: Synced passkeys for the general workforce, hardware-key device-bound passkeys for admins and finance. Never let a domain admin sign in with a synced passkey on a personal Apple ID.

A 30-Day Passkey Rollout for a Small Business

Most of the SMBs we support in Morris, Essex, and Passaic counties can complete a passkey rollout in about 30 days without stopping normal work.

Week 1: Inventory and Policy

Start with a short identity inventory. List every application employees sign into daily, group them by identity provider (Microsoft Entra ID, Google Workspace, Okta, or local accounts), and flag anything that still uses standalone passwords. For most NJ SMBs, 80 to 90 percent of daily sign-ins flow through Microsoft 365 or Google Workspace, which is why that is where the biggest wins are.

Then write a one-page policy that covers who is required to use passkeys, which passkey types are allowed for which roles, how lost devices will be recovered, and what happens when an employee leaves. If you do not have an AI and identity governance policy already, this is a good moment to consolidate.

Week 2: Pilot with IT and Leadership

Roll passkeys out first to the IT team and executive leadership. These are the accounts attackers target most and the people most capable of giving you honest feedback. In Microsoft 365, enable passkey (FIDO2) as an authentication method in Entra ID, configure the authentication strength policy, and require phishing-resistant MFA for all administrative roles via Conditional Access. In Google Workspace, enable security keys for your organization and enforce it for the admin console.

Have every pilot user enroll at least two authenticators: one primary (phone or laptop biometric) and one backup (hardware key or second device). The backup is non-negotiable. Lockouts are the single biggest reason rollouts stall.

Week 3: Phased Rollout by Department

Expand to one department at a time. Finance and operations first, sales second, general staff last. Do a 30-minute group enrollment session where someone walks them through setup on their actual work device. Self-service enrollment without a live walkthrough produces a 20 to 30 percent drop-off rate every single time. We have watched it happen.

Keep password sign-in available as a fallback during this phase, but start logging which accounts are still using passwords. You will turn off the fallback next week.

Week 4: Enforce and Decommission Passwords Where Possible

Flip the Conditional Access policy from "passkeys preferred" to "passkeys required" for any account that has enrolled at least one passkey. For the handful of stragglers, do a one-to-one outreach. Do not leave the migration half-finished. A mixed environment where half the staff uses passkeys and half uses passwords inherits the weaknesses of both.

For any account with admin privileges, disable password authentication entirely and require hardware-key passkeys plus compliant device checks.
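The week-3 logging and the week-4 enforcement decision can be scripted rather than done by hand. The following is an added example, not a tool from this article, from Microsoft or from Google: it runs over constructed sign-in events and a constructed enrollment inventory in a simplified schema (assumed field names ts, user, role and method, not any identity provider's real export format) and sorts every account into the buckets this plan uses: ready to flip to "passkeys required", needs one-to-one outreach, or an admin or finance account that does not yet meet the hardware-key rule. It also flags accounts with a single passkey, since those are the lockouts waiting to happen once the password fallback is turned off.

```python
"""Week-3/week-4 passkey rollout audit over sign-in events and an enrollment inventory.
Added example; the log schema and all accounts below are constructed."""
import json
from collections import defaultdict

# Policy from the rollout plan: synced passkeys for staff, hardware-key passkeys (and no
# password) for admins and finance approvers, at least two authenticators per person.
PHISHING_RESISTANT = {"passkey_synced", "passkey_hardware"}
PRIVILEGED_ROLES = {"admin", "finance_approver"}

# Constructed sample sign-in events (newline-delimited JSON, simplified field names).
SIGNIN_LOG = """\
{"ts": "2026-03-02T08:01:00Z", "user": "alice", "role": "user", "method": "passkey_synced"}
{"ts": "2026-03-02T09:14:00Z", "user": "alice", "role": "user", "method": "password"}
{"ts": "2026-03-02T08:30:00Z", "user": "bob", "role": "user", "method": "password"}
{"ts": "2026-03-02T07:55:00Z", "user": "carol", "role": "admin", "method": "passkey_hardware"}
{"ts": "2026-03-02T10:00:00Z", "user": "dave", "role": "finance_approver", "method": "passkey_synced"}
{"ts": "2026-03-03T10:02:00Z", "user": "dave", "role": "finance_approver", "method": "password"}
not valid json, as happens in hand-edited exports
"""

# Constructed: authenticators enrolled per account, one list entry per authenticator.
ENROLLED = {
    "alice": ["password", "passkey_synced"],
    "bob": ["password"],
    "carol": ["passkey_hardware", "passkey_hardware"],   # primary key plus a backup key
    "dave": ["password", "passkey_synced"],
}

def parse_log(text):
    """Parse NDJSON sign-in events, skipping malformed or incomplete lines."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and {"ts", "user", "role", "method"}.issubset(ev):
            events.append(ev)
    return events

def audit(events, enrolled):
    """Return per-account status and findings for the week-4 enforcement decision."""
    used = defaultdict(set)     # user -> methods actually used to sign in
    roles = {}
    for ev in events:
        used[ev["user"]].add(ev["method"])
        roles[ev["user"]] = ev["role"]
    report = {}
    for user in sorted(set(enrolled) | set(used)):
        authns = enrolled.get(user, [])
        kinds = set(authns)
        passkeys = [a for a in authns if a in PHISHING_RESISTANT]
        findings = []
        if roles.get(user) in PRIVILEGED_ROLES:
            if "passkey_hardware" not in kinds:
                findings.append("privileged account has no hardware-key passkey")
            if "password" in kinds:
                findings.append("password still enabled on privileged account")
            if used[user] - {"passkey_hardware"}:
                findings.append("privileged account signed in with a non-hardware method")
            if len(passkeys) < 2:
                findings.append("only one passkey enrolled: lockout risk")
            status = "admin_ready" if not findings else "admin_noncompliant"
        elif passkeys:
            if "password" in used[user]:
                findings.append("still using password fallback despite an enrolled passkey")
            if len(passkeys) < 2:
                findings.append("only one passkey enrolled: lockout risk once password is off")
            status = "ready_to_enforce"
        else:
            findings.append("no passkey enrolled: schedule one-to-one outreach")
            status = "outreach"
        report[user] = {"status": status, "findings": findings, "used": sorted(used[user])}
    return report

def run():
    return audit(parse_log(SIGNIN_LOG), ENROLLED)

if __name__ == "__main__":
    for user, row in run().items():
        print(f"{user:8} {row['status']:18} {'; '.join(row['findings']) or 'no findings'}")
```

The two inputs are deliberately separate: the sign-in log tells you what people actually use, the enrollment inventory tells you what they could use, and the enforcement flip is safe only for accounts where the second set contains a passkey. In a real tenant both come from the identity provider's sign-in and registered-authenticator reports; only the field mapping changes.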

Common Gotchas We See in the Field

Shared accounts. Some small businesses have a "frontdesk@" or "operations@" account that multiple people use. Passkeys do not play well with shared accounts because each credential is bound to one person's device or personal cloud account. The right fix is to replace the shared account with individual accounts plus a shared mailbox or shared group, which is a better practice anyway.

Legacy line-of-business apps. Older on-prem apps and some medical or legal software do not support modern authentication at all. You have three options: put them behind single sign-on through Entra ID or a Secure Web Gateway, replace them with a modern alternative on your normal technology refresh cycle, or quarantine them behind a VPN with strict conditional access and audit logging. Do not leave them exposed with password-only sign-in.

BYOD iPhones syncing to personal Apple IDs. If your users enroll a passkey on a personal iPhone, that passkey syncs to iCloud Keychain under the user's personal Apple ID, which your IT team cannot manage. Use Intune or an MDM to scope corporate passkeys to managed Apple accounts, or require a hardware key for corporate credentials on BYOD devices.

Recovery loops. The most common support ticket during a passkey rollout is a user who lost their only authenticator. Your helpdesk needs a documented, identity-verified recovery path. We typically use a video call with a manager plus a hardware key reissue. Do not email a temporary password. That defeats the entire project.

What Passkeys Do Not Replace

Passkeys stop credential phishing, but they do not replace endpoint protection, patching, backups, or security awareness training. An employee with a passkey can still approve a fraudulent wire transfer, install malware, or click "allow" on a malicious OAuth consent prompt. Passkeys raise the floor. They do not raise the ceiling.

They also do not replace your disaster recovery or business continuity plan. Identity compromise is one of many paths to a breach, and a resilient business prepares for all of them.

How to Tell If You Are Ready

If you use Microsoft 365 Business Premium or Google Workspace Business Plus, your tenant already supports passkeys. If your employees use managed laptops with Windows Hello or Mac Touch ID, the hardware is already in their hands. If you have Conditional Access or Context-Aware Access configured, the policy plumbing is already there.

The only missing piece is usually a project owner and a 30-day plan. That is the part we do with our clients as part of our managed IT engagements.

Do passkeys work with Microsoft 365?

Yes. Microsoft Entra ID supports passkeys as a first-class authentication method, including device-bound hardware keys (FIDO2) and synced passkeys through the Microsoft Authenticator app. You can require phishing-resistant MFA for specific roles or applications through Conditional Access authentication strengths.

What happens if an employee loses their phone?

Your recovery process depends on how you enrolled them. If they registered a second authenticator (like a hardware key or a second device) at enrollment time, they sign in with the backup and re-enroll a new passkey on a replacement phone. If they did not, your helpdesk performs identity-verified account recovery, which typically involves a manager verification and a temporary authentication method issued through Entra ID or Google Admin.

Are passkeys required by any New Jersey compliance framework?

Not by name, but HIPAA, PCI DSS 4.0, the NYDFS Part 500 rules that many NJ financial firms follow, and the FTC Safeguards Rule all require phishing-resistant MFA for privileged access or broadly encourage it. Cyber insurance underwriters are increasingly explicit that phishing-resistant MFA is a prerequisite for coverage of privileged accounts.