March 27, 2025

SMBs—Is It Time to Start Moving from Passwords to Passkeys?

The rise of AI-powered fraud is making phishing attacks and other credential-based social engineering threats more personalized, convincing, and difficult for users to detect than ever before. Passkeys are a true password replacement technology that minimizes phishing risk, eliminates password management effort, and is easier and more convenient for users than conventional multifactor authentication (MFA).

So, what’s not to like about phishing-resistant passkey logins for SMBs? Is now the time to start adopting passkeys? What are the SMB use cases for passkeys, and what are the benefits of and barriers to adoption?

Passkey benefits for SMBs

As a newer and better way to authenticate users, passkeys offer SMBs benefits that include:

  • Reduced sign-on time with higher sign-on success rates.
  • Overall productivity improvement.
  • Positive impact on digital transformation goals, including reduced use of legacy (and often less secure) authentication methods.
  • A safer online experience with reduced risk to personal and business data.
  • Reduced costs for cybersecurity monitoring, for password resets and other account management tasks, and for the extra controls needed to bolster password authentication.
  • Potential for improved regulatory compliance, especially where there is pressure to adopt more secure authentication mechanisms (e.g., to secure affordable cyber liability insurance).
  • Peace of mind and greater stakeholder trust knowing the organization is prioritizing cybersecurity and privacy enhancements.

For SaaS providers, retailers, and other SMBs that offer B2C or B2B products and/or services, the business benefits of offering passkey authentication to customers can further include:

  • A better customer experience leading to higher conversions, more repeat purchases, and improved customer retention/loyalty.
  • A reduced cyber attack surface with lower risk from credential misuse.
  • Reduced customer support requirements, especially around account recovery.
  • Reduced cart abandonment rate for sellers.

How ready are most SMBs to adopt passkeys?

Research from the FIDO Alliance indicates that most SMBs are aware of how passkeys can help them with cybersecurity and operations. Many are beginning to implement passkeys for workforce sign-ons—especially for users with access to sensitive data.

SMBs that don’t currently have active passkey projects report hurdles such as implementation complexity, cost, and a lack of clarity and direction. Specialized developer skills may also be lacking in-house, and the need for user education can be significant.

Do we need passkeys if we have MFA?

Passkeys are a type of MFA because they require multiple forms of authentication. One of these is always a private cryptographic key, generated by the passkey protocol and held on the user’s device. The other can be:

  • A biometric check, such as a facial scan, fingerprint, or voice recognition, associated with a smartphone or other specific device.
  • The numeric PIN used to unlock a specific device.
  • A hardware security key, e.g., a YubiKey.

Unlike password-based MFA systems, passkeys combine the authentication factors into a single smooth step, improving security without adding verification steps for the user. Passkeys fit well into a multi-layered, zero-trust cybersecurity approach because they provide robust, “continuous” identity verification for each service being accessed.

Conventional MFA is much more secure than password authentication alone and can significantly reduce an SMB’s authentication-related risk. But passkeys are more secure still, as well as easier and quicker for users.

SMBs that already have MFA in place for critical systems can consider transitioning to passkeys as part of their MFA upgrade cycle. SMBs still working on MFA could find passkeys a faster, easier and more cost-effective next step beyond passwords.

How can SMBs start rolling out passkeys?

Because passkeys are still an emerging technology, rolling them out can initially seem intimidating. But with more service providers building passkey support into their platforms, many SMBs can get started with third-party systems first (e.g., Microsoft 365) and then implement passkeys on proprietary/in-house systems as they gain experience.

Tips for SMBs to get started with passkeys include: 

  • Prioritize where passkeys can yield “quick wins” that most significantly improve cybersecurity and user experience among your business systems. These could include higher-risk SaaS offerings like email, CRM, and online payment gateways. Employee portals, B2B webstores, and other in-house systems can also present high risk from credential fraud that passkeys can quickly lessen.
  • Leverage third-party platforms that are already passkey compatible, like within the Google, Microsoft, and Apple ecosystems. Third-party integrations that offer passkey authentication are also available. 
  • Start building a “passkey culture” by training employees on how passkeys work and how to use them, including how they rely on biometric data or device-specific hardware. Articulating best practices for device management and “passkey resets” is an important early step.
  • If you give your customers the option to deploy passkeys for their user logins, be sure to highlight the cybersecurity and usability benefits. You will probably also need to offer support to help customers get comfortable with passkeys. 

What are passkey implementation considerations?

Passkeys are built on public key cryptography, so the secret element of the credential is never shared with the associated service, and no secrets are transmitted between the user’s device and the server. 

An authenticator, such as a mobile phone or one of the many password managers that now support passkeys, generates a public and private cryptographic key pair for each account you create. The public key is stored by the account site and the private key stays in the authenticator itself. When you log in to a passkey-enabled account, your authenticator and the service authenticate you without exchanging any reusable secret that an attacker could capture.
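To make the register-then-log-in flow above concrete, here is an added Go example; it is not code from the original article, nor 1Password’s or the FIDO Alliance’s implementation. It models an authenticator that generates a key pair, a relying party (the service) that stores only the public key, and a login in which the service issues a random challenge, the authenticator signs it bound to the requesting origin, and the service verifies the signature. The origin string, the single enrolled user, and the way challenge and origin are hashed before signing are assumptions chosen for illustration; real passkeys use the WebAuthn/FIDO2 encodings and let the browser enforce the origin check.

```go
// Added example, not code from the original post: a simplified WebAuthn-style
// passkey flow. The service keeps only a public key; the private key never
// leaves the authenticator. Origins and the signed layout are assumptions.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator (phone, security key or password manager): one private key per
// relying-party origin. Nothing stored here is ever transmitted.
type Authenticator map[string]*ecdsa.PrivateKey

// RelyingParty (the service) holds the user's public key and the challenge for
// the login in progress. Here the RP ID doubles as the expected origin.
type RelyingParty struct {
	ID        string
	pubKey    *ecdsa.PublicKey
	challenge []byte
}

// signed is the message both sides hash: the challenge bound to the origin.
func signed(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

// Register creates a P-256 key pair for this RP and hands over only the public half.
func (a Authenticator) Register(rp *RelyingParty) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a[rp.ID] = priv
	rp.pubKey = &priv.PublicKey
	return nil
}

// BeginLogin issues a fresh random challenge so a captured assertion cannot be replayed.
func (rp *RelyingParty) BeginLogin() ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.challenge = ch
	return ch, nil
}

// Assert signs the challenge bound to the origin that is asking. A key exists only
// for the origin the passkey was created on, so a look-alike site obtains no usable
// signature: that is where the phishing resistance comes from.
func (a Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a[origin]
	if !ok {
		return nil, errors.New("no passkey registered for this origin")
	}
	return ecdsa.SignASN1(rand.Reader, priv, signed(origin, challenge))
}

// FinishLogin verifies the assertion with the stored public key. Only the origin
// string and the signature crossed the wire, and neither can be reused.
func (rp *RelyingParty) FinishLogin(origin string, sig []byte) error {
	if rp.pubKey == nil || rp.challenge == nil {
		return errors.New("no enrolled passkey or no login in progress")
	}
	challenge := rp.challenge
	rp.challenge = nil // single use: a replayed signature has no challenge to match
	if origin != rp.ID {
		return errors.New("origin mismatch")
	}
	if !ecdsa.VerifyASN1(rp.pubKey, signed(origin, challenge), sig) {
		return errors.New("invalid signature")
	}
	return nil
}

// RunDemo enrolls a passkey at a constructed origin and logs in once; nil means success.
func RunDemo() error {
	rp, auth := &RelyingParty{ID: "https://login.example.com"}, Authenticator{}
	if err := auth.Register(rp); err != nil {
		return err
	}
	ch, err := rp.BeginLogin()
	if err != nil {
		return err
	}
	sig, err := auth.Assert(rp.ID, ch)
	if err != nil {
		return err
	}
	return rp.FinishLogin(rp.ID, sig)
}

func main() {
	fmt.Println("passkey login error:", RunDemo()) // <nil> means success
}
```

Two properties of the flow are worth pointing out to stakeholders. First, the relying party’s database holds nothing that would let an attacker log in as the user, so a breach of the service leaks no reusable credential. Second, because the authenticator signs the requesting origin and only holds keys for origins where the passkey was created, a signature cannot be harvested by a look-alike site, and the single-use challenge means a captured signature cannot be replayed.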

You can either tie passkeys to a single device or sync them between devices. Physical hardware keys, such as a YubiKey, are convenient for device-bound passkeys. Synced passkeys are most easily managed within a supported password manager, which makes it simple to create passkeys on any of your devices that support the password manager.

Passkeys are inevitable.

Another passkey consideration for SMBs is simply that passkeys are here to stay as the new standard for secure and convenient user authentication. They have already rendered passwords obsolete and will eventually replace most of yours. So why continue using passwords and accepting all the risks and hassles they present? By moving forward with passkeys now, SMBs can gain a competitive edge, build stakeholder trust, and nullify some of the most prevalent and dangerous cyberattack vectors.

What’s next?

For more guidance on this topic, listen to Episode 149 of The Virtual CISO Podcast with guest Anna Pobletts, Head of Passwordless at 1Password.