Passkeys: The Future of Access Control, or Just Another Risk?

September 23, 2025 · 5 min read



Passwords have been the weak link in digital security for decades. They get reused, guessed, phished, and stolen. That’s why the security industry has long looked for alternatives. Today, passkeys are being touted as the future. Apple, Google, Microsoft and major password managers are all rolling them out. But are passkeys as secure as they sound, and what should SMEs be thinking about before making the switch?

What Are Passkeys, Really?

Think of passkeys as a digital keyring. Instead of remembering dozens of passwords, your device holds a unique key pair for each service you use: the public half is registered with the site, the private half stays on the device. When you log in, the site sends a one-time challenge and your device signs it, so the site can check that your key fits the lock while the key itself never leaves your device.

This idea isn’t new. IT teams have used the same public-key approach for decades to secure servers and networks, SSH keys and client certificates being the familiar examples. What’s new is that companies like Apple, Google, and Microsoft are now making this technology simple enough for everyday use. Passkeys turn a proven security approach into something practical for anyone logging in to apps, websites, or cloud systems.

Why They’re a Big Improvement

Passkeys fix some of the major problems with passwords:

  • The secret never leaves your device: Instead of sending a password over the internet, your device proves it holds the right key by signing a one-time challenge from the site, and that signature also covers the site’s web origin. Nothing reusable is handed over: a captured signature cannot be replayed, and a lookalike domain is never matched against the real site’s key, so attackers can’t harvest a passkey login the way they capture stolen passwords. 

  • Stored in secure hardware: On devices that have it, the private key is kept in a protected area of your phone or computer (such as a secure enclave or trusted module) and is encrypted at rest; a PIN or biometric unlocks its use. 

  • Stronger by design: Keys are long, random, and generated by the device, so they can’t be guessed, reused across sites, or weakened by human habits. 

For SMEs, this means far less risk of stolen credentials, fewer password resets, and a sharp reduction in phishing attacks that rely on tricking staff into revealing login details.

The Catch: Synchronisation

Here’s where things get tricky. Most people don’t just use one device. They log in from their phone, laptop, office desktop, and sometimes a tablet. To make passkeys practical, the big players such as Apple, Google, Microsoft, and the major password managers synchronise your private keys across devices. 

On paper, this sync is end-to-end encrypted. The keys are generated securely, stored in hardware where possible, and encrypted before being copied to another device. In theory, no one, not even Apple or Google, can see them. 

So why does it still feel uncomfortable?

The Trust Question

One of the long-standing principles of secure systems is that private keys should never leave the device where they were created. Hardware security keys still follow that rule (the FIDO Alliance calls these device-bound passkeys), but the synced passkeys that Apple, Google, and Microsoft offer by default bend it by allowing copies to be synchronised across devices, even though those copies are protected with strong encryption.

For those who worked in IT security in the 1990s, this feels instinctively risky. The old rule was simple: never let the private key leave the machine. Watching keys being duplicated, even with layers of protection, triggers the concern that every extra copy is another potential way in.

This raises the issue of trust. Businesses must place confidence in Apple, Google, Microsoft, and password manager providers to handle the process correctly, to keep encryption strong, and to avoid design flaws. Most of the time that trust is justified, but experience shows that no system is completely immune to failure.

Practical Considerations for SMEs 

So, should your business adopt passkeys? The answer is probably yes, but with eyes open. 

  • Check your ecosystem: If your company relies heavily on Apple or Google devices, passkeys will integrate smoothly. In mixed environments, test carefully before rollout. 

  • Don’t treat passkeys as the whole answer: A passkey already combines something you have (the device) with a PIN or biometric to unlock it, so it is a form of MFA in its own right. Layered defences still matter: device management, access policies that check the device’s health, and conventional MFA on any system that can’t yet use passkeys. 

  • Think about account recovery: Imagine an employee who loses both their work phone and laptop on a business trip. Without a clear recovery process, they may be completely locked out of company systems until IT intervenes. Have a plan in place for these “all devices lost” moments, and remember that the recovery path is itself a way in: if it falls back to an e-mailed link or a helpdesk call, that is the weak point an attacker will aim for. Registering a second, independent credential per user, such as a hardware security key kept in the office, is the usual safeguard. 

  • Vendor lock-in: Synced passkeys live in one credential provider’s cloud, whether that is iCloud Keychain, Google Password Manager, Microsoft’s, or a third-party password manager. If your business ever decides to move from Apple devices to Windows, for example, those passkeys may not transfer smoothly, and in many cases staff will simply have to re-register with each service. A cross-platform password manager reduces this risk, and the FIDO Alliance is working on a standard for exchanging credentials between providers, but plan ahead so that a change of ecosystem doesn’t leave you stuck. 

  • Shared accounts: Passkeys are tied to individuals, not groups. If your business still relies on shared logins, you’ll need to rethink how those accounts are managed. 

  • Compliance and audit: Some industries require tracking who accessed systems and when. Make sure your chosen passkey solution provides the right level of logging and reporting.

So, Are Passkeys Secure? 

On balance, yes. Passkeys are a huge step forward compared to passwords. The cryptography is proven, and adoption by Apple, Google, Microsoft, and others makes them practical for everyday use. 

That said, anyone who has worked with similar security technologies over the years may feel a lingering unease. The long-standing principle of “never let the private key leave the machine” is being bent in ways that feel uncomfortable. Even with end-to-end encryption, every additional copy of a key is another place where something could go wrong.

For SMEs, the key point is that passkeys are more secure than passwords, but they are not a silver bullet. No single measure eliminates all risk. A layered defence still matters. Passkeys should be used alongside strong device management, access policies that check the device, conventional MFA where passkeys aren’t yet supported, and clear recovery processes. That way, even if one layer is bypassed, others remain in place to protect the business.

Next Steps for Your Business 

If you’re curious about passkeys but unsure how they fit your business, it’s worth having a conversation. At Heimdall Infosec, we specialise in helping SMEs understand new technologies and turn them into practical, cost-effective security improvements.

Contact us for a no-obligation discussion on how passkeys and other modern security tools can work for your organisation. Together, we’ll make sure you’re protected without overcomplicating your IT.
