TL;DR: Passkeys reduce phishing exposure by keeping the private key on the device and using public-key cryptography, while passwords remain vulnerable to reuse, brute force, and user fatigue; Microsoft’s identity data cited in the article says password-based attacks account for over 99% of daily identity attacks. The real decision is not a swap of credentials, but how authentication fits lifecycle, PKI, SSO, and compliance without widening operational blind spots.
NHIMG editorial — based on content published by GlobalSign: Passkeys and passwords: what businesses need to know
By the numbers:
- Password-based attacks over 99% of daily identity attacks, according to Microsoft.
- 75% of US consumers would stop buying from a brand after a cyber incident, according to a current study cited in the article.
Questions worth separating out
Q: How should security teams roll out passkeys without breaking identity operations?
A: Start with applications that already support modern federation and have clear recovery workflows, then expand by risk tier.
Q: Why do passkeys reduce phishing risk more effectively than passwords?
A: Passkeys keep the private key on the device and never send the secret across the network, so attackers cannot steal a reusable credential from a fake login page.
Q: What do organisations get wrong when they treat passkeys as a complete security fix?
A: They often focus on login hardening and ignore account recovery, offboarding, and third-party access.
Practitioner guidance
- Map passkey readiness across applications and recovery flows Inventory which business applications support passkeys, which still require passwords, and where account recovery depends on help desk intervention or manual resets.
- Redesign enrolment and offboarding for device-bound credentials Define how new devices are trusted, how lost devices are handled, and how passkeys are revoked when a user leaves or a device is compromised.
- Align passkeys with PKI and federation controls Check that passkey adoption does not bypass certificate governance, SSO policy, or audit logging.
What's in the full article
GlobalSign's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step comparison of password and passkey authentication flows across real enterprise use cases.
- Practical guidance on deciding where passkeys fit alongside SSO, PKI, and certificate-based authentication.
- Questions to use when planning migration timelines, user readiness, and support impact.
- Compliance considerations for regulated environments that must balance usability with stronger identity assurance.
👉 Read GlobalSign's analysis of passkeys versus passwords for enterprise authentication →
Passkeys vs passwords: where identity teams need to adapt now?
Explore further
Passwords are now a governance liability, not just a user inconvenience. The article correctly frames passwords as vulnerable to reuse, phishing, and predictable human behaviour. That matters because the control failure is not only technical weakness but the dependence on users to safely manage shared secrets at scale. For practitioners, the conclusion is that password-heavy programmes are increasingly expensive to defend and harder to justify in high-risk environments.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
A question worth separating out:
Q: Should organisations replace passwords everywhere with passkeys immediately?
A: Not necessarily. The right approach depends on application support, user population, device coverage, and recovery maturity. Organisations should replace passwords first where phishing exposure and operational overhead are highest, then keep passwords only where the business still needs a fallback path and can govern it tightly.
👉 Read our full editorial: Passkeys and passwords: what changes for enterprise identity security