What Passkeys do
Passkeys fundamentally change how users authenticate. Unlike traditional multi-factor authentication (MFA), which often relies on SMS codes or authenticator apps built on a shared secret, passkeys use asymmetric cryptographic keys. The private key is stored securely on a user’s device, such as a smartphone or laptop, or within a password manager, and never leaves it. Authentication proves possession of that private key, usually gated by a local biometric check such as a fingerprint scan or a PIN, which creates a much stronger and phishing-resistant authentication factor. Because no password is entered or transmitted, the risk associated with password compromise is removed.
Passkeys in Australian tenants today
Australian organisations deploying Microsoft 365 should consider passkeys a key component of their security posture, aligning with the ACSC Essential Eight and OAIC guidance. Currently, passkey support is available through Microsoft Authenticator, iCloud Keychain, Google Password Manager, and Windows Hello. A phased rollout is recommended, starting with pilot groups to assess user experience and compatibility. Prioritise users with high-risk access profiles, and provide comprehensive user training to minimise disruption and maximise adoption. Throughout, keep the APRA CPS 234 and CPS 230 requirements for data security in mind.