Passkeys, Passwordless, and the End of Excuses: Why This Time It's Actually a Good Thing
It’s finally happening. After years of half-baked password policies, ridiculous complexity rules, and every lazy MSP clinging to SMS-based MFA like it’s the last life raft on the Titanic, we are finally staring down the barrel of the passwordless revolution. And guess what? It's not some marketing stunt. This time, it’s the real deal.
Microsoft, Apple, Google (the three tech giants who can barely agree on what day it is) are now standing shoulder to shoulder, pushing passkeys and open standards like they've suddenly remembered what collective responsibility looks like. And frankly? It’s about bloody time.
Microsoft: Leading the Charge (Yes, Really)
Let’s start with the elephant in the server room: Microsoft. You might think Microsoft would try to pull the old lock-in trick, shoving some proprietary passwordless nonsense down everyone's throat. But no, they’ve actually gone all in on FIDO2 and open standards. I know, I had to double-check too.
As of 2025, new Microsoft accounts are passwordless by default. You don’t even get to set a password when you create one. You get passkeys, one-time codes, or MFA. That's it. No more stupid "Password123!" rubbish. And for existing accounts? Microsoft is giving you every opportunity to delete your password entirely.
They’re retiring password autofill from the Microsoft Authenticator app by August 2025. Not optional. Gone. The Authenticator will be for passkeys and MFA only. If you’re using it to store passwords? Tough. Move them to a proper password manager or Microsoft's Edge browser, because the app is cleaning house.
And it's not just a consumer play. Microsoft is cranking up the pressure on Azure admins too. Starting in 2024, they began enforcing mandatory MFA for all admin sign-ins, and by 2025 this spreads to CLI tools. If you’re still relying on passwords to get into your Azure environment? Yeah, you’re going to find yourself locked out sooner rather than later.
Microsoft’s push isn’t just about compliance theatre either. It’s measurable. Users with passkeys are successfully logging in 98% of the time, compared to just 32% with passwords. And they’re doing it eight times faster. Oh, and Microsoft is now fending off 7,000 password attacks per second. Per second. Think about that the next time you hear someone say “passwords are still good enough.”
This is Microsoft’s line in the sand. Passkeys or get left behind.
Apple: Seamless and Actually Works
While Microsoft is bulldozing the road, Apple has been quietly paving it with gold. Apple integrated passkeys into iOS 16 and macOS Ventura back in 2022. And if you’re in the Apple ecosystem, using a passkey is now as frictionless as unlocking your phone.
Your passkeys sync across your iPhone, iPad, and Mac using iCloud Keychain, encrypted so tightly even Apple can’t read them. You log in with Face ID, Touch ID, or your device PIN, and the cryptographic handshake happens invisibly behind the scenes. No more fumbling with passwords or security questions about your first pet.
But here’s the kicker: Apple made sure passkeys work across platforms. Logging in on a Windows PC? Scan a QR code with your iPhone and authenticate over Bluetooth. Done. You’re not trapped in the Apple walled garden. Apple, Google, and Microsoft jointly committed to this interoperability through the FIDO Alliance back in 2022, and they’ve actually delivered.
Apple’s also made it dead easy for app developers to ditch passwords. They introduced an API that lets apps offer passkeys as the default login option from day one. No more password set-up screens. And now with Automatic Passkey Upgrade, if you sign in with a password, iOS will silently create a passkey behind the scenes. That’s slick, and it’s a nudge in the right direction whether users realise it or not.
Apple hasn’t yet forced passkeys for Apple IDs, but you can feel it coming. They're walking us there with velvet gloves while Microsoft is shoving us through the door.
Google: Quietly Winning the Game
Google, of course, is playing the long game. In 2023, they made passkeys available for all Google accounts. By the end of that year, passkeys became the default sign-in method.
When Google sets a default, the world tends to follow. And why not? Google’s stats show passkey logins are 40% faster than password logins, and passkey users are four times more likely to successfully sign in without giving up in frustration. That’s not just security; that’s improved customer experience.
Google’s real power move? They’ve made passkeys sync across platforms using Google Password Manager, not just within Android. If you save a passkey on your Android phone, it syncs to your Chrome browser on Windows, Mac, iOS, and more. You’re not pinned to a single device.
And yes, Google’s also quietly retiring SMS-based 2FA. It’s being phased out because SMS is about as secure as writing your password on the back of a soggy beer mat.
They’ve brought passkeys to Google Workspace too, so enterprises can roll this out to employees. No more excuses about legacy systems and admin portals clinging to passwords.
Google’s approach is softly, softly: set the defaults, make it easy, and the users will move. And so far? They are.
FIDO Alliance: Finally, an Industry Club That Works
Normally when you hear about an industry alliance, it’s just a smoke-filled room where vendors agree to delay progress until next year. But the FIDO Alliance has actually delivered.
They’ve spent the last decade building the technical backbone for this passwordless world: WebAuthn, CTAP2, cross-device passkeys. And they forced Apple, Google, and Microsoft to play nice together. No proprietary lock-ins, no exclusive club. Just open standards that work everywhere.
Thanks to FIDO, I can use my iPhone to log into a Windows PC. I can use Google Password Manager to sync passkeys across an iPhone and a Windows laptop. This isn’t marketing guff, it actually works.
The FIDO Alliance even replaced World Password Day with World Passkey Day in 2025. That’s not just rebranding, that’s the industry saying, "Passwords are dead. Move on."
Real-World Proof: This Isn't Just Hype
This isn’t theory. Real companies are already seeing real benefits.
TikTok hit 97% login success rates with passkeys. Google saw sign-in completions jump fourfold. eBay dropped account takeovers by 93%.
Microsoft has a million passkeys registered every day. And the UK government? They’re rolling out passkeys across gov.uk services and NHS logins, with expected savings of millions per year by dumping SMS codes and reducing fraud.
Even the NCSC, those sensible, straight-faced security folk, are pushing hard. They’ve flat out said passkeys are the future and are strongly advising UK organisations to implement them wherever possible.
But Passwords Won't Die Quietly
Of course, some people will cling to passwords like a toddler with a broken toy.
Legacy systems aren’t going to vanish overnight. There will be some stubborn holdouts who insist on using the same password they’ve had since 2008 because "I can remember it."
And account recovery is still a tricky beast. If you lose all your devices with passkeys, we’re still working out the best, secure ways to get you back in.
But the excuses are evaporating. The big three are aligned. The standards are mature. The real-world deployments are working. There’s simply no reason for new systems to build for passwords anymore.
The UK: Leading by Example (Seriously)
Shockingly, the UK is actually ahead of the curve. The Cabinet Office has committed to rolling out passkey logins across major government services by the end of 2025. The NHS is already on board.
The NCSC is not mincing words. They’re telling organisations to ditch passwords and get on with it. They’re backing passkeys not just as a nice-to-have but as basic cyber hygiene.
For SMBs, this is your wake-up call. You don’t have to wait for the government to make this law. You can start now. Passkeys are supported in all modern browsers. They work with all current phones and laptops. There are no expensive licensing traps. The ecosystem is ready. Are you?
So, Where Does This Leave You?
If your IT provider is still banging on about complex password policies and ignoring passkeys, it’s time to question whether they’re actually protecting your business or just coasting.
If your MFA relies on SMS, you’re skating on thin ice. And if you’re still using the same password across multiple accounts? Well, frankly, you’re a walking GDPR violation.
Microsoft, Apple, and Google have done their bit. They’ve built the tools. They’ve made them free. They’ve made them interoperable.
The industry isn’t asking you to pay extra. They’re asking you to stop being lazy.
Passwords have been the open sewer of cybersecurity for decades. Passkeys don’t just cover the smell, they dig up the pipe and replace it.
So the question isn’t "when" this change is coming. It’s already here.
The question is: are you going to keep dragging your feet, or are you finally going to pull up a chair and join the grown-ups?
Smoke, meet exit.
| Source | Details |
|---|---|
| Microsoft Security Blog | Pushing passkeys forward: Microsoft’s latest updates |
| Microsoft Security Blog | Microsoft introduces passkeys for consumer accounts |
| Microsoft TechCommunity | Update on MFA requirements for Azure sign-in |
| Samuraj-CZ Tech Blog | Passkeys in Microsoft Authenticator (Entra ID) |
| Tech Monitor | Microsoft to phase out Authenticator autofill by August 2025 |
| eMarketer Brief | Microsoft embraces a passwordless future with passkeys by default |
| Google Keyword Blog | Passwordless by default: Make the switch to passkeys |
| FIDO Alliance | Reducing Reliance on Passwords / Passkeys Benefits |
| Corbado Blog | Passkey Revolution: Google Syncs Passkeys to Apple & Windows |
| Apple Newsroom | Apple, Google, and Microsoft commit to expanded FIDO passwordless standard |
| Computer Weekly | UK government websites to replace passwords with passkeys |
| NCSC UK | Passkeys: they’re not perfect but they’re getting better |