Passkeys at Work in 2026: How to Actually Roll Them Out
Passkeys have crossed the mainstream tipping point. Here's how Saint Louis SMBs are rolling them out to their teams without breaking helpdesk.
Passkeys aren't new — but 2026 is the first year they've been genuinely practical for SMBs. Every major browser supports them. Microsoft Entra ID, Google Workspace, Okta, and 1Password all sync them. And cyber insurance carriers are starting to reward phishing-resistant MFA with lower premiums. Here's how we're rolling them out.
Why bother when you already have MFA?
Because push-based MFA is being defeated in the wild. Attackers grab session tokens with adversary-in-the-middle phishing kits, spam users with MFA prompts until someone taps "approve," or SIM-swap the SMS fallback nobody remembered to turn off. Passkeys — real FIDO2 credentials bound to the origin — don't fall to any of those. That's why NIST, CISA, and every major insurer now put them at the top of the authentication pyramid.
What to roll out first
- Every privileged account. Domain admins, Entra global admins, tenant billing owners, break-glass accounts (paired with hardware keys). Non-negotiable.
- Finance and executives. The people attackers target for wire fraud and email compromise get passkeys before anyone else.
- General workforce, opt-in then required. Start voluntary, publish clear help docs, then set a cutover date and enforce with conditional access.
The rollout checklist we use
- Inventory devices first. iOS 17+, Android 14+, Windows 11, macOS 14+ all handle passkeys natively. Older hardware needs a hardware security key.
- Buy hardware keys for edge cases. YubiKey 5 series or equivalent — two per privileged user (one primary, one backup in a safe).
- Enable passkey registration in your IdP. In Entra, that's the FIDO2 security key and passkey authentication methods, with conditional access requiring phishing-resistant MFA for the admin roles you defined.
- Disable weaker methods after cutover. SMS off. Voice call off. Push MFA restricted to lower-risk applications. Otherwise attackers just downgrade the challenge.
- Document the recovery flow. How does a user who lost their phone and their hardware key get back in? Practice this before you need it.
What breaks (and how we handle it)
- Users share devices → each user needs their own passkey, or you use hardware keys.
- Cross-device sign-in from a shared kiosk → QR-code passkey flow works, but train the helpdesk on it.
- Line-of-business apps still on legacy auth → put them behind a modern SSO front-end or replace them.
Passkeys aren't a project you do "later." They're the single highest-impact security change most SMBs can make this year. If you want help scoping the rollout for your team, let's talk.