Goodbye Passwords: A 10-Minute, 2-User Passkey Pilot (Microsoft 365 & Google Workspace)

Run a 10-minute, 2-user passkey pilot for Microsoft 365 or Google Workspace—enable, enroll, test sign-ins, and ship with a simple recovery plan.

 

TL;DR: 

Passkeys let people sign in with a fingerprint/face or device PIN, no passwords, and far less phishing risk. In 10 minutes, you can pilot with two users in Finance/Payroll: turn on passkeys for a small group, have each user add a passkey on their device, then test day-one sign-ins. We include exact admin steps and a simple recovery plan. (Bonus: they’re built into Microsoft Entra ID and Google Workspace.) 

 


Why passkeys? (in plain English)

 

Passkeys replace passwords with cryptographic keys stored on a user’s device (computer/phone or a hardware key). They’re phishing-resistant, quick, and can be either synced across a user’s devices (via iCloud/Google/Microsoft managers) or device-bound (stays on one device or security key). 
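To show why a passkey sign-in resists phishing, here is an added example (not from the original article or from Microsoft/Google code) of the checks a sign-in service runs on a passkey (WebAuthn) assertion before verifying its signature. The domain names, challenge and helper names are constructed for illustration. Signature verification against the registered public key is omitted because it needs a cryptography library.

```python
import base64
import hashlib
import json
import struct

# Constructed values for illustration; not taken from the article.
RP_ID = "login.example.test"
EXPECTED_ORIGIN = "https://login.example.test"
UP, UV = 0x01, 0x04  # authenticator-data flag bits: user present, user verified


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_assertion(origin, rp_id, challenge, user_verified=True):
    """Constructed sample of what the browser and authenticator send back."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    flags = UP | (UV if user_verified else 0)
    # authenticator data = SHA-256(rpId) || flags || 4-byte signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 1)
    return client_data, auth_data


def check_assertion(client_data, auth_data, challenge):
    """Return the names of failed checks; an empty list means all passed."""
    cd = json.loads(client_data)
    flags = auth_data[32]
    checks = [
        ("type", cd.get("type") == "webauthn.get"),
        ("challenge", cd.get("challenge") == b64url(challenge)),   # blocks replay
        ("origin", cd.get("origin") == EXPECTED_ORIGIN),           # set by the browser
        ("rp_id_hash", auth_data[:32] == hashlib.sha256(RP_ID.encode()).digest()),
        ("user_present", bool(flags & UP)),
        ("user_verified", bool(flags & UV)),                       # biometric/PIN unlock
    ]
    return [name for name, ok in checks if not ok]


if __name__ == "__main__":
    chal = b"\x01" * 32  # constructed challenge; a real server uses random bytes
    print(check_assertion(*make_assertion(EXPECTED_ORIGIN, RP_ID, chal), chal))
    lookalike = make_assertion("https://login.example-test.invalid", "login.example-test.invalid", chal)
    print(check_assertion(*lookalike, chal))
```

The browser, not the user, fills in the origin, so a sign-in started on a look-alike domain fails the origin and RP ID checks even if the user is fooled.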

 

Great first use case: Finance/Payroll logins (highest risk, frequent sign-ins). Start small, learn, then expand.

 


What you need (5 checks)

 

  • Microsoft 365 (Entra ID) or Google Workspace admin access.
  • Modern devices/browsers with screen lock enabled (Windows Hello, Touch ID, Face ID, Android screen lock all work). 
  • Two pilot users (Finance/Payroll).
  • One “break-glass” admin account excluded from new policies.
  • A recovery method (see plan below).

 


The 10-Minute Pilot Plan (2 users)

 

Option A — Microsoft 365 (Entra ID)

 

1) Enable passkeys for a small pilot group

  • In the Entra admin center, go to Protection → Authentication methods → Policies.
  • Enable Passkeys (FIDO2/device-bound) and/or Passkeys in Microsoft Authenticator.
  • Target: your Finance/Payroll pilot group only. Save.

2) (Recommended) Prep Temporary Access Pass (TAP) for onboarding/recovery

  • Authentication methods → Temporary Access Pass: Enable for the pilot group. You can issue a short-lived TAP if a user can’t complete setup. 

3) Users add a passkey (takes ~1 minute)

  • Each pilot user goes to aka.ms/mysecurityinfo → Add sign-in method → Passkey (or Security key) and follows prompts (Windows Hello, security key, or Authenticator passkey). 

4) Test sign-in flows

  • Have each user sign out of M365 in Edge/Chrome, then sign back in and choose Use a passkey. Confirm they can access Outlook/SharePoint without a password.

 

Tip: If you want to enforce passkeys only on Finance/Payroll apps, use Conditional Access → Authentication strengths and require phishing-resistant methods for those apps. 

 


Option B — Google Workspace

 

1) Allow “Skip passwords” for a small pilot OU/group

  • In the Admin console, go to Security → Authentication → Passwordless.
  • Turn on Allow users to skip passwords at sign-in for the pilot OU/group only.

2) Users add a passkey

  • Each pilot user goes to g.co/passkeys (or myaccount.google.com → Passkeys) and clicks Create a passkey; they’ll use fingerprint/face/PIN or a hardware key.

3) Test sign-in flows

  • Have each user sign out and back into Gmail/Drive. At the prompt, choose Use a passkey instead to confirm passwordless sign-in. 

 


What to expect on Day One

 

  • Users will be asked for their device biometric/PIN (that unlocks the local passkey; biometrics aren’t shared with Microsoft/Google). 
  • Sign-in is fast (no SMS codes).
  • If you enable synced passkeys, the credential may also work on a user’s other signed-in devices; for stricter controls, prefer device-bound (e.g., security key or platform passkey bound to that device). 

 


Simple Recovery Plan (don’t skip this)

 

  • Microsoft: Keep TAP enabled for the pilot group so admins can issue a time-limited code if a user loses a device. Exclude a break-glass admin from new requirements. 
  • Google: Leave backup options available during pilot. Admins can generate backup verification codes for a user who’s temporarily locked out; you can still require phishing-resistant methods after the pilot. 

 


Synced vs Device-Bound (which should Finance use?)

 

  • Synced passkeys (e.g., managed by Google Password Manager / iCloud / Microsoft) are easy to recover across devices.
  • Device-bound passkeys (including hardware security keys) stay on one device; they are best for sensitive roles where you don’t want credentials syncing. Many orgs choose device-bound for Finance/Payroll.

 


Expand after a week

 

  • Roll to HR and Leadership next; add Conditional Access/Auth Strengths (Microsoft) or 2-Step/Passkey policies (Google) for high-risk apps first. 
  • Track: enrollment success percentage, help-desk tickets, fallback usage, and sign-in time saved.

 


FAQs

 

Do passkeys replace MFA?

Passkeys are phishing-resistant and already combine “something you have” (device) and “something you are/know” (biometric/PIN). Many orgs treat them as their strongest factor and use policies to require them for sensitive apps.

 

Will they work on our mix of Windows, macOS, iOS, Android?

Yes, modern OS/browsers support passkeys. Users add a passkey on each device or use a hardware key.

 

Where do users create Google passkeys?

At g.co/passkeys or myaccount.google.com → Passkeys.

 

How do Microsoft users register?

At aka.ms/mysecurityinfo (look for Passkey / Security key).

 

What if a user loses their phone/security key?

Use TAP (Microsoft) or backup verification codes (Google) to get them back in, then add a new passkey.

 


Copy-Paste: Pilot Checklist

 

Before

  •  Create a pilot group/OU with 2 Finance users
  •  Enable Passkeys for that group (Entra or Workspace)
  •  Enable TAP (Microsoft) or ensure Backup codes (Google) are available
  •  Exclude break-glass admin account

 

During

  •  Each user adds a passkey (aka.ms/mysecurityinfo or g.co/passkeys)
  •  Test sign-in to Outlook/SharePoint or Gmail/Drive with Use a passkey
  •  Record any issues

 

After (Week 1)

  •  Review help-desk tickets/fallbacks
  •  Decide synced vs device-bound for Finance long-term
  •  Expand to HR/Leadership; apply app-specific enforcement

 


Need help?

 

Stamm Tech can set this up (and hand you a 1-page rollout + recovery playbook you can keep).