TL;DR:
Passwords are easy to phish. Move to long passphrases now, and launch a passkeys pilot in 60 minutes for Microsoft 365 or Google Workspace, starting with your execs and finance.
Why this matters
Insurers and auditors keep pushing for phishing-resistant logins. Passkeys (FIDO2/WebAuthn) replace passwords with a public-key credential held on the user's device or in a synced platform keychain: the private key never leaves the authenticator, the browser only releases a signature to the domain the credential was registered for, and there is no code to type, so a lookalike login page gets nothing it can relay or replay. They are faster for users and harder for attackers.
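To make the "nothing to steal" claim concrete, here is an added example (not code from the original page, and not Microsoft's or Google's) that walks through a simplified WebAuthn sign-in ceremony with all three parties: the passkey, the browser, and the relying party. The host names are constructed, and a per-credential HMAC stands in for the real ECDSA/EdDSA signature so the script runs on the Python standard library alone; the origin, rpId and challenge checks are the real ones.

```python
"""Simplified WebAuthn sign-in (assertion) ceremony: passkey, browser and relying party.
Added example, not from the original page. A per-credential HMAC stands in for the real
ECDSA/EdDSA signature so it runs on the standard library; the host names are constructed."""
import base64, hashlib, hmac, json, os

RP_ID = "example.com"                      # assumed relying-party ID (registrable domain)
RP_ORIGIN = "https://login.example.com"    # the only origin the RP accepts in clientDataJSON
PHISH_ORIGIN = "https://login-example.co"  # constructed lookalike phishing host


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Authenticator:
    """A passkey: one credential bound to one rpId; it cannot sign for any other rpId."""

    def __init__(self, rp_id: str):
        self.rp_id, self.secret, self.counter = rp_id, os.urandom(32), 0  # secret = stand-in key

    def get_assertion(self, rp_id: str, client_data_json: bytes) -> dict:
        if rp_id != self.rp_id:
            raise LookupError("no credential for rpId " + rp_id)
        self.counter += 1  # authenticatorData = sha256(rpId) || flags (UP) || signCount
        auth_data = hashlib.sha256(self.rp_id.encode()).digest() + b"\x01" + self.counter.to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return {"authenticatorData": auth_data, "clientDataJSON": client_data_json,
                "signature": hmac.new(self.secret, signed, hashlib.sha256).digest()}


def browser_get(authn: Authenticator, page_origin: str, rp_id: str, challenge: bytes) -> dict:
    """The browser's part: it honours only an rpId that is the page's host or a registrable
    suffix of it, and it writes the real page origin into clientDataJSON. Page JavaScript
    controls neither, which is what makes the credential unphishable."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("SecurityError: rpId %s is not a suffix of %s" % (rp_id, host))
    cdj = json.dumps({"type": "webauthn.get", "challenge": b64u(challenge), "origin": page_origin})
    return authn.get_assertion(rp_id, cdj.encode())


class RelyingParty:
    def __init__(self):
        self.pending = set()  # issued but not yet consumed challenges
        self.creds = {}       # credential id -> verification key (here: the HMAC secret)

    def register(self, cred_id: str, authn: Authenticator) -> None:
        self.creds[cred_id] = authn.secret

    def new_challenge(self) -> bytes:
        challenge = os.urandom(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, cred_id: str, assertion: dict) -> str:
        """Returns 'ok' or 'reject: <reason>', in the order the WebAuthn spec checks them."""
        cd = json.loads(assertion["clientDataJSON"])
        if cd.get("type") != "webauthn.get":
            return "reject: wrong ceremony type"
        challenge = unb64u(cd.get("challenge", ""))
        if challenge not in self.pending:
            return "reject: unknown or already-used challenge (replay)"
        if cd.get("origin") != RP_ORIGIN:
            return "reject: origin %s is not %s" % (cd.get("origin"), RP_ORIGIN)
        auth_data = assertion["authenticatorData"]
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return "reject: rpIdHash does not match " + RP_ID
        signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
        expected = hmac.new(self.creds[cred_id], signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return "reject: signature does not cover this clientDataJSON"
        self.pending.discard(challenge)  # single use (signCount is informational here)
        return "ok"


def run_scenarios() -> dict:
    """Constructed walkthrough: a legitimate sign-in, a lookalike-site phish (two ways),
    a replay of a captured assertion, and a captured assertion with a spliced challenge."""
    rp, passkey, out = RelyingParty(), Authenticator(RP_ID), {}
    rp.register("cred-1", passkey)
    good = browser_get(passkey, RP_ORIGIN, RP_ID, rp.new_challenge())
    out["legit"] = rp.verify("cred-1", good)

    # Phishing/AitM page on the lookalike host asks for the real rpId: the browser refuses
    # before the passkey is consulted, so there is nothing to relay to the real site...
    c = rp.new_challenge()
    try:
        browser_get(passkey, PHISH_ORIGIN, RP_ID, c)
        out["phish"] = "assertion produced"
    except PermissionError as e:
        out["phish"] = str(e)
    try:  # ...and for its own host no credential exists.
        browser_get(passkey, PHISH_ORIGIN, "login-example.co", c)
        out["phish_own_rpid"] = "assertion produced"
    except LookupError as e:
        out["phish_own_rpid"] = str(e)

    out["replay"] = rp.verify("cred-1", good)  # the challenge was consumed on first use

    # Captured assertion with a fresh challenge for the attacker's own session spliced in:
    # the signature no longer covers the edited clientDataJSON.
    old = json.loads(good["clientDataJSON"])["challenge"].encode()
    spliced = dict(good, clientDataJSON=good["clientDataJSON"].replace(old, b64u(rp.new_challenge()).encode()))
    out["spliced_challenge"] = rp.verify("cred-1", spliced)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print("%-17s %s" % (name, result))
```

Run it and the only scenario that returns "ok" is the genuine origin; the phishing page is stopped at the browser, and a captured assertion is useless on replay or after editing. Compare that with a TOTP code, which is valid on whatever page the user types it into.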
Start with what you can do today (10 minutes)
- Turn on long passphrases (e.g., "horse-battery-lake-sky"), screen them against known-breached password lists, and stop forced rotation on those passphrases unless you suspect compromise.
- Require MFA for all remote access and admin actions, and block legacy protocols that skip it.
- Standardize on one company password manager so nobody is juggling ad-hoc stores while you prepare for passkeys.
The 60-Minute Passkeys Pilot (Microsoft 365 or Google Workspace)
0–10 minutes: Pick scope and hardware
- Choose 5–10 users: CEO, CFO/Controller, AP/AR lead, IT admin.
- Decide on authenticators: platform passkeys (Windows Hello, Touch ID/Face ID, or the phone's passkey manager) plus one hardware security key per pilot user as a backup.
10–25 minutes: Turn on the feature
- Microsoft 365 (Entra ID): in the Entra admin center, Protection → Authentication methods → Passkey (FIDO2), enable the method and target only the pilot group.
- Google Workspace: in the Admin console, Security → Authentication, turn on passkeys (passwordless sign-in) for the pilot organizational unit or group only.
- Keep password sign-in available during the pilot so no one gets locked out, but remember the account stays phishable until password sign-in is turned off for that user (the "Best" step below).
25–40 minutes: Enroll users
- Have each pilot user:
- Register a platform passkey (laptop/phone).
- Register one hardware key (kept in a safe place) for break-glass.
- Generate backup codes and store them sealed or in a vault entry only the user and the named recovery owners can read; a backup code bypasses the passkey entirely, so treat it like a password.
40–55 minutes: Test real workflows
- Sign in to M365/Google from a clean browser profile or private window so a cached session doesn't mask the test.
- Open email/calendars, cloud storage, and one sensitive app (payroll or banking).
- Confirm the "tap to sign in" experience works on laptop and phone, including cross-device sign-in (laptop shows a QR code, the phone's passkey approves it) for anyone whose laptop has no platform authenticator.
55–60 minutes: Rollback plan + comms
- Document how to switch a user back to password+MFA if needed, and how to remove a lost or stolen key from the user's registered sign-in methods.
- Send a 1-page “How to use passkeys here” note with screenshots.
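The "turn on the feature" step above is a few clicks in the Entra admin center, but for a pilot it is worth scripting so you can prove the scope and roll it back. The following is an added example (not code from the page, and not Microsoft's) that sets Entra ID's Passkey (FIDO2) authentication method to the pilot group through Microsoft Graph and then audits the result for the common mistake of leaving the built-in all_users target in place. GROUP_ID is a placeholder, the token is read from an assumed GRAPH_TOKEN environment variable and needs the Policy.ReadWrite.AuthenticationMethod scope, and the "before" policy is a constructed sample. Google Workspace has no equivalent here; that setting stays in the Admin console.

```python
"""Scope Entra ID's Passkey (FIDO2) authentication method to a pilot group with Microsoft Graph.
Added example, not from the page or Microsoft. GROUP_ID is a placeholder; the token is expected
in GRAPH_TOKEN (an assumed env var) and needs the Policy.ReadWrite.AuthenticationMethod scope."""
import json
import os
import urllib.request

FIDO2_URL = ("https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"
             "/authenticationMethodConfigurations/Fido2")
GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder: object ID of the pilot group

# Constructed sample of what GET returns in a tenant that never scoped the method:
# the built-in all_users target, which would expose a "pilot" to the whole tenant.
SAMPLE_DEFAULT_POLICY = {
    "id": "Fido2", "state": "disabled", "isSelfServiceRegistrationEnabled": True,
    "isAttestationEnforced": False,
    "keyRestrictions": {"isEnforced": False, "enforcementType": "block", "aaGuids": []},
    "includeTargets": [{"targetType": "group", "id": "all_users", "isRegistrationRequired": False}],
}


def pilot_policy_body(group_id: str) -> dict:
    """PATCH body: enable the method, let pilot users self-register, and replace the
    include targets with the pilot group alone. Key restrictions stay off for the pilot
    so both platform passkeys and hardware keys can enrol."""
    return {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "state": "enabled",
        "isSelfServiceRegistrationEnabled": True,
        "isAttestationEnforced": False,
        "keyRestrictions": {"isEnforced": False, "enforcementType": "block", "aaGuids": []},
        "includeTargets": [{"targetType": "group", "id": group_id, "isRegistrationRequired": False}],
    }


def rollback_body() -> dict:
    """PATCH body for the rollback plan: turn the method off again. Users keep
    password+MFA because that was never removed during the pilot."""
    return {"@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
            "state": "disabled"}


def audit_pilot_scope(policy: dict, group_id: str) -> list:
    """Check a GET of the Fido2 configuration against the pilot intent. Returns the list of
    problems; an empty list means 'enabled, and only the pilot group is targeted'."""
    problems = []
    if policy.get("state") != "enabled":
        problems.append("method state is %r, not enabled" % policy.get("state"))
    ids = [t.get("id") for t in policy.get("includeTargets") or []]
    if "all_users" in ids:
        problems.append("includeTargets still contains the default all_users target")
    if group_id not in ids:
        problems.append("pilot group %s is not an include target" % group_id)
    for other in sorted(set(ids) - {group_id, "all_users"}):
        problems.append("unexpected extra include target: %s" % other)
    return problems


def graph(method: str, url: str, token: str, body: dict = None) -> dict:
    """Minimal Graph call. PATCH on this resource answers 204 No Content, so return {} then."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")
    if not token:
        print("No GRAPH_TOKEN set; auditing the constructed sample instead:")
        print(audit_pilot_scope(SAMPLE_DEFAULT_POLICY, GROUP_ID))
        print(audit_pilot_scope(pilot_policy_body(GROUP_ID), GROUP_ID))
    else:
        before = graph("GET", FIDO2_URL, token)
        print("before:", audit_pilot_scope(before, GROUP_ID))
        graph("PATCH", FIDO2_URL, token, pilot_policy_body(GROUP_ID))
        after = graph("GET", FIDO2_URL, token)
        print("after: ", audit_pilot_scope(after, GROUP_ID))  # expect []
```

Always follow the PATCH with the GET and the audit, whether you change the setting by script or in the portal: the audit is what proves the pilot is scoped to five people and not to the tenant. The rollback body is the scripted half of the 55-to-60-minute step.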
Good → Better → Best rollout ladder
- Good (Week 1): Execs + Finance + IT admins on passkeys; everyone else on strong passphrases + MFA.
- Better (Weeks 2–4): Expand to sales, HR, and anyone with external file sharing.
- Best (Quarter): Company-wide passkeys; passwordless on key systems (email, file storage, SSO).
Where passkeys move the needle first
- Email & Files: M365/Google (most phished entry point).
- Payroll & Banking: takes the password off the highest-value logins and cuts account-takeover wire fraud; keep out-of-band callback checks for payment changes, because a passkey does not stop a convincing email asking finance to act.
- SSO (Okta/Entra): one phishing-resistant login in front of everything else.
Help desk & change management (copy-paste)
- “You won’t type passwords—instead you use a quick device prompt.”
- “If your laptop dies, use your backup hardware key or call IT.”
- “Traveling? Your phone can be your passkey; keep the hardware key separate.”
Break-glass & recovery
- Maintain 2 hardware keys per admin (primary + sealed spare).
- Store backup codes in an access-controlled vault restricted to the named recovery owners, with access logging, not one readable by all of finance and IT; a backup code bypasses the passkey entirely.
- Document the 3 ways to recover: platform passkey, hardware key, IT-assisted reset (in Entra, a Temporary Access Pass). The reset path needs real identity verification by the help desk, because once the login is hard to phish, attackers go after the reset flow instead.
Measuring success
- Time to sign in (target: under 5 seconds).
- Share of pilot sign-ins that used a passkey rather than a password, from the sign-in logs (goal: zero password fallbacks by the end of the pilot).
- Fewer password reset tickets.
- Fewer phishing-related incidents and wire-fraud near-misses.
Common pitfalls to avoid
- Rolling out to everyone at once (creates edge-case chaos).
- Skipping hardware backup keys (one lost laptop shouldn't nuke access).
- Leaving password sign-in (and SMS/voice MFA) enabled indefinitely: a user is still phishable until those are turned off or blocked for them.
- Not telling users what to expect (surprise = resistance).
What we’ll do with you in a 20-minute call
- Confirm your environment can support passkeys today.
- Provide the 60-Minute Passkeys Pilot checklist and the help-desk script.
- Set the “Good → Better → Best” rollout calendar.
Want a hand? We’ll run the pilot with you and train your admins in one session.