Passkeys Are Here, But Should Your Business Wait To Use Them?

Mar 5, 2026 | All Posts, Cybersecurity, Microsoft, New Technology, Productivity

Be honest. When was the last time you forgot a password and got stuck in the endless loop of reset emails, security questions, and temporary codes?

Password fatigue is real, and it ranks as one of the biggest frustrations for teams trying to get real work done.

That frustration explains why Microsoft’s latest update has drawn so much attention. Microsoft now allows passkeys to sync across devices using your Microsoft account in Edge. On the surface, this update sounds like the beginning of the end for passwords.

But as with most things in security, the details matter.

What Microsoft’s New Passkey Update Does

Passkeys let you sign in without typing a password. Instead, you use security built into your device, such as Face ID, fingerprint recognition, or a PIN. Behind the scenes, passkeys rely on the FIDO2 standard, which ties authentication to a specific device rather than to something you memorize.

Until recently, passkeys lived only on the device where you created them. If you lost a laptop or replaced a computer without backing it up properly, you could lose access to important accounts.

Microsoft’s update addresses that limitation.

Edge can now sync passkeys securely through your Microsoft account, using encryption and an additional PIN. In practical terms, this change reduces lockouts, cuts down on password resets, and makes it easier to move between devices.

From a convenience standpoint, this update is a meaningful step forward.

Where I’m More Cautious

This is where my perspective differs from some of the enthusiasm around passkeys.

In our work, we consistently advise clients not to store passwords directly in web browsers. Even trusted browsers operate inside large cloud ecosystems, and syncing credentials into those ecosystems creates another place where sensitive access data lives.

When you use passkeys this way, you trust the browser and the connected account to store and sync the keys that unlock your systems. That does not automatically make passkeys unsafe, but it does change the risk profile.

Attackers have targeted browsers for years.

Strong encryption helps, but breaches do not always happen the way vendors predict or design for. For most businesses, especially those handling sensitive data, convenience should never outrun control.

The Most Common Password Mistakes I See

When we review client environments, the same two mistakes appear again and again.

First, teams save passwords in browsers.

When an employee leaves, recovering or revoking access becomes difficult and time-consuming. Credentials often end up scattered in places no one can easily see or manage.

Second, teams rely on shared spreadsheets.

Passwords stored in Excel files, Google Sheets, or OneDrive documents are far more common than most people expect. Even when teams password-protect those files, attackers can target them easily, and administrators struggle to audit or control access.

Both practices create blind spots, and attackers actively look for blind spots.

What We Recommend Instead

For most local businesses today, a dedicated password manager offers the best balance of security and usability.

Tools like Bitwarden, 1Password, and Keeper exist specifically for this purpose. They use strongly encrypted vaults, support secure sharing, simplify onboarding and offboarding, and give businesses visibility into access without relying on individual browsers.

Passkeys still have a future, and that future looks promising. Over time, standards will mature, tooling will improve, and enterprise-level controls will continue to catch up.

Right now, though, rolling passkeys out broadly without a clear access strategy can introduce new risks while trying to solve old frustrations.

A Practical Way Forward

If your team wants to explore passkeys, start with limited, low-risk scenarios. That approach lets you learn without exposing critical systems.

For core business systems, especially anything tied to financial, legal, or client data, caution remains the smarter move.

Security works best when it stays boring, predictable, and well-managed. Flashy features grab attention, but consistency keeps businesses safe.

If you want help reviewing how your team manages passwords today, or deciding whether tools like passkeys make sense for your environment, that is exactly the kind of conversation we have every day.

Feel free to reach out. We are happy to walk through it with you.

Tony Sollars
