
      Traditional password systems are increasingly reaching their limits in modern cloud environments. Companies today manage hundreds of digital identities – often with complex login procedures and outdated security mechanisms. Passwords are considered one of the biggest security risks. Passkeys are a phishing-resistant alternative that could replace passwords in the long term.

      Why passwords are no longer sufficient

      According to our Cloud Monitor 2025 study, 68 percent of companies continue to rely on password-based authentication. Although 61 percent also use multi-factor authentication (MFA), modern methods such as passkeys or biometric authentication are currently only used as a supplement. Complete replacement often fails due to technical legacy issues and a lack of integration into existing systems.

      Verizon's 2025 Data Breach Investigations Report identifies stolen credentials as the most common initial access vector in security incidents. In 2024, over 2.8 billion passwords, in encrypted or plain-text form, were offered for sale on criminal platforms or shared publicly. In so-called basic web application attacks (BWAA), 88 percent of incidents can be traced back to compromised credentials. MFA alone is not enough: as long as a password is part of the login, it remains the weak point, and second factors that can be typed into a phishing page (SMS or app codes) are simply relayed along with it.

      This is exactly where passkeys come in: they enable password-free authentication that is cryptographically bound to devices and resistant to phishing.

      How passkeys work

      Passkeys are FIDO credentials: asymmetric key pairs created and stored on an authenticator, whose private key is unlocked locally by biometrics or a device PIN (user verification). They are based on the FIDO2 standards WebAuthn (Web Authentication, the browser API) and CTAP (Client to Authenticator Protocol, between the client and an external authenticator). Because the secret is a key pair rather than a shared secret, a passkey cannot be guessed, reused from a leaked database or captured by a phishing page. Each passkey is unique to the user and to the service (relying party) for which it was registered.

      When a passkey is registered with a service, the authenticator generates a key pair:

      • The private key is stored securely on the authenticator (e.g. the TPM on Windows, the Secure Enclave on Apple devices, or a hardware security key) and is never sent to the service.
      • The public key is stored with the service; it contains no secret, so a breach of the service's user database yields nothing that can be used to log in.

      Each login starts with the service sending a random challenge. The user unlocks the passkey with biometrics or the device PIN, and the authenticator signs the challenge together with the origin the browser is actually on. The browser only lets a site use passkeys registered for its own domain (the relying party ID), and the service checks that the signed origin matches its own before accepting the login. A passkey registered for paypal.com therefore never produces a usable signature for a lookalike domain, which is what makes the method phishing-resistant rather than merely hard to phish. Device-bound passkeys, e.g. on a hardware security key, cannot be copied off the authenticator at all; synced passkeys are replicated between a user's devices through the platform's credential manager (iCloud Keychain, Google Password Manager), which simplifies recovery but makes the account protecting that sync a target that must be secured with the same care.
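      To make the registration and login steps above concrete, here is an added example written for this article (not code from the original page, from KPMG or from any FIDO library). It models the WebAuthn exchange in Go with a simulated authenticator and relying party: the key pair is created at registration and only the public key leaves the device; each login signs a fresh challenge together with the origin the browser is actually on; the service checks the challenge, the origin and the relying-party ID hash before verifying the signature. The domains bank.example and bank-example.com, the challenge encoding and the use of Ed25519 (most passkeys use ES256) are assumptions for illustration; a real deployment would use a WebAuthn library and the browser's navigator.credentials API rather than this model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed model of the FIDO2/WebAuthn login ceremony (not a real library): the
// authenticator keeps one private key per relying-party ID, the relying party only the public key.
type (
	Authenticator struct{ creds map[string]ed25519.PrivateKey } // rpId -> private key, never exported
	RelyingParty  struct {
		rpId, origin string
		pub          ed25519.PublicKey // all the service stores; contains no secret
	}
	clientData struct{ Type, Challenge, Origin string } // filled in by the browser, not by the page
	assertion  struct{ clientDataJSON, authData, signature []byte }
)

// Register runs once per service; only the public half ever leaves the authenticator.
func (a *Authenticator) Register(rpId string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // EdDSA (COSE alg -8); most passkeys use ES256
	if err != nil {
		panic(err)
	}
	a.creds[rpId] = priv
	return pub
}

// NewChallenge is the relying party's fresh random nonce for one login attempt.
func NewChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// signedBytes is what WebAuthn signs: authenticatorData || SHA-256(clientDataJSON).
func signedBytes(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	return append(append([]byte{}, authData...), cdHash[:]...)
}

// Sign models browser plus authenticator. The browser derives the rpId from the origin it is
// really on (modelled as the host of an https origin), so a lookalike domain finds no credential.
func (a *Authenticator) Sign(origin, challenge string) (*assertion, error) {
	rpId := origin[len("https://"):]
	priv, ok := a.creds[rpId]
	if !ok {
		return nil, errors.New("no passkey registered for " + rpId)
	}
	cd, _ := json.Marshal(clientData{"webauthn.get", challenge, origin})
	rpIdHash := sha256.Sum256([]byte(rpId))
	authData := append(rpIdHash[:], 0x01, 0, 0, 0, 0) // flags: user present; zero signature counter
	return &assertion{cd, authData, ed25519.Sign(priv, signedBytes(authData, cd))}, nil
}

// Verify is the relying-party side; each check closes one attack class.
func (rp *RelyingParty) Verify(challenge string, as *assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.clientDataJSON, &cd); err != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("malformed, stale or wrong challenge") // a fresh nonce per login defeats replay
	}
	if cd.Origin != rp.origin { // the browser-asserted origin defeats relayed phishing
		return errors.New("origin mismatch: " + cd.Origin)
	}
	rpIdHash := sha256.Sum256([]byte(rp.rpId))
	if len(as.authData) < 37 || string(as.authData[:32]) != string(rpIdHash[:]) || as.authData[32]&1 == 0 {
		return errors.New("authenticatorData not for this rpId or without user presence")
	}
	if !ed25519.Verify(rp.pub, signedBytes(as.authData, as.clientDataJSON), as.signature) {
		return errors.New("bad signature")
	}
	return nil
}

// RunScenarios registers one passkey for the constructed domain bank.example, then tries a genuine login, a lookalike domain and a replay.
func RunScenarios() map[string]error {
	auth := &Authenticator{creds: map[string]ed25519.PrivateKey{}}
	rp := &RelyingParty{rpId: "bank.example", origin: "https://bank.example"}
	rp.pub = auth.Register(rp.rpId)
	c1 := NewChallenge()
	a1, err := auth.Sign(rp.origin, c1)
	if err != nil {
		panic(err)
	}
	out := map[string]error{"login": rp.Verify(c1, a1)}
	_, out["phish"] = auth.Sign("https://bank-example.com", NewChallenge()) // lookalike page relays the real challenge
	out["replay"] = rp.Verify(NewChallenge(), a1)                           // captured assertion, new challenge
	return out
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-6s -> %v\n", name, err)
	}
}
```

      RunScenarios returns nil for the genuine login and an error for both the lookalike-domain attempt (the authenticator holds no key for that relying-party ID, so no signature is produced at all) and the replayed assertion (its challenge is stale). Real clientDataJSON uses lower-case keys and base64url encoding, and production relying parties also check the signature counter and, where required, attestation; both are omitted here to keep the model short.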

      How passkeys increase security for businesses

      Passkeys remove the phishing and credential-stuffing attack surface, support compliance requirements such as ISO 27001 and NIS2 that call for strong authentication, and improve user convenience at the same time. Major providers such as Microsoft, Google and Apple already support passkeys in their cloud and identity systems.

      In combination with zero-trust architectures, passkeys offer a future-proof basis for secure authentication in cloud environments.

      We support companies in the strategic and technical integration of password-free procedures into existing cloud and identity management systems – from concept development and piloting to secure implementation. In doing so, we take regulatory requirements into account, define recovery processes and train your teams.

      Conclusion: Passkeys as the key to cloud security

      Passkeys are more than just a replacement for passwords – they are a central component of modern security strategies. Companies that adopt password-free procedures early on strengthen their cyber resilience, improve the user experience and comply with legal requirements.


      The new study analyses the cloud reality of German companies in 2025.

      Your contact

      Markus Limbach

      Partner, Consulting, Cyber Security

      KPMG AG Wirtschaftsprüfungsgesellschaft