
Quick tech tip: if your email account supports passkeys, set one up today and keep at least one backup sign-in method. It is one of the best small upgrades regular people and small businesses can make against fake login pages, stolen passwords, and account lockouts.
A passkey lets you sign in with something like Windows Hello, Face ID, Touch ID, your phone screen lock, or a hardware security key. You are not typing a reusable password into a website. That matters because many account takeovers start with a convincing email or text message that sends someone to a fake Microsoft, Google, bank, shipping, or payroll login page.
Why This Is Worth Doing
Passwords can be reused, guessed, leaked, phished, or typed into the wrong page. Multi-factor authentication helps, but not all MFA is equal. Text-message codes and app prompts are still better than password-only sign-ins, but attackers often try to trick people into handing over codes or approving prompts.
Passkeys and FIDO2 security keys are designed to be more resistant to phishing because the sign-in is tied to the real website or app and to a device you control. CISA’s phishing-resistant MFA guidance points organizations toward stronger methods such as FIDO/WebAuthn-based authentication for accounts that need better protection.
The 15-Minute Setup
1. Start With Your Most Important Email Account
Do not try to fix every account at once. Start with the email account that can reset your other passwords. For many homes and small businesses, that means Microsoft 365, Outlook, Gmail, Google Workspace, or the owner/admin account tied to billing and domain services.
- For Microsoft personal accounts, review Microsoft’s passkey setup instructions.
- For Microsoft work or school accounts, use the security info page at mysignins.microsoft.com/security-info if your organization allows passkeys.
- For Google accounts, review Google’s passkey sign-in guidance and Google’s security key guidance.
2. Create The Passkey On A Device You Actually Use
Use a trusted phone, laptop, password manager, or hardware security key. During setup, pay attention to where the passkey is saved. Some passkeys live only on one device. Others sync through a credential manager such as iCloud Keychain, Google Password Manager, Microsoft Password Manager, 1Password, or another supported provider.
For a business owner or manager, I prefer at least two usable sign-in paths: one convenient daily method and one backup method that is stored safely. That might be a phone-based passkey plus a spare hardware security key in a safe, or a synced password manager passkey plus a documented admin recovery plan.
3. Keep MFA Turned On
Do not treat a passkey project as a reason to weaken the rest of your security. Keep multi-factor authentication enabled. In its Microsoft 365 MFA setup guide, Microsoft notes that MFA adds another layer of protection to Microsoft 365 sign-ins and recommends authenticator apps over SMS as faster and more secure.
Google also explains that passkeys can be used as a simple, secure alternative to passwords and may satisfy the second step because they prove access to the device. That is useful, but it makes the next step important: backup access.
4. Add A Backup Method Before You Need It
Before you sign out, confirm you have a backup path that does not depend on the same single device. Good backup options include a second trusted phone, a hardware security key, printed backup codes, a properly protected recovery email, or a second protected admin account for business tenants.
This is where people get into trouble. They set up stronger sign-in, replace a phone, lose an authenticator app, wipe a laptop, or change jobs without updating recovery methods. Google warns that account recovery can take several business days when 2-Step Verification is involved and you do not have another second step available. Microsoft also cautions that removing security information can place an account into a restricted waiting period.
5. Test It From A Fresh Browser Window
After setup, open a private/incognito browser window or use another trusted device and test the sign-in. Confirm these three things:
- The passkey prompt appears only on the real Microsoft, Google, or service login page.
- You can complete sign-in without hunting for a code or password you do not have.
- You know what the backup path is if the phone, laptop, or security key is lost.
Small-Business Checklist
If this is for a business, do not roll it out haphazardly, one employee at a time, without a plan. Use this order:
- Start with owner, admin, payroll, finance, email administrator, and domain registrar accounts.
- Confirm there are at least two protected admin accounts, not one shared admin login.
- Document where backup security keys or backup codes are stored.
- Test sign-in from a new device before enforcing stricter policies.
- Remove old phones, old employees, and unknown devices from account security pages.
- Train staff that a real passkey sign-in should be started from the site they intended to visit, not from a random email link.
What Can Go Wrong
- You save the passkey to the wrong place. A passkey saved only to a single laptop may not help when that laptop dies.
- You lose the only trusted device. Add a second recovery method before depending on passkeys every day.
- Shared business accounts create confusion. Passkeys work best when each person has their own account. Shared logins make offboarding and auditing harder.
- Older apps may still need special handling. Some legacy email apps, scanners, accounting integrations, and mail clients may not support modern sign-in cleanly.
- SMS is better than nothing, but it is not the strongest method. Use an authenticator app, passkey, or hardware security key where possible.
When To Call An IT Professional
Call for help before changing tenant-wide settings if you use Microsoft 365, Google Workspace, shared mailboxes, device management, compliance rules, or business-critical apps. A technician can help you avoid locking out the owner account, breaking scanners or line-of-business apps, or leaving a former employee with a recovery method still attached.
For small businesses, the goal is not just “turn on more security.” The goal is stronger sign-in that your team can actually use, plus a recovery plan that still works on the bad day when a phone is lost, an employee leaves, or a phishing email hits the inbox.
Useful Sources
- CISA: Implementing Phishing-Resistant MFA
- Microsoft Support: Create and save a passkey
- Microsoft Support: What are passkeys and why they matter
- Microsoft Support: Set up Microsoft 365 MFA
- Google Account Help: Sign in with a passkey instead of a password
- Google Account Help: Use a security key for 2-Step Verification