
Are Passwords Finally Being Replaced?

Let’s start with a raw fact: phishing accounts for 19 out of 20 cyberattacks. For small and mid-sized accounting firms, it is in no way a theoretical concern - it's a constant, existential threat.


That’s why cybersecurity leaders are advocating for a move away from traditional logins toward passkeys - a passwordless authentication method built specifically to neutralize phishing risks. Major players like Microsoft, Amazon and Google are actively pushing for their use.



Yet, most accounting firms still default to the old email-and-password routine. Why? Because it’s familiar. It’s what they’ve always done.


But are passkeys actually more secure than passwords? Are they worth the shift? Increasingly, the answer is yes. What used to be an emerging concept is now maturing fast. Passkeys promise seamless, secure login experiences, and that’s not just tech talk. It’s quickly becoming the new normal.


What Is a Passkey?

A passkey is a new way to log in to your accounts without using a password.


Instead of typing anything, you simply unlock your device (using your face, fingerprint, or a PIN), and the passkey confirms it's really you. It’s fast, secure and eliminates the need to remember or manage passwords.


Here’s how it works:

When you create a passkey, your device creates two digital “keys.” One stays on your device (private), and the other goes to the website or app you’re logging into (public). When you log in, your device uses its private key to prove your identity without actually sending that key anywhere. The site checks the public key and lets you in.


Because there’s no password to steal, phishing attacks aimed at stealing your password won't work. And since the private key never leaves your device, your login details stay secure even if the website gets hacked.


Think of it like having a digital house key stored safely in your phone. Only your device can use it, and only you can unlock it.


Why Passwords Are Still a Problem

Passwords have been a standard part of working life for decades—but they’ve become a serious security liability. They’re easy to forget, often written down or saved in browsers, and regularly reused across multiple accounts.


The numbers paint a clear picture:

  • 60% of Americans reuse passwords.

  • Only 6% of passwords are truly unique.

  • “1234” shows up in over 700 million leaked credentials.

  • “Password” and “admin” were used by 56 million and 53 million users, respectively.

  • Millions more relied on words like “love,” “God,” or “Hell” as if they’d somehow offer protection.


It’s easy to laugh at these stats until your firm becomes the next victim. How confident are you that the same practices aren't happening in your own firm? One exposed login could lead to serious reputational and financial damage.


Why isn’t everyone using passkeys yet?

Passkeys fix major problems with passwords, such as people reusing the same password across different accounts, which is one of the main causes of security breaches. They also make phishing scams almost impossible.


But adoption is slow. A recent report found that:

  • 76% of businesses think passkeys are too complex or expensive to set up.

  • 24% say connecting passkeys to old systems would take a lot of work.

  • 56% don’t have the staff or skills to manage the change.

  • 24% already use other strong security methods.


Best Practices for Moving to Passkeys in Your Firm

If you’re thinking about replacing passwords with passkeys, these tips will help you make the change without disrupting your workflow:


  • Start Small – Begin with one or two logins, such as your accounting software or client portal. Once you’re comfortable, expand passkeys to other accounts.

  • Use Biometrics for Faster, Safer Logins – Unlocking with your face or fingerprint means no more typing long passwords. It’s also far more secure, because biometric data is extremely difficult to copy or steal.

  • Set Up Passkeys on More Than One Device – If your phone or laptop is lost, stolen, or damaged, having passkeys on a backup device ensures you can still access your systems and client files.


Making the switch gradually, using biometrics, and having a backup plan will help your firm adopt passkeys smoothly, boosting both efficiency and security.


Best Practices for Creating Strong Passwords and Passphrases

If you’re still using passwords, make them long, unique, and hard to guess.


CISA recommends at least 16 characters of either a random string or a passphrase of 4–7 unrelated words.


NIST requires a minimum of 8 characters for user-created passwords and advises checking passwords against lists of known-compromised credentials.


Passphrases are an excellent option: they’re easier to remember than random strings but just as strong when they’re long and unique. For example:

✅ coffee-planet-violin-train

❌ Summer2024! (too predictable)


Skip the myths - you don’t need to mix symbols, numbers, and uppercase letters in every password.

Don’t change passwords on a set schedule - only after a suspected or confirmed compromise.
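A check that applies the guidance above, as an added example rather than anything from the article or from CISA/NIST: it enforces the 8-character minimum, flags anything under 16, recognises 4–7 word passphrases, compares against a compromised-credential list, and deliberately imposes no composition rules. The compromised list and the function names (normalize, isPassphrase, evaluatePassword) are constructed for the demo.

```javascript
// Added example, not from the article: a small check that applies the CISA/NIST
// guidance above. The compromised list below is constructed sample data for the
// demo; a real deployment would check against a full breached-credential corpus.
const COMPROMISED = new Set(
  ["123456", "1234", "password", "admin", "love", "god", "hell", "summer", "summer2024!"]
);

// Lower-case and strip trailing digits/symbols so "Summer2024!" is matched as "summer".
function normalize(pw) {
  return pw.toLowerCase().replace(/[^a-z]+$/, "");
}

// A passphrase here is 4-7 distinct words separated by spaces or hyphens.
function isPassphrase(pw) {
  const words = pw.split(/[\s-]+/).filter(Boolean);
  const distinct = new Set(words.map((w) => w.toLowerCase()));
  return words.length >= 4 && words.length <= 7 &&
    words.every((w) => /^[a-z]+$/i.test(w)) && distinct.size === words.length;
}

function evaluatePassword(pw) {
  const problems = [];
  if (pw.length < 8) problems.push("shorter than the NIST minimum of 8 characters");
  if (COMPROMISED.has(pw.toLowerCase()) || COMPROMISED.has(normalize(pw))) {
    problems.push("matches a known-compromised or predictable credential");
  }
  const passphrase = isPassphrase(pw);
  if (pw.length < 16) {
    problems.push(passphrase ? "passphrase is under 16 characters; use longer words"
                             : "random string is under the CISA-recommended 16 characters");
  }
  // Deliberately no composition rules: symbols, digits and mixed case are not required,
  // and nothing here expires a password on a schedule.
  return { ok: problems.length === 0, passphrase, problems };
}
```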


The easiest way to meet these standards: use a password manager like 1Password, LastPass or Bitwarden, which can instantly generate long, random passwords or passphrases that follow NIST and CISA guidance and store them securely so you never have to remember them.



The takeaway for accountants: Passkeys offer stronger protection for client data and can help prevent costly breaches. They’re worth considering as part of your security plan, especially when you handle sensitive financial information every day.

