You can't get phished if you don't have a password.
Going passwordless is the single biggest security improvement an Australian business on Microsoft 365 can make. What it means in plain language, what staff actually see, and how it lands you on the Essential Eight.
Phishing is still the most reliable way to break into an Australian business. The Australian Signals Directorate’s Annual Cyber Threat Report 2024-25 recorded phishing in 60% of the cyber security incidents it responded to over the year, with stolen account logins close behind. The average cost of cybercrime per Australian business climbed 50% to $80,850, and to $97,200 for medium businesses (up 55% on the year before). ASD’s resilience guidance is no longer hedged: “Use phishing-resistant MFA wherever possible, preferably passkeys.”
The defence everyone reaches for is multi-factor authentication: the second step where you type a code, or approve a prompt on your phone, after entering your password. We’ve insisted on it across every managed client since well before the insurers started asking, and it does block most automated attacks. The trouble is that it doesn’t block the new generation of phishing kits, which can intercept the code or the approval as you type it. SMS, voice approval, and number-matching push notifications all still ask a busy human to judge whether a sign-in is genuine. Get tired or rushed enough, and the wrong person gets a green tick.
The only way out of that loop is to remove the password from the equation entirely. Hence the headline.
[Figure: sign-in methods available in Microsoft 365: SMS, voice call, Authenticator (push), software OTP, hardware OTP, Windows Hello, Authenticator passkey, FIDO2 security key.]
What passwordless actually means in Microsoft 365
Four ways to sign in, all included in a Microsoft 365 Business Premium tenant:
- Windows Hello. Sign in to your laptop by looking at the camera or pressing a fingerprint reader. The sign-in credential is locked inside a chip in the laptop and never gets typed, sent, or stored anywhere it could be stolen.
- A passkey in the Microsoft Authenticator app. A sign-in credential that lives on the user’s phone, released by Face ID or fingerprint. To sign in on a different device, the user scans a QR code with their phone and approves on the phone.
- A hardware security key. A small USB or NFC stick (the most common brand is YubiKey) that plugs into the laptop or taps against a phone. Useful for shared workstations, senior staff, or as a backup when a phone is lost.
- A passkey held on a Windows device. A newer pattern that lets a Windows machine carry a passkey for an account without the laptop itself being managed by your IT team. Useful for shared kiosks, contractor laptops, and other unmanaged devices.
All four are described as “phishing-resistant” because of how they work. The credential is cryptographically tied to a specific piece of hardware, so a fake login page can’t capture it (there is no password to type), and the device only releases the credential to the site it was registered for, never to a lookalike it doesn’t recognise. Microsoft’s phishing-resistant deployment guide and Intune passwordless overview cover the full menu if your IT team wants to read along.
The older “approve this sign-in” prompt in Microsoft Authenticator is a fifth option, and it’s a real step up from SMS codes, but it isn’t phishing-resistant on its own. We use it as a stepping stone for users we haven’t moved to Hello yet, never as the destination.
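The “won’t release the credential to a website it doesn’t recognise” property is the whole reason a passkey survives a phishing proxy, and it is worth seeing the checks rather than taking them on trust. The script below is an added example, not code from this article or from Microsoft: it models the three parties in a passkey sign-in (the authenticator holding the credential, the browser, and the relying party that verifies) and runs a genuine sign-in, a lookalike-domain phishing attempt, a forged-origin assertion and a replay. The relying party name login.microsoftonline.com and the lookalike domain are illustrative, and an HMAC stands in for the FIDO2 public-key signature so the script needs only the Python standard library.

```python
"""Passkey origin binding, modelled end to end. Added example; not the article's
or Microsoft's code. HMAC replaces the FIDO2 signature (assumption) so this runs
on the standard library alone; the origin/rpId checks are the real ones."""
import hashlib
import hmac
import json
import secrets

RP_ID = "login.microsoftonline.com"                  # illustrative relying party
ALLOWED_ORIGINS = {"https://login.microsoftonline.com"}


class Authenticator:
    """Stand-in for the TPM, phone or security key that holds the credential."""

    def __init__(self):
        self._creds = {}                             # cred_id -> (rp_id, key)

    def register(self, rp_id):
        cred_id = secrets.token_hex(8)
        self._creds[cred_id] = (rp_id, secrets.token_bytes(32))
        return cred_id

    def verifier_key(self, cred_id):
        return self._creds[cred_id][1]               # a real authenticator exports a public key instead

    def get_assertion(self, cred_id, rp_id, client_data_hash):
        stored_rp, key = self._creds.get(cred_id, (None, None))
        if stored_rp != rp_id:                       # credential is scoped to one relying party
            raise LookupError(f"no credential for rpId {rp_id!r}")
        flags = 0x05                                 # user present + user verified (biometric/PIN)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get(authenticator, page_origin, cred_id, challenge):
    """Browser step. The browser, not the page, writes the origin into clientData
    and derives rpId from the page's own domain, so a lookalike site cannot ask
    for the real site's credential."""
    rp_id = page_origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data, sig = authenticator.get_assertion(cred_id, rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def rp_verify(verifier_key, challenge, client_data, auth_data, sig):
    """Relying-party checks, in the order WebAuthn lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != challenge.hex():
        return False, "challenge mismatch (replay or stale)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not the relying party"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    expected = hmac.new(verifier_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def demo():
    """Runs the four scenarios and returns {name: (accepted, reason)}."""
    auth = Authenticator()
    cred_id = auth.register(RP_ID)
    key = auth.verifier_key(cred_id)
    results = {}

    # 1. Genuine sign-in on the real site.
    challenge = secrets.token_bytes(32)
    genuine = browser_get(auth, "https://login.microsoftonline.com", cred_id, challenge)
    results["legitimate"] = rp_verify(key, challenge, *genuine)

    # 2. Phishing proxy: a lookalike page relays the real challenge to the victim.
    proxied = secrets.token_bytes(32)
    try:
        browser_get(auth, "https://login-microsoftonline.example", cred_id, proxied)
        results["phishing"] = (True, "authenticator answered the lookalike (should not happen)")
    except LookupError as err:
        results["phishing"] = (False, str(err))

    # 3. Malware on the client lies to the authenticator about rpId but cannot fix the origin field.
    forged = json.dumps({"type": "webauthn.get", "challenge": proxied.hex(),
                         "origin": "https://login-microsoftonline.example"}, sort_keys=True).encode()
    auth_data, sig = auth.get_assertion(cred_id, RP_ID, hashlib.sha256(forged).digest())
    results["forged_origin"] = rp_verify(key, proxied, forged, auth_data, sig)

    # 4. Replay of the genuine assertion against a later challenge.
    results["replay"] = rp_verify(key, secrets.token_bytes(32), *genuine)
    return results


if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print(f"{name:14} accepted={accepted} ({reason})")
```

Only the first scenario is accepted. The phishing case fails before the user even gets a prompt, because the credential simply does not exist for the lookalike domain; the forged-origin and replay cases fail at the relying party on the origin and challenge checks. None of those checks depend on the user noticing anything, which is the difference from an SMS code or a push approval.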
What the staff experience looks like
A staff member who’s gone passwordless on a Windows 11 laptop signs in by looking at the camera or pressing a fingerprint reader. That gesture also signs them into Microsoft 365, SharePoint, Teams, Outlook, every other app the business uses through Microsoft, and (with a small one-time setup) any traditional file servers the business hasn’t moved to the cloud yet. There is no password to type, and no one to phish.
When they pick up their phone, the same identity is available via the passkey in Authenticator. New browser session on a personal device, sign-in on a colleague’s machine, contractor visit at a client site: scan the QR code, approve with Face ID, you’re in. No password, no SMS code, no MFA prompt to misjudge.
The user-facing change everyone notices first is speed. Microsoft’s published numbers have a passkey sign-in averaging around 8 seconds versus up to 24 seconds for a password and MFA combination, with a sign-in success rate of 98% against 32% for passwords. Roughly three times the success rate at a third of the time. We see the same pattern on rollouts: the staff who were most resistant to “another security thing” become the loudest advocates by week two.
Why Microsoft 365 Business Premium makes this approachable
Going passwordless used to be the kind of project only enterprises with full-time identity teams could pull off. That is no longer true. Microsoft 365 Business Premium, the licence we already recommend to almost every client over 25 staff, includes the two pieces that make a passwordless rollout work end to end:
- The security policy engine that lets us require phishing-resistant sign-in on the apps holding real data, central reporting so we can see who’s signed up, and the controls to push the change out to everyone at once.
- The device management piece that registers each laptop, iPhone, and Android phone with the business, sends them the right settings automatically, and prepares them for the credential they’re going to hold.
Together they cover every step: register the device, push the policy, set up the new credential, retire the password. Microsoft’s Windows Hello for Business overview covers the laptop side in technical depth if your IT team wants to read along.
The same licence also includes the email security, malware protection, data-loss prevention, and document classification you’d want anyway. Business Premium is, in our view, the strongest cybersecurity platform a 20 to 250 staff Australian business can buy off the shelf. Going passwordless on it is the single biggest security improvement you can make.
What rolling this out looks like
Done properly, a passwordless rollout has a recognisable shape. We’ve run it enough times that it’s predictable.
1. Set the rules. The security policy engine gets configured to require phishing-resistant sign-in on Microsoft 365 and the apps holding sensitive information (finance systems, practice management software, anything regulated).
2. Set up Windows Hello on every laptop. The settings get pushed to each managed Windows machine. Where the business still runs traditional file servers, we link the new sign-in back to those at the same time.
3. Register a phone passkey for every staff member. Each person sets up their phone in the Authenticator app. From that point, the phone covers every cross-device or away-from-desk sign-in.
4. Use one-time setup passes for new starters. A new staff member receives a temporary code (Microsoft calls it a Temporary Access Pass), uses it to sign in once on their laptop and phone, registers the permanent credentials, and never sees a password.
5. Keep two emergency keys somewhere safe. Two break-glass accounts, each holding a hardware key, stored physically (a locked drawer at the office, or a safe), excluded from the new rules. These exist for the day something goes wrong with the identity platform itself.
6. Turn off password sign-in. Once everyone is registered, password sign-in gets disabled in the security rules. The point of the exercise is closing the door, not just opening a new one.
Step six is the one most rollouts skip. If the password remains a valid way to sign in for any account that touches business data, you’ve added a feature, not removed an attack surface. Phishers will keep trying, and one tired staff member is enough.
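Steps one, five and six are all one object in Microsoft 365: a Conditional Access policy that requires the built-in “Phishing-resistant MFA” authentication strength for every user and every cloud app, with the break-glass group excluded. The Python script below is an added example, not the article’s or Microsoft’s code; it talks to the Microsoft Graph REST API with nothing beyond the standard library. The environment variable names, the policy display name and the group id placeholder are this example’s own, and the sample authentication-strength listing is constructed to mirror the shape of the API response (confirm the ids against your own tenant).

```python
"""Conditional Access policy for the rollout: require phishing-resistant MFA for
all users and all apps, excluding the break-glass group. Added example; not the
article's or Microsoft's code. Needs a Graph token with
Policy.ReadWrite.ConditionalAccess in GRAPH_TOKEN to actually create the policy;
without one it prints the policy document for review."""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample of GET /policies/authenticationStrengthPolicies, trimmed to
# the fields this script reads. Verify the built-in ids in your own tenant.
SAMPLE_STRENGTHS = {"value": [
    {"id": "00000000-0000-0000-0000-000000000002", "displayName": "Multifactor authentication", "policyType": "builtIn"},
    {"id": "00000000-0000-0000-0000-000000000003", "displayName": "Passwordless MFA", "policyType": "builtIn"},
    {"id": "00000000-0000-0000-0000-000000000004", "displayName": "Phishing-resistant MFA", "policyType": "builtIn"},
]}


def find_strength_id(strengths, display_name="Phishing-resistant MFA"):
    """Pick the built-in strength by name rather than hard-coding its id."""
    for s in strengths.get("value", []):
        if s.get("displayName") == display_name and s.get("policyType") == "builtIn":
            return s["id"]
    raise LookupError(f"authentication strength {display_name!r} not found")


def build_policy(strength_id, break_glass_group_id, enforce=False):
    """Policy document for POST /identity/conditionalAccess/policies.
    Default is report-only: read the sign-in log for a week, then set enforce=True."""
    return {
        "displayName": "Require phishing-resistant MFA - all users, all apps",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [break_glass_group_id]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {
            "operator": "OR",
            "authenticationStrength": {"id": strength_id},
        },
    }


def policy_lint(policy):
    """Checks worth running before the policy goes anywhere near a tenant."""
    problems = []
    if not policy["conditions"]["users"].get("excludeGroups"):
        problems.append("no break-glass exclusion: a mis-scoped policy can lock out every admin")
    if policy["conditions"]["applications"].get("includeApplications") != ["All"]:
        problems.append("scoped to some apps only: the password stays valid everywhere else")
    if "authenticationStrength" not in policy["grantControls"]:
        problems.append("grant control is plain MFA, not an authentication strength")
    return problems


def graph(method, path, token, body=None):
    """Minimal Graph call; raises on any non-2xx response."""
    req = urllib.request.Request(
        f"{GRAPH}{path}", method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")
    group = os.environ.get("BREAK_GLASS_GROUP_ID", "<break-glass-group-object-id>")
    strengths = graph("GET", "/policies/authenticationStrengthPolicies", token) if token else SAMPLE_STRENGTHS
    policy = build_policy(find_strength_id(strengths), group)
    for problem in policy_lint(policy):
        raise SystemExit(f"refusing to create policy: {problem}")
    if token:
        print("created policy", graph("POST", "/identity/conditionalAccess/policies", token, policy)["id"])
    else:
        print(json.dumps(policy, indent=2))
```

The policy is created in report-only mode on purpose. Sign-ins that would have been blocked show up in the sign-in log under the policy’s name, which is the list of people and apps still on step two or three; once that list is empty, switching the state to enabled is step six.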
The quiet wins
The security argument is the headline, but the operational wins start showing up before the security delta is even measurable.
- Password reset volume drops near zero. No password to forget. The helpdesk reclaims the time it used to lose to “I can’t get into Outlook” tickets, and that capacity goes back into the work that actually moves a business forward.
- Onboarding gets faster. Day one for a new staff member becomes: receive the laptop, scan a QR code with the phone, fingerprint the laptop, work. No “welcome email with the temporary password”, no first-day reset call, no half-day waiting on IT.
- Account-takeover incidents stop. Not “drop by 80%”. Stop. We can find malicious sign-in attempts in the security logs every week, but they have nothing to attack.
- Audit conversations get shorter. Ticking “we use phishing-resistant MFA on every employee, with passwords disabled” is the easiest box on every cybersecurity insurance application and Essential Eight assessment we’ve seen this year. It’s also one of the harder controls for a competing IT provider to claim with a straight face.
Where this lands you on the Essential Eight
The Essential Eight is the Australian government’s list of the eight most important cybersecurity controls a business should have in place. It’s the framework most insurers, regulators, and larger clients use to ask the question “are you doing the basics?” The model has three maturity levels: Level One (the entry bar), Level Two (the standard expected of a business holding sensitive data), and Level Three (the standard expected of a high-risk target like a critical infrastructure operator).
Multi-factor authentication is one of the eight controls, and the requirement gets stricter at higher levels. Level Two requires phishing-resistant MFA on every account that accesses important data, with sign-in events logged centrally. Level Three keeps that scope, adds central monitoring of those logs, and requires that the second factor cannot be used on its own. That last requirement means the password is gone. The 2024-25 ASD report restates the same expectation in plainer language: phishing-resistant MFA, preferably passkeys.
Going passwordless on Microsoft 365 Business Premium lifts this control to Level Two in one move and most of the way through Level Three with the rollout. Windows Hello and the phone passkey both meet the phishing-resistant bar Microsoft and ASD describe. The older “approve this sign-in” prompt in Authenticator does not, which is why we use it as a stepping stone rather than the destination.
The same rollout improves a second Essential Eight control: restricting administrative privileges, which itself requires phishing-resistant sign-in on every account with admin rights at Level Two and above. Admin accounts get the same passwordless credential as everyone else. We see the gap routinely on assessments: privileged accounts still on the same SMS code that’s been deprecated for two years, while the same business has been telling its insurer it has the controls in place.
Translated to an Essential Eight scorecard: the MFA pillar moves from “we have MFA” to “phishing-resistant for every user, logged, monitored.” That’s a real maturity step, not a tickbox renaming. Run our Essential Eight self-assessment to see where your current MFA control sits before and after.
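The gap described above (privileged accounts still completing sign-in on a password plus SMS code) is visible in the Entra sign-in log, and the Level Three expectation of central monitoring is essentially a query over it. The following Python script is an added example, not the article’s code: it reads exported sign-in entries and lists every account that completed a successful sign-in without any phishing-resistant method, flagging privileged accounts first. The log entries are constructed, trimmed to the Graph signIn fields the script reads (userPrincipalName, status.errorCode, authenticationDetails); the method-name strings are an assumption and should be checked against how your own tenant’s log spells them.

```python
"""Coverage check over sign-in log entries: which accounts still sign in
successfully without a phishing-resistant method? Added example, not the
article's code. Sample entries are constructed."""
from collections import defaultdict

# Method names as written in the log are an assumption; confirm them in your tenant.
PHISHING_RESISTANT = {"Windows Hello for Business", "FIDO2 security key",
                      "Passkey (Microsoft Authenticator)"}

# Constructed sign-in log entries (domain and names are illustrative).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "status": {"errorCode": 0},
     "authenticationDetails": [{"authenticationMethod": "Windows Hello for Business", "succeeded": True}]},
    {"userPrincipalName": "bob@contoso.example", "status": {"errorCode": 0},
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True},
                               {"authenticationMethod": "Text message", "succeeded": True}]},
    {"userPrincipalName": "admin-finance@contoso.example", "status": {"errorCode": 0},
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True},
                               {"authenticationMethod": "Mobile app notification", "succeeded": True}]},
    {"userPrincipalName": "carol@contoso.example", "status": {"errorCode": 50126},   # wrong password, rejected
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": False}]},
    {"userPrincipalName": "alice@contoso.example", "status": {"errorCode": 0},
     "authenticationDetails": [{"authenticationMethod": "Passkey (Microsoft Authenticator)", "succeeded": True}]},
]


def coverage_gaps(signins, privileged=frozenset()):
    """Successful sign-ins that completed without any phishing-resistant method,
    grouped by account. An empty result is what 'password sign-in is off' looks like."""
    gaps = defaultdict(lambda: {"count": 0, "methods": set(), "privileged": False})
    for entry in signins:
        if entry.get("status", {}).get("errorCode", -1) != 0:
            continue                                     # failed attempt: nothing was granted
        used = {d["authenticationMethod"] for d in entry.get("authenticationDetails", []) if d.get("succeeded")}
        if used & PHISHING_RESISTANT:
            continue                                     # covered: a passkey, Hello or key was in the chain
        upn = entry["userPrincipalName"]
        gaps[upn]["count"] += 1
        gaps[upn]["methods"] |= used
        gaps[upn]["privileged"] = upn in privileged
    return dict(gaps)


def failed_password_attempts(signins):
    """Password guesses that bounced: expected background noise once the password is retired."""
    return sum(1 for e in signins
               if e.get("status", {}).get("errorCode") != 0
               and any(d.get("authenticationMethod") == "Password" for d in e.get("authenticationDetails", [])))


def report(signins, privileged=frozenset()):
    gaps = coverage_gaps(signins, privileged)
    for upn, g in sorted(gaps.items(), key=lambda kv: (not kv[1]["privileged"], kv[0])):
        tag = "PRIVILEGED " if g["privileged"] else ""
        print(f"{tag}{upn}: {g['count']} sign-in(s) without a phishing-resistant method, via {sorted(g['methods'])}")
    print(f"failed password attempts (noise, not a gap): {failed_password_attempts(signins)}")


if __name__ == "__main__":
    report(SAMPLE_SIGNINS, privileged={"admin-finance@contoso.example"})
```

Run weekly, the first list is the rollout’s remaining work and should shrink to nothing after step six; the failed-password count is the “attempts that have nothing to attack” figure from the quiet wins above, and it will keep ticking over long after the gap list is empty.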
What we’re advising every managed client
- Move to Microsoft 365 Business Premium if you’re not already on it. The price step from Business Standard is small relative to what you get, and every other recommendation below depends on the parts the licence includes.
- Roll out Windows Hello and phone passkeys to every staff member. No opt-in pilot that runs for a year. The controls only work if everyone is across, and a half-deployed rollout is mostly cost.
- Set the rules so that signing in to Microsoft 365 and any app holding sensitive data requires the new phishing-resistant credential, not a password.
- Use one-time setup passes for onboarding and recovery. New starters never see a password; users who lose a device don’t get reset to one.
- Keep two emergency keys in a locked drawer or a safe, excluded from the new rules. Don’t skip this.
- Disable password sign-in for the user population once everyone is across. Closing the door is the move that actually retires the attack surface.
If you’re a managed client, your account lead will bring this up at the next review anyway. If you’d rather move sooner, get in touch.
This is, in our view, the single most consequential cybersecurity decision an Australian SMB on Microsoft 365 will make in 2026. The licences are already in the package. The deployment is well-documented. What’s missing is the decision to actually finish it.