HubSpot Now Supports Passkeys for Two-Factor Authentication: What It Means for Your Team

Learn how HubSpot's new passkey support for 2FA eliminates phishing risks and streamlines login. Step-by-step setup guide and rollout best practices.

Key Takeaways (TL;DR)

  • What is it? HubSpot now supports passkeys as a phishing-resistant authentication method, letting users log in with biometrics, PINs, or security keys instead of passwords and traditional 2FA codes
  • Key Benefit: Eliminates the #1 cause of data breaches — stolen credentials — while making login faster and easier
  • Requirements: Any HubSpot subscription (Free through Enterprise); compatible device with biometric support or a FIDO2 security key
  • Best For: Organizations that want to strengthen CRM security without adding login friction for their teams
  • Compliance Note: Aligns with NIST SP 800-63B guidelines and FIDO2 standards; Super Admins can enforce passkeys as the required login method
  • Bottom Line: Passkeys deliver a 93% login success rate (vs. 63% for passwords) and make phishing attacks against your HubSpot portal virtually impossible

Introduction

Your CRM holds some of the most sensitive data in your organization — customer contact information, deal values, communication histories, proprietary sales strategies. Yet for most teams, the only thing standing between that data and a bad actor is a password that someone probably reuses across a dozen other websites.

HubSpot has taken a major step forward in CRM security by adding passkey support as both a login method and a two-factor authentication option. Passkeys represent the biggest shift in authentication technology since the introduction of 2FA itself — a shift that Apple, Google, Microsoft, and the FIDO Alliance have been building toward for years.

In this guide, we'll break down exactly what passkeys are, why they matter for CRM security, how to set them up in HubSpot, and how to roll them out across your team. We'll also compare passkeys to every other authentication method so you can make informed security decisions for your organization.

What Are Passkeys and How Do They Work?

The Simple Explanation

Think of passkeys like a bank safety deposit box. The box requires two keys to open: the bank has one key, and you have the other. To access the box, you prove your identity (with your ID) and present your physical key. One key alone can't open the box.

Passkeys work the same way — except your "key" is stored securely on your device and unlocked with your fingerprint, face scan, or PIN.

The Technical Explanation

Passkeys use public key cryptography based on the FIDO2/WebAuthn standard:

  1. During setup: A cryptographic key pair is generated. The public key is stored with HubSpot's servers, and the private key is stored securely on your device (or synced through your platform's cloud keychain).
  2. During login: HubSpot sends a random cryptographic challenge. Your device signs the challenge with the private key, and HubSpot verifies that signature using the stored public key.
  3. Authentication: You confirm the login using your device's biometrics (fingerprint, face scan), a PIN code, or a password manager prompt.

The private key is never shared with HubSpot; it stays on your device (or in your platform's synced keychain). HubSpot holds only the public key, so there is no login secret for an attacker to steal from HubSpot's servers, even in the event of a data breach.

Why Passkeys Are Inherently Multi-Factor

Traditional 2FA requires two separate steps: enter your password (something you know) and then enter a code from your phone (something you have). Passkeys combine multiple factors into a single seamless action:

  • Something you have: Your device containing the private key
  • Something you are: Your biometric (fingerprint or face) that unlocks the key
  • Something you know: Your device PIN (as an alternative to biometrics)

This is why passkeys don't just replace passwords — they replace passwords and traditional 2FA in one step.

Why Passkeys Matter for CRM Security

The Problem with Passwords

Compromised credentials are the number one cause of data breaches year after year, according to Verizon's Data Breach Investigations Report. The reasons are well-documented:

  • The average person manages 168 password-protected accounts, leading to rampant password reuse
  • More than 60% of people reuse passwords across multiple websites and services
  • Phishing attacks trick users into entering credentials on fake login pages — and they're getting more sophisticated with AI-generated content
  • Password fatigue leads to weaker passwords and workarounds that undermine security policies

For CRM platforms like HubSpot, the stakes are especially high. A compromised CRM account can expose customer personal information, sales pipeline data, communication histories, marketing lists, financial information, and integration credentials for connected systems.

How Passkeys Eliminate These Risks

| Risk | Passwords + Traditional 2FA | Passkeys |
|---|---|---|
| Phishable | Yes — fake login pages can capture both passwords and TOTP codes | No — cryptographically bound to the legitimate domain |
| Reusable across sites | Yes — users frequently reuse passwords | No — each passkey is unique to a single service |
| Requires memorization | Yes — complex password rules lead to weak passwords | No — nothing to remember |
| Interceptable via SIM swap | Yes — SMS-based 2FA is vulnerable | No — no SMS or phone number involved |
| Vulnerable to credential stuffing | Yes — leaked passwords from other breaches can be tried | No — no shared secret to stuff |
| Subject to brute force attacks | Yes — weak passwords can be cracked | No — cryptographic keys can't be guessed |

The Phishing Resistance Advantage

This deserves special emphasis. Passkeys are phishing-resistant by design. Here's why:

When you use a passkey, your browser verifies that the website requesting authentication actually matches the domain the passkey was created for. If an attacker creates a fake hub5pot.com login page, your passkey simply won't work there — your browser knows it's not hubspot.com.

This is fundamentally different from passwords and TOTP codes, which you can type into any form on any website. Even the most sophisticated phishing page can't trick a passkey.
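
The challenge-response flow from the technical explanation and the domain binding described in this section, as an added example (not code from HubSpot or from this article): a Node.js sketch of the checks a WebAuthn relying party runs on a login assertion. The relying-party ID `hubspot.com`, the origin `https://app.hubspot.com`, the function names and the simulated authenticator are assumptions for illustration.

```javascript
// Added illustration with constructed values; not HubSpot's implementation.
const { createHash, generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

const RP_ID = 'hubspot.com';                       // assumed relying-party ID
const EXPECTED_ORIGIN = 'https://app.hubspot.com'; // assumed login origin
const sha256 = (buf) => createHash('sha256').update(buf).digest();

// Simulated authenticator + browser. In a real flow the browser, not the page,
// writes `origin` into clientDataJSON and the authenticator signs the result.
function makeAssertion(privateKey, challenge, origin, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: challenge.toString('base64url'),
    origin,
  }));
  // authenticatorData = SHA-256(rpId) (32 bytes) || flags (1) || signCount (4)
  const authenticatorData = Buffer.concat([
    sha256(Buffer.from(rpId)),
    Buffer.from([0x05]),   // UP (0x01, user present) | UV (0x04, user verified)
    Buffer.alloc(4),       // signature counter, 0 in this sketch
  ]);
  const signedData = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: sign('sha256', signedData, privateKey) };
}

// Relying-party checks. Returns 'ok' or the name of the first failed check.
function verifyAssertion(publicKey, expectedChallenge, assertion) {
  const { clientDataJSON, authenticatorData, signature } = assertion;
  let clientData;
  try { clientData = JSON.parse(clientDataJSON.toString('utf8')); } catch { return 'bad-client-data'; }
  if (clientData.type !== 'webauthn.get') return 'wrong-type';
  if (clientData.challenge !== expectedChallenge.toString('base64url')) return 'challenge-mismatch';
  if (clientData.origin !== EXPECTED_ORIGIN) return 'origin-mismatch';
  if (authenticatorData.length < 37) return 'short-authenticator-data';
  if (!authenticatorData.subarray(0, 32).equals(sha256(Buffer.from(RP_ID)))) return 'rp-id-mismatch';
  if ((authenticatorData[32] & 0x01) === 0) return 'user-not-present';
  if ((authenticatorData[32] & 0x04) === 0) return 'user-not-verified';
  const signedData = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return verify('sha256', signedData, publicKey, signature) ? 'ok' : 'bad-signature';
}

function runScenarios() {
  // Registration: the key pair is created once; the server keeps only publicKey.
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const challenge = randomBytes(32);
  const genuine = makeAssertion(privateKey, challenge, EXPECTED_ORIGIN, RP_ID);
  // Lookalike page relaying the real challenge. A conforming browser would not
  // offer the hubspot.com passkey there at all; simulated to show the server check.
  const lookalike = makeAssertion(privateKey, challenge, 'https://hub5pot.com', RP_ID);
  // Same assertion with the origin rewritten in transit: the signature no longer matches.
  const rewritten = { ...lookalike, clientDataJSON: Buffer.from(
    lookalike.clientDataJSON.toString('utf8').replace('https://hub5pot.com', EXPECTED_ORIGIN)) };
  // A key pair the server never registered for this user.
  const other = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    genuine: verifyAssertion(publicKey, challenge, genuine),
    lookalikeOrigin: verifyAssertion(publicKey, challenge, lookalike),
    rewrittenOrigin: verifyAssertion(publicKey, challenge, rewritten),
    replayedOnNewChallenge: verifyAssertion(publicKey, randomBytes(32), genuine),
    unregisteredKey: verifyAssertion(publicKey, challenge,
      makeAssertion(other.privateKey, challenge, EXPECTED_ORIGIN, RP_ID)),
  };
}

console.log(runScenarios());
```

Because the signature covers both the origin written by the browser and a fresh server challenge, a response produced for a lookalike domain or captured from an earlier login is rejected before the session is created.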

How to Set Up Passkeys in HubSpot

Step 1: Set Up Your Personal Passkey

  1. Log in to your HubSpot account
  2. Click the Settings icon (gear) in the top navigation bar
  3. In the left sidebar, navigate to General > Security
  4. Click Set up passkeys
  5. Follow the prompt from your device — this could be a native biometric prompt (Touch ID, Windows Hello, Android biometrics) or a password manager prompt (1Password, Dashlane, Bitwarden)
  6. Confirm the setup — your passkey will appear in your security settings

The entire process takes less than 60 seconds.

Step 2: Add Passkeys for Multiple Devices

If you use devices across different ecosystems (e.g., a MacBook and an Android phone), you have two options:

Option A: Create multiple passkeys

  1. Return to Settings > General > Security
  2. Click Add another passkey
  3. Set up the passkey on your additional device

Option B: Use a cross-platform password manager

If you use a password manager like 1Password, Bitwarden, or Dashlane, you can create one passkey that syncs across all your devices regardless of platform. This is the recommended approach for users with mixed ecosystems.

Step 3: Log In with Your Passkey

  1. On the HubSpot login screen, enter your email address and click Next
  2. Click Sign in with a Passkey
  3. Complete the biometric or PIN verification on your device
  4. You're in — no password entry, no 2FA code, no waiting for a text message

Passkeys also work on the HubSpot mobile app for both iOS and Android. Note that passkeys must first be created on desktop, but once created, they can be used to log in on mobile.

For Admins: Enforce Passkeys Across Your Portal

Super Admins can mandate passkeys as the required login method for all users:

  1. Go to Settings > Security
  2. Under the Login tab, find Configure allowed login methods
  3. Toggle the switch on
  4. Select the Passkeys checkbox
  5. Choose an enforcement date and click Save

Users will receive email notifications about the new requirement and will be prompted to set up passkeys on their next login.

You can also configure approved 2FA methods separately:

  1. Navigate to Settings > Security > Login tab
  2. In the Account 2FA preferences section, toggle Approved 2FA methods
  3. Select which methods to allow: Authenticator App, Text Message, HubSpot Mobile App
  4. Click Save

Pro Tip: During the transition period, keep at least one legacy 2FA method enabled as a fallback. Once your team is fully onboarded to passkeys, you can tighten the restrictions.

Authentication Methods Compared: A Complete Guide

Understanding where passkeys fit in the security hierarchy helps you make better decisions for your organization.

Tier 1: Passwords Only (Weakest)

  • How it works: User enters a memorized password
  • Vulnerability: Phishing, credential stuffing, brute force, password reuse
  • Risk level: High
  • Recommendation: Never use passwords alone for CRM access

Tier 2: Passwords + SMS-Based 2FA

  • How it works: Password plus a one-time code sent via text message
  • Vulnerability: SIM swapping, SS7 network attacks, SMS interception, phishing
  • Risk level: Medium-High
  • Recommendation: Better than passwords alone, but SMS is the weakest 2FA method

Tier 3: Passwords + TOTP (Authenticator App)

  • How it works: Password plus a time-based one-time password from an app like Google Authenticator, Authy, or Duo
  • Vulnerability: Phishing (real-time relay attacks can capture TOTP codes), device loss
  • Risk level: Medium
  • Recommendation: Good baseline security; recommended as a minimum for CRM access

Tier 4: Passwords + Push Notifications

  • How it works: Password plus a push notification to approve on a trusted device (e.g., HubSpot mobile app)
  • Vulnerability: Push fatigue attacks (MFA bombing), social engineering
  • Risk level: Medium-Low
  • Recommendation: Strong option with some residual risk from notification fatigue

Tier 5: Passkeys / FIDO2 Security Keys (Strongest)

  • How it works: Cryptographic key pair with biometric or PIN verification — no password needed
  • Vulnerability: An attacker needs physical access to the enrolled device plus the biometric or PIN
  • Risk level: Very Low
  • Recommendation: The gold standard for authentication security — this is what HubSpot now supports

The Numbers Don't Lie

According to the FIDO Alliance's 2025 Passkey Index:

  • 93% login success rate for passkeys vs. 63% for traditional methods
  • 87% of enterprises have deployed or are actively deploying passkeys
  • 43% of organizations that deployed passkeys reported a significant decline in password usage
  • 74% of consumers are now aware of passkeys

Real-world results from early adopters confirm the benefits:

  • Intuit: 15% login success rate improvement, 70% faster sign-in
  • Yahoo Japan: 25% decrease in forgotten passwords, 2.6x faster authentication
  • Kayak: 50% faster sign-in times
  • Mercari: 3.9x faster authentication

Best Practices for Rolling Out Passkeys Across Your Team

Phase 1: Preparation (Week 1-2)

Audit your current authentication landscape:

  • How many users are on your HubSpot portal?
  • What 2FA methods are currently in use?
  • Are any users still using password-only access?
  • What devices and platforms does your team use?

Check device compatibility:

  • Nearly all modern devices and browsers support passkeys
  • Verify compatibility at passkeys.dev/device-support
  • Note any users with older devices that may need upgrades or hardware security keys

Communicate the change:

  • Announce the transition to passkeys with a clear timeline
  • Explain the benefits: faster login, no more codes to enter, stronger security
  • Address common concerns: "What if I lose my device?" "What about shared computers?"

Phase 2: Voluntary Adoption (Week 2-4)

Enable passkeys as an option:

  • Turn on passkey support in your HubSpot security settings
  • Encourage early adopters and tech-savvy team members to set up passkeys first
  • Collect feedback and address any issues

Provide setup support:

  • Create a brief internal guide or share HubSpot's passkey knowledge base article
  • Offer quick setup sessions — passkey creation takes under 60 seconds
  • Help users with cross-platform setups (password managers are key)

Phase 3: Encouraged Adoption (Week 4-6)

Track adoption metrics:

  • Monitor how many users have set up passkeys
  • Use HubSpot's Security Health dashboard to review 2FA enrollment
  • Follow up individually with users who haven't yet transitioned

Tighten 2FA requirements:

  • If still allowing SMS-based 2FA, consider restricting it to authenticator apps and passkeys
  • Set a target date for passkey enforcement

Phase 4: Full Enforcement (Week 6-8)

Mandate passkeys as a required login method:

  • Use the Super Admin settings to enforce passkey login
  • Set an enforcement date that gives users adequate notice (HubSpot sends automatic email notifications)
  • Keep one fallback method available during the first month of enforcement

Monitor and support:

  • Watch for login issues in the first week after enforcement
  • Have IT support ready to assist with passkey recovery or device issues
  • Review security logs for any anomalies

How This Compares to Salesforce's Approach

It's worth noting the contrast between how HubSpot and Salesforce are approaching phishing-resistant authentication:

Salesforce has been progressively mandating stronger security measures. Their 2026 security roadmap includes enforcing phishing-resistant MFA for high-privilege accounts, with broader requirements rolling out over time. Salesforce's approach is compliance-driven — organizations must meet deadlines or risk losing access.

HubSpot is taking a more adoption-friendly path. By offering passkeys across all subscription tiers (including Free) and providing a gradual enforcement mechanism, HubSpot makes it easy for organizations to adopt at their own pace while still providing the tools Super Admins need to mandate stronger security when they're ready.

The takeaway: Whether your organization uses HubSpot, Salesforce, or both, the industry is clearly moving toward phishing-resistant authentication. The organizations that adopt passkeys proactively — rather than waiting for mandates — will be better protected and face smoother transitions.

Implications for CRM Data Protection

Regulatory Alignment

Passkeys align with emerging security frameworks and regulations:

  • NIST SP 800-63B: The National Institute of Standards and Technology published supplemental guidance on syncable authenticators (passkeys), recognizing them as a secure authentication method for organizations
  • FIDO2/WebAuthn: Passkeys are built on open standards maintained by the FIDO Alliance and the W3C
  • Zero Trust Architecture: Passkeys support zero-trust principles by providing strong, continuous authentication without relying on network perimeter security
  • SOC 2 and ISO 27001: Implementing passkeys demonstrates strong access control practices for audit and compliance purposes

Reducing Your Attack Surface

Every password in your organization is a potential attack vector. By moving to passkeys, you:

  • Eliminate credential theft risk — there are no passwords to steal
  • Remove phishing as a viable attack — passkeys can't be entered on fake sites
  • Reduce help desk burden — no more password resets or 2FA lockouts
  • Simplify compliance — fewer credentials to manage, rotate, and audit

Protecting Connected Integrations

HubSpot often serves as the hub for a web of business integrations — email, calendar, marketing automation, payment processing, and more. A compromised HubSpot account doesn't just expose CRM data; it can provide access to connected systems. Passkeys help secure the entire ecosystem by hardening the primary access point.

Frequently Asked Questions

What is a passkey and how is it different from a password?

A passkey is a cryptographic credential that replaces passwords entirely. Instead of typing a memorized string of characters, you authenticate using your device's biometrics (fingerprint or face scan) or a PIN. Passkeys use public key cryptography, meaning the secret (private key) never leaves your device and can't be phished, guessed, or stolen from a server breach.

Do passkeys work on all HubSpot subscription tiers?

Yes. Passkey support is available across all HubSpot products and subscription tiers, including the free CRM. This is a universal security improvement that every HubSpot user can take advantage of.

Can I use passkeys on mobile devices?

Yes, you can use passkeys to log in to the HubSpot mobile app on both iOS and Android. However, passkeys must first be created on the desktop version of HubSpot. Once created, they sync across your devices through your platform's cloud keychain (iCloud Keychain, Google Password Manager) or your password manager.

What happens if I lose my device with my passkey?

If your passkey is synced through a cloud service (iCloud Keychain, Google Password Manager) or a password manager, you can access it from another device signed into the same account. If you lose access entirely, you can complete the recovery process for the service where the passkey is stored. HubSpot also allows you to have multiple passkeys, so setting up a backup passkey on a second device is recommended.

Can I use passkeys if my organization uses Single Sign-On (SSO)?

If your organization requires SSO for HubSpot login, passkeys are not applicable — SSO handles the authentication flow. However, if SSO is available but not required, individual users can choose to use passkeys instead.

Are there any limitations to passkeys in HubSpot?

A few to note: (1) Each user can only set one passkey per authenticator type. (2) Passkeys don't work with the Microsoft Outlook desktop app's embedded browser — they work fine in Outlook Web. (3) The HubSpot Sales Extension in a web browser supports passkeys. (4) Passkey setup is currently desktop-only, though login works on both desktop and mobile.

How do passkeys compare to hardware security keys like YubiKey?

Hardware security keys (YubiKey, Titan Key) are a type of FIDO2 authenticator and are fully compatible with HubSpot's passkey support. The main difference is that hardware security keys don't sync — they're tied to the physical device. Syncable passkeys (stored in your platform keychain or password manager) offer more convenience, while hardware keys offer the highest security for organizations with strict compliance requirements. Both are phishing-resistant.

Conclusion

HubSpot's passkey support represents a significant leap forward in CRM security. By adopting passkeys, your organization gains phishing-resistant authentication that's actually easier to use than the passwords and 2FA codes it replaces.

The industry trend is unmistakable: 87% of enterprises are already deploying passkeys, and the FIDO Alliance reports a 93% login success rate compared to 63% for traditional methods. Whether driven by security best practices, compliance requirements, or simply wanting to eliminate password headaches, the case for passkeys is clear.

Don't wait for a mandate. Start your passkey rollout today and give your team the most secure, most convenient way to access your CRM.


Ready to Strengthen Your CRM Security?

Vantage Point helps organizations implement robust security practices across their CRM platforms. Whether you need help rolling out passkeys across your HubSpot portal, configuring advanced security settings, or building a comprehensive CRM security strategy, our team is ready to help.

Contact Vantage Point to discuss your CRM security needs.


About Vantage Point

Vantage Point is a CRM consulting firm specializing in Salesforce and HubSpot implementations, integrations, and optimization. As partners of Salesforce, HubSpot, Anthropic (Claude AI), Aircall, and Workato, we help businesses of all sizes build secure, connected, and intelligent customer platforms. From Data Cloud and MuleSoft integrations to AI-powered automation, Vantage Point delivers solutions that drive growth and protect your most valuable asset — your customer relationships. Learn more at vantagepoint.io.

David Cockrum

David Cockrum is the founder and CEO of Vantage Point, a specialized Salesforce consultancy exclusively serving financial services organizations. As a former Chief Operating Officer in the financial services industry with over 13 years as a Salesforce user, David recognized the unique technology challenges facing banks, wealth management firms, insurers, and fintech companies—and created Vantage Point to bridge the gap between powerful CRM platforms and industry-specific needs. Under David’s leadership, Vantage Point has achieved over 150 clients, 400+ completed engagements, a 4.71/5 client satisfaction rating, and 95% client retention. His commitment to Ownership Mentality, Collaborative Partnership, Tenacious Execution, and Humble Confidence drives the company’s high-touch, results-oriented approach, delivering measurable improvements in operational efficiency, compliance, and client relationships. David’s previous experience includes founder and CEO of Cockrum Consulting, LLC, and consulting roles at Hitachi Consulting. He holds a B.B.A. from Southern Methodist University’s Cox School of Business.
