Every week, another home care agency gets breached. The attack vector? Almost always the same: a caregiver clicked a phishing link, entered their password, and an attacker walked right in.
Passwords are broken. They've been broken for years. But in 2026, there's finally a better option that's ready for mainstream adoption: passkeys.
What Are Passkeys?
Passkeys replace passwords with cryptographic keys stored on your device. Instead of typing a password, you authenticate with:
- Face ID on iPhone or Mac
- Touch ID on iPhone, iPad, or Mac
- Windows Hello facial recognition or fingerprint
- Android biometrics
- Hardware security keys like YubiKey
The technical name is WebAuthn (Web Authentication), part of the FIDO2 standard developed by the FIDO Alliance with support from Apple, Google, and Microsoft.
But you don't need to understand the cryptography. You just need to know this: passkeys can't be phished.
Why Passkeys Can't Be Phished
Here's how phishing works with passwords:
- Attacker sends email that looks like it's from your software provider
- Email links to a fake login page that looks identical to the real one
- Caregiver enters username and password
- Attacker now has those credentials
- Attacker logs into the real system
This works because passwords are "shared secrets"—both you and the service know the password, so if someone intercepts it, they can use it.
Passkeys work differently:
- Your device stores a private key that never leaves the device
- When you log in, your browser tells your device which website is really asking, and the device only signs in to the site the passkey was created for
- If the site isn't the real one, no passkey matches and authentication simply fails silently
- There's no password to intercept, no credential to steal
A fake login page at "carecade-login.com" (not the real site) would never receive a response from your passkey. The authentication just doesn't happen.
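The domain binding described above, as an added example that is not CareCade's code: a constructed stand-in for the authenticator and browser, plus the checks a WebAuthn server runs on a login response. `care.example` is an assumed placeholder for the real site, and the parent-domain test is a simplification of the browser's RP ID rule.

```javascript
const crypto = require('node:crypto');

const RP_ID = 'care.example';                 // assumed real site (placeholder)
const sha256 = (d) => crypto.createHash('sha256').update(d).digest();

// Constructed stand-in for an authenticator: one private key per RP ID.
function makeAuthenticator() {
  const keys = new Map();
  return {
    register(rpId) {
      const { publicKey, privateKey } =
        crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
      keys.set(rpId, privateKey);
      return publicKey;                       // only this goes to the server
    },
    sign(origin, rpId, challenge) {
      const key = keys.get(rpId);
      if (!key) return null;                  // no passkey scoped to this site
      const clientDataJSON = Buffer.from(
        JSON.stringify({ type: 'webauthn.get', challenge, origin }));
      // authenticator data: rpIdHash (32) | flags UP+UV (1) | signCount (4)
      const authData = Buffer.concat([sha256(rpId), Buffer.from([5, 0, 0, 0, 1])]);
      const signature = crypto.sign(
        'sha256', Buffer.concat([authData, sha256(clientDataJSON)]), key);
      return { clientDataJSON, authData, signature };
    },
  };
}

// Browser side (simplified): the page's own origin is recorded, and an RP ID
// that is not the page's host or a parent domain of it is refused.
function browserGet(auth, pageOrigin, rpId, challenge) {
  const host = new URL(pageOrigin).hostname;
  if (host !== rpId && !host.endsWith('.' + rpId)) return null;
  return auth.sign(pageOrigin, rpId, challenge);
}

// Server side: the checks a relying party runs on a login assertion.
function verifyAssertion(a, publicKey, expectedChallenge) {
  if (!a) return 'no-assertion';
  const c = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (c.type !== 'webauthn.get') return 'bad-type';
  if (c.challenge !== expectedChallenge) return 'bad-challenge';
  if (c.origin !== `https://${RP_ID}`) return 'bad-origin';
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return 'bad-rp-id-hash';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature)
    ? 'ok' : 'bad-signature';
}
```

A page served from `carecade-login.com` gets nothing back from `browserGet`, whichever RP ID it asks for, and a response that records any origin other than the real one is rejected by `verifyAssertion` before the signature is even checked.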
NIST Now Recommends Passkeys
In 2025, the National Institute of Standards and Technology (NIST) updated its cybersecurity guidelines to recognize synced passkeys as phishing-resistant authentication. This is significant because:
- Federal agencies are now directed to implement passkeys
- Regulated industries (including healthcare) follow NIST guidance
- HIPAA assessors increasingly ask about phishing-resistant authentication
The passwordless authentication market reached $24.1 billion in 2025 and is projected to hit $55.7 billion by 2030. This isn't a future technology—it's happening now.
The Problem with Passwords in Home Care
Home care agencies face unique password challenges:
Shared Device Environments
Multiple caregivers may use the same tablet at your office. Password fatigue leads to weak passwords, shared passwords, or passwords written on sticky notes.
High Staff Turnover
The home care industry sees significant turnover. Every departing staff member is a potential security risk if passwords aren't immediately changed.
Limited IT Support
Most home care agencies don't have dedicated IT staff to enforce password policies or respond to compromise attempts.
Caregiver Technology Comfort
Staff with varying technical comfort levels may struggle with complex passwords, leading to workarounds that undermine security.
Mobile-First Workforce
Caregivers access systems from phones in the field. Typing complex passwords on mobile keyboards is frustrating and error-prone.
How Passkeys Solve These Problems
| Password Problem | Passkey Solution |
|---|---|
| Phishing attacks | Cryptographically impossible to phish |
| Weak passwords | No passwords to be weak |
| Password reuse | Each passkey is unique to each site |
| Forgotten passwords | Biometric—you can't forget your face |
| Password sharing | Passkeys are tied to individual devices |
| Typing on mobile | One tap with Face ID or Touch ID |
Setting Up Passkeys: Easier Than You Think
For caregivers, passkey setup takes about 30 seconds:
- Log into your care management system
- Go to security settings
- Click "Add Passkey"
- Authenticate with Face ID, Touch ID, or Windows Hello
- Done
From then on, logging in is a single biometric scan. No passwords to remember, no codes to type.
For administrators, rollout is straightforward:
- Enable passkey authentication in your system settings
- Communicate the change to staff (it's easier, not harder—an easy sell)
- Have staff set up passkeys during a team meeting or shift start
- Optionally, set a deadline to disable password-only login
What About Staff Without Biometric Devices?
Passkeys work with any modern device:
- iPhones from iPhone 6s onward have Touch ID or Face ID
- Most Android phones have fingerprint or face unlock
- Windows 10/11 laptops with Windows Hello
- Hardware security keys for older devices
For the rare staff member with an incompatible device, TOTP two-factor authentication (Google Authenticator, Authy) provides strong protection as a fallback.
Real-World Passkey Adoption
Major organizations are already deploying passkeys at scale:
- Microsoft is rolling out Entra passkeys across Windows in 2026
- Google made passkeys the default sign-in for personal accounts
- Apple integrated passkeys across iOS, iPadOS, and macOS
- Healthcare systems in Europe are adopting passkeys to meet EU Digital Identity requirements
The technology is mature, widely supported, and actively maintained by the largest tech companies in the world.
The Cost of Waiting
Every month you delay passkey adoption is another month of phishing vulnerability. Consider:
- One successful phishing attack can expose thousands of client records
- HIPAA breach notifications require informing every affected individual
- Average healthcare breach cost exceeds $10 million including fines, legal fees, and remediation
- Reputation damage can take years to repair
Meanwhile, passkeys are free. The technology is built into modern devices. The only cost is the 30 seconds per staff member to set them up.
Getting Started This Week
Here's a practical rollout plan:
Week 1: Enable and Test
- Enable passkey authentication in your system (if available)
- Have administrators and office staff set up passkeys first
- Test the experience and document any questions
Week 2: Caregiver Rollout
- Introduce passkeys at team meetings
- Emphasize the benefit: faster, easier login with Face ID
- Help staff set up passkeys on their devices
- Keep password login available as fallback during transition
Week 3: Monitor and Support
- Check adoption rates in your admin dashboard
- Follow up with staff who haven't set up passkeys
- Address any technical issues
Week 4: Strengthen
- Consider requiring passkeys for administrative functions
- Optionally disable password-only login
- Document your new authentication policy
Questions Agencies Ask
What if someone steals a caregiver's phone?
The passkey only works with that person's biometrics. A thief would need the phone AND the caregiver's face or fingerprint. Plus, you can immediately revoke the passkey from your admin console.
Can passkeys be shared between caregivers?
No—that's a feature. Each passkey is tied to an individual person's biometrics. This creates accountability and proper audit trails.
What happens if a caregiver gets a new phone?
Passkeys can sync through iCloud Keychain (Apple) or Google Password Manager (Android). Or they can set up a new passkey on the new device in 30 seconds.
Do passkeys work offline?
The authentication requires connectivity, but that's true of any login system. Passkeys don't require more connectivity than passwords do.
The Future Is Passwordless
Passwords were invented in the 1960s. They made sense when computers were rare and users were technical. They don't make sense for a mobile workforce accessing sensitive health information.
Passkeys represent the biggest improvement in authentication security in decades. They're easier for users AND more secure—a rare combination in technology.
Your caregivers will thank you for eliminating password frustration. Your clients will be safer. Your agency will be protected from the phishing attacks that breach agencies every week.
The technology is ready. The question is whether your agency is.
