
CMMC and the End of Passwords: Why Passkeys Are the Future of Cybersecurity and Compliance

  • mike08242
  • Apr 8
  • 3 min read

Updated: 5 days ago

From The Cyber-Minute with Terry McGraw, CEO, Cape Endeavors

In a recent Cape Endeavor Cyber Minute, CEO Terry McGraw didn’t mince words: “Passwords are a delusion of security.” It’s a bold statement—but one that’s increasingly hard to refute. In just sixty seconds, McGraw outlines what cybersecurity professionals have been warning for years: passwords and even multi-factor authentication (MFA) are no longer enough to protect our digital identities.

Cape Endeavor Cyber-Minute: Why Passkeys are the Future

This statement is especially relevant for businesses working toward Cybersecurity Maturity Model Certification (CMMC) or ensuring ongoing compliance—a requirement for any organization in the Department of Defense (DoD) supply chain that handles Controlled Unclassified Information (CUI).


While the CMMC framework doesn’t explicitly mandate the use of passkeys, it strongly encourages multi-factor authentication (MFA) and passwordless authentication methods to enhance security. Passkeys—based on modern public-private key cryptography—fall squarely into that category and are quickly emerging as a best practice for meeting identity and access management requirements outlined in NIST SP 800-171, the foundation of CMMC.


Why Traditional Passwords Fail in a CMMC Context

Despite their ubiquity, passwords are a poor defense in today’s threat environment. As McGraw explains, they’re easily stolen through phishing, keylogging, and data breaches, and can often be cracked in minutes to hours using automated tools. For organizations handling sensitive government data, that level of vulnerability is unacceptable.


Even when paired with traditional MFA, such as text codes or authenticator apps, passwords still fall short. A phishing site that proxies traffic to the real service can relay the one-time code in real time, so a convincing lure defeats both factors at once, and users continue to fall for well-crafted phishing campaigns.


That’s why the DoD and CMMC guidance increasingly favor phishing-resistant authentication—a category where passkeys shine.


What Are Passkeys—and Why Are They Better?

Passkeys use public-private key cryptography to replace passwords entirely:

  • The public key is stored on the service or application you're logging into.

  • The private key remains securely on your device (e.g., phone or laptop) and never leaves it.

  • Authentication is completed through a challenge-response process: the service sends a fresh, random challenge, your device signs it with the private key, and the service checks the signature against the stored public key. Because each challenge is used once, a captured response cannot be replayed.


Key security advantages of passkeys:

  • Phishing-resistant: There is no password or code to steal or to trick users into typing. The signature also covers the web origin the browser is actually connected to, and the credential is bound to the site that registered it, so a look-alike domain cannot obtain a signature the real service will accept.

  • Unguessable: The private key is a random cryptographic key, not something a person chose, so it cannot be guessed or brute-forced the way a password can.

  • Device-bound: The private key stays on the authenticator and is never transmitted to a server. The service holds only the public key, so a breach of its credential database yields nothing an attacker can log in with, and since each passkey is unique to one site there is no credential to reuse across services.


In McGraw’s words, “Your phone or laptop becomes the key. It’s simple, it’s seamless, it’s ironclad.”


How Passkeys Support CMMC and NIST SP 800-171

CMMC Level 2 and above require strict adherence to NIST SP 800-171, particularly the controls in Section 3.5 (Identification and Authentication). These include:

  • Implementing MFA for local and remote access (3.5.3, 3.5.7)

  • Restricting access to authorized users (3.5.1)

  • Preventing reuse or compromise of authentication credentials (3.5.8, 3.5.9)


Passkeys directly support these requirements by eliminating shared secrets, preventing credential theft, and offering phishing-resistant, user-friendly authentication.

While not mandatory under CMMC, passkeys represent a forward-looking, compliant, and secure approach to protecting user access and CUI—aligning with both Zero Trust principles and the DoD’s cybersecurity modernization efforts.


Big Tech Is on Board

Apple, Google, and Microsoft have already embraced passkeys. All three companies are implementing support across their ecosystems, enabling users to log in to services with biometric authentication (Face ID, fingerprint, etc.) instead of passwords.


According to the FIDO Alliance, which developed the technology behind passkeys, this approach not only reduces user friction but also drastically improves security.


Ready to Future-Proof Your Authentication Strategy?

If you're pursuing CMMC compliance or simply looking to strengthen your organization’s defenses, it’s time to move beyond passwords. Passkeys not only support core identity and access management requirements—they reduce user friction and lower your attack surface.


Terry McGraw ends his video with a clear call to action:

“Passwords and MFA—they’re outdated. Passkeys: a more secure future.”


