Track the share of accounts that are passkey-enrolled, the proportion of sign-ins still using passwords, and the number of recovery events that bypass the primary factor. If password use remains high or recovery is frequent, the programme is still in transition rather than truly passwordless.
Why This Matters for Security Teams
Passkey adoption can look healthy on paper while risk remains unchanged underneath. The real question is not whether passkeys exist, but whether they are replacing passwords at scale, reducing reliance on recovery paths, and shrinking the number of events that fall back to weaker authentication. That makes passkey measurement a governance problem, not just an authentication rollout metric. Guidance such as the NIST Cybersecurity Framework 2.0 and NHI research such as the Ultimate Guide to NHIs — Why NHI Security Matters Now point to the same operational issue: identity controls only matter when they measurably reduce exposure.
Passkeys lower phishing and password spraying risk because the credential is bound to the origin and never leaves the authenticator, so there is nothing for a proxy phishing kit to capture or for a spraying tool to guess. That benefit only materialises, however, for accounts where the password has actually been removed or is no longer accepted: an account that is passkey-enrolled but still accepts a password, an SMS code, or a help desk reset as a fallback is exposed exactly as it was before. Organisations therefore need to verify that users are enrolling, using passkeys for primary sign-in, and not being routed back through password resets, SMS fallback, or help desk exceptions. If recovery volumes stay high, the environment is still dependent on legacy authentication paths that attackers routinely exploit. In practice, many security teams discover this only after a phishing campaign, account takeover attempt, or help desk abuse has already exposed the weak link.
How It Works in Practice
Security teams should measure passkey effectiveness through a small set of operational indicators rather than a single adoption percentage. The most useful metrics are the share of enrolled accounts, the percentage of successful sign-ins that use passkeys versus passwords, and the rate of recovery events that bypass the primary factor. Express recovery as a rate (per sign-in or per active account) rather than a raw count, so that growth in the user base does not mask it. That last measure is often the clearest signal of residual risk because it shows where users, support staff, or platform policy are still allowing weaker paths.
A practical review usually combines identity telemetry, help desk workflow data, and authentication logs. Teams should look for:
- Passkey enrollment coverage by workforce segment, application, and device type
- Password sign-in volume after passkey rollout, including legacy protocol traffic that cannot carry a passkey at all (basic-auth mail clients, RADIUS, older application integrations that still prompt for a password)
- Recovery events such as account unlocks, reset links, and escalation to support
- Break-glass or exception accounts that still rely on passwords or shared recovery paths
This is where measurement discipline matters. The Top 10 NHI Issues resource is useful because it highlights the broader pattern: organisations often believe an identity control is “implemented” before they have actually removed fallback exposure. The same logic applies to passkeys. A programme can be technically enabled and still fail to reduce risk if password resets, legacy IdP paths, or admin overrides remain common.
For programme owners, the right question is whether passkeys are becoming the default path under real user conditions, not only in pilot groups. Baselines should be compared month over month, and any spike in recovery or password fallback should be investigated by application, geography, or device posture. These controls tend to break down in mixed-legacy environments where older apps, remote support processes, and unmanaged devices still require password-based exceptions.
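The review described above, as an added example that is not code from the original page: it computes the three indicators (enrollment coverage, passkey share of sign-ins, recovery events per sign-in) from a constructed set of sign-in and recovery events, reports them per segment rather than as an enterprise average, flags month-over-month spikes, and classifies each month as passwordless or still hybrid. The event schema, account list, enrollment snapshots and the 90% / 5% thresholds are assumptions standing in for an identity provider's export; replace the `EVENTS` list with a parser for your own telemetry.

```python
"""Passkey programme indicators computed from constructed identity telemetry.

Added example, not code from the original page. The event schema, account
set and thresholds are assumptions standing in for an IdP's sign-in and
help-desk exports; swap in your own export parser to use it for real.
"""
from collections import Counter, defaultdict, namedtuple

# One record per event: a sign-in (detail = method) or a recovery event (detail = kind).
Event = namedtuple("Event", "month user app device kind detail")

ACCOUNTS = {"alice", "bob", "carol", "dave", "erin"}   # constructed workforce population
ENROLLED_BY_MONTH = {                                   # constructed enrollment snapshots
    "2024-05": {"alice", "bob"},
    "2024-06": {"alice", "bob", "carol"},
}
EVENTS = [Event(*r) for r in [                          # constructed sample telemetry
    ("2024-05", "alice", "mail", "managed",   "signin",   "passkey"),
    ("2024-05", "alice", "erp",  "managed",   "signin",   "password"),   # legacy app
    ("2024-05", "bob",   "mail", "managed",   "signin",   "passkey"),
    ("2024-05", "carol", "mail", "managed",   "signin",   "password"),
    ("2024-05", "carol", "mail", "managed",   "recovery", "reset_link"),
    ("2024-05", "dave",  "vpn",  "unmanaged", "signin",   "password"),   # contractor
    ("2024-05", "dave",  "vpn",  "unmanaged", "recovery", "helpdesk_unlock"),
    ("2024-06", "alice", "mail", "managed",   "signin",   "passkey"),
    ("2024-06", "alice", "erp",  "managed",   "signin",   "passkey"),
    ("2024-06", "bob",   "mail", "managed",   "signin",   "passkey"),
    ("2024-06", "carol", "mail", "managed",   "signin",   "passkey"),
    ("2024-06", "dave",  "vpn",  "unmanaged", "signin",   "password"),
    ("2024-06", "dave",  "vpn",  "unmanaged", "recovery", "helpdesk_unlock"),
    ("2024-06", "dave",  "vpn",  "unmanaged", "recovery", "sms_otp"),
    ("2024-06", "erin",  "mail", "managed",   "signin",   "password"),
    ("2024-06", "erin",  "mail", "managed",   "recovery", "reset_link"),
    ("2024-06", "erin",  "mail", "managed",   "recovery", "reset_link"),
]]


def metrics(events, enrolled, accounts=None):
    """Coverage, passkey share of sign-ins, and recovery events per sign-in for one slice."""
    accounts = accounts or {e.user for e in events}   # default: accounts seen in the slice
    signins = [e for e in events if e.kind == "signin"]
    recoveries = [e for e in events if e.kind == "recovery"]
    methods = Counter(e.detail for e in signins)
    n = len(signins) or 1                               # avoid division by zero on empty slices
    return {
        "enrollment_coverage": len(enrolled & accounts) / (len(accounts) or 1),
        "passkey_share": methods["passkey"] / n,
        "recovery_per_signin": len(recoveries) / n,     # rate, not raw count
        "signin_methods": dict(methods),
        "recovery_kinds": dict(Counter(e.detail for e in recoveries)),
    }


def by_month(events, enrolled_by_month, accounts):
    """Monthly baseline series for month-over-month comparison."""
    return {m: metrics([e for e in events if e.month == m], enrolled_by_month.get(m, set()), accounts)
            for m in sorted({e.month for e in events})}


def by_segment(events, enrolled, key):
    """Report per segment (app, device posture, ...) instead of an enterprise average."""
    groups = defaultdict(list)
    for e in events:
        groups[getattr(e, key)].append(e)
    return {seg: metrics(evs, enrolled) for seg, evs in sorted(groups.items())}


def flag_spikes(monthly, field, max_increase=0.1):
    """Month-over-month jumps in a fallback metric that warrant investigation."""
    months = sorted(monthly)
    return [(cur, field, round(monthly[cur][field] - monthly[prev][field], 3))
            for prev, cur in zip(months, months[1:])
            if monthly[cur][field] - monthly[prev][field] > max_increase]


def programme_state(m, passkey_target=0.9, recovery_ceiling=0.05):
    """Steady-state passwordless vs. still hybrid; thresholds are assumed, tune per population."""
    if m["passkey_share"] >= passkey_target and m["recovery_per_signin"] <= recovery_ceiling:
        return "passwordless"
    return "hybrid"


if __name__ == "__main__":
    monthly = by_month(EVENTS, ENROLLED_BY_MONTH, ACCOUNTS)
    for month, m in monthly.items():
        print(f"{month}: coverage={m['enrollment_coverage']:.0%} passkey_share={m['passkey_share']:.0%} "
              f"recovery/signin={m['recovery_per_signin']:.2f} state={programme_state(m)}")
    print("spikes:", flag_spikes(monthly, "recovery_per_signin"))
    june = [e for e in EVENTS if e.month == "2024-06"]
    for seg, m in by_segment(june, ENROLLED_BY_MONTH["2024-06"], "device").items():
        print(f"  2024-06 device={seg}: passkey_share={m['passkey_share']:.0%} "
              f"recovery/signin={m['recovery_per_signin']:.2f}")
```

On the constructed data, June looks better than May on enrollment and passkey share, yet the recovery rate rises and is flagged; segmenting by device posture shows the whole increase sits in the unmanaged contractor population and in one newly onboarded user, which is the kind of finding an enterprise-wide average would hide.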
Common Variations and Edge Cases
Tighter passkey enforcement often increases operational friction, requiring organisations to balance phishing resistance against user recovery and support overhead. That tradeoff is especially visible during rollout, where some groups can adopt passkeys quickly while others depend on older hardware, shared workstations, or regulated workflows that still need alternate access methods.
Best practice is evolving on how much fallback is acceptable, but there is no universal standard for this yet. Some organisations define success as high passkey enrollment with steadily declining password use. Others require near-total replacement for high-risk populations before they consider the programme effective. The important point is to distinguish transition metrics from steady-state metrics. If password use remains elevated, the programme is still in hybrid mode.
Edge cases matter. Executive users, contractors, and service desks may drive disproportionate recovery activity. High-risk applications may also need stricter thresholds than low-risk internal tools. For that reason, passkey risk reporting should be segmented rather than averaged across the enterprise. The broader NHI security lesson from the 2024 ESG Report: Managing Non-Human Identities is that control effectiveness often degrades when exceptions become normalised, and the same pattern applies to authentication programmes.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance outcomes and authenticator assurance requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA | Passkey telemetry measures whether authentication is actually reducing exposure. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Recovery paths and fallback auth often preserve weak credential exposure. |
| NIST SP 800-63 | AAL2 | Passkeys map to stronger authenticators (synced passkeys can meet AAL2 under the SP 800-63B guidance; device-bound ones may reach higher assurance), but the assurance an account actually has is set by the factor used at sign-in and in recovery, not by what it is enrolled for. |
Track adoption, fallback, and recovery metrics to verify authentication controls lower risk.