By NHI Mgmt Group Editorial Team
Published 2024-06-18
Domain: Governance & Risk
Source: 1Kosmos

TL;DR: Identiverse 2024 highlighted passkey interoperability, faster phishing-resistant MFA adoption, and rising pressure to unify verification and authentication as deepfakes and fragmented identity checks complicate trust, according to 1Kosmos. The signal for practitioners is clear: user-friendly assurance and identity proofing are converging, while legacy recovery and step-up patterns look increasingly brittle.


At a glance

What this is: This is a vendor-authored reflection on Identiverse 2024 that surfaces passkey interoperability, phishing-resistant MFA adoption, and the growing overlap between verification and authentication.

Why it matters: It matters because identity teams must now align human authentication, proofing, and recovery flows with phishing-resistant controls, while also planning for deeper trust risks from deepfakes and fragmented identity journeys.

By the numbers:

👉 Read 1Kosmos's Identiverse 2024 takeaways on passkeys and verification


Context

Identiverse 2024 reflects a broader identity governance problem: organisations are trying to improve assurance while users, devices, and recovery paths remain fragmented. Passkeys, identity proofing, and phishing-resistant MFA all target the same core issue, which is how to establish trust without relying on fragile shared secrets or repetitive challenge flows.

For IAM teams, the practical question is no longer whether to adopt stronger authentication, but how to connect authentication, verification, and lifecycle controls across human identities and adjacent trust signals. The conference examples point to a market that is moving toward simpler user journeys and stronger assurance at the same time, which raises the bar for account recovery, enrolment, and exception handling.


Key questions

Q: How should IAM teams roll out passkeys without weakening account recovery?

A: Start by treating recovery as part of the authentication control, not a separate help desk function. Define who can recover accounts, what evidence is required, and which fallback factors are allowed. If the recovery path is weaker than the primary passkey flow, attackers will target the exception rather than the cryptography.

Q: Why do verification and authentication need to be governed together?

A: Because users experience them as one trust journey even when teams own them separately. If proofing, step-up checks, and login are not aligned, a weak onboarding step or an inconsistent recovery process can undermine the strength of the primary authenticator. Governance must cover the handoff points, not just the login screen.

Q: What do teams get wrong about phishing-resistant MFA?

A: They often focus on the factor itself and ignore the exception paths around it. SMS OTP, help desk resets, and device-loss procedures can reintroduce takeover risk even after strong authentication is deployed. The real control question is whether every fallback path is held to a comparable assurance standard.

Q: How can organisations reduce repeated identity verification without losing assurance?

A: By standardising identity evidence across systems so the same subject is not forced to re-prove identity at every touchpoint. Centralised proofing policy, shared assurance signals, and tighter lifecycle governance reduce friction while keeping the trust decision consistent across onboarding, access, and recovery.


Technical breakdown

Passkey interoperability and multi-device flows

FIDO passkeys bind authentication to device-backed cryptographic keys rather than reusable passwords or shared secrets. Multi-device support matters because users increasingly move between phones, laptops, and password managers, so the identity system must preserve possession-based assurance without making recovery fragile. Interoperability between keychains reduces lock-in at the user layer, but it also changes the operational model for IAM because credentials become portable across approved ecosystems rather than anchored to one device. That increases the importance of registration policy, attestation confidence, and device-bound recovery paths.

Practical implication: IAM teams should validate how passkeys are enrolled, recovered, and transferred before expanding rollout beyond a pilot.

Phishing-resistant MFA versus legacy second factors

Phishing-resistant MFA changes the trust model by removing the reusable secret from the user challenge. Unlike SMS OTP or security questions, the private key never leaves the authenticator and the response is bound to the origin of the request. That reduces replay and credential interception risk, but it does not eliminate lifecycle issues such as account recovery, lost-device handling, or bypass paths created for edge cases. In practice, the strength of the factor can be undermined by weak exception handling rather than by the cryptography itself.

Practical implication: treat exception flows as part of the control, not as an administrative afterthought.
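Both passages above describe the same mechanism: the private key stays on the authenticator, and the signed response carries the challenge and the origin the browser saw, so the relying party can reject replayed and relayed logins. The Python below is an added illustration written for this post, not code from 1Kosmos, NHI Mgmt Group or any FIDO library. It simulates a browser, an authenticator and a relying party in one process, using the hypothetical relying-party id login.example.com, a constructed look-alike origin, and a deliberately small textbook-RSA key built from two Mersenne primes as a stand-in for the authenticator's real P-256, Ed25519 or RSA key (so it runs on the standard library alone). The browser-side rpId/origin check that a real browser performs is omitted so that the relying-party checks are what decide each case.

```python
import base64
import hashlib
import json
import secrets

RP_ID = "login.example.com"                      # hypothetical relying party id
ALLOWED_ORIGINS = {"https://login.example.com"}  # origins the RP will accept

# Toy textbook-RSA key from two known Mersenne primes. It stands in for the
# authenticator's real key so the file needs only the standard library; it is
# far too small to be secure and exists only to make signatures checkable here.
_P, _Q, _E = 2**61 - 1, 2**89 - 1, 65537
_N = _P * _Q
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
PUBLIC_KEY = (_N, _E)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hash_to_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % _N


def toy_verify(data: bytes, sig: int, public_key=PUBLIC_KEY) -> bool:
    n, e = public_key
    return pow(sig, e, n) == _hash_to_int(data)


class Authenticator:
    """Simulated FIDO authenticator: the private exponent never leaves it."""

    def __init__(self):
        self.counter = 0

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        self.counter += 1
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        flags = bytes([0x01 | 0x04])  # UP (user present) | UV (user verified)
        auth_data = rp_id_hash + flags + self.counter.to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, pow(_hash_to_int(signed), _D, _N)


def browser_client_data(challenge: bytes, origin: str) -> bytes:
    """What gets signed over: the RP's challenge plus the origin the browser saw."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}, separators=(",", ":")).encode()


class RelyingParty:
    def __init__(self, rp_id, allowed_origins, public_key):
        self.rp_id, self.public_key = rp_id, public_key
        self.allowed_origins = set(allowed_origins)
        self.pending = {}   # challenge -> username, consumed on first use
        self.counters = {}  # username -> last accepted signature counter

    def begin_login(self, username: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending[challenge] = username
        return challenge

    def finish_login(self, username, client_data_json, auth_data, sig):
        cd = json.loads(client_data_json)
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if self.pending.pop(b64url_decode(cd.get("challenge", "")), None) != username:
            return False, "unknown or already-used challenge"  # stops replay
        if cd.get("origin") not in self.allowed_origins:
            return False, "origin not allowed"                  # stops relay
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        if not auth_data[32] & 0x01:
            return False, "user presence not asserted"
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        if not toy_verify(signed, sig, self.public_key):
            return False, "signature invalid"
        counter = int.from_bytes(auth_data[33:37], "big")
        if counter <= self.counters.get(username, 0):
            return False, "signature counter did not increase"  # cloned key hint
        self.counters[username] = counter
        return True, "ok"


def demo() -> dict:
    auth, rp, out = Authenticator(), RelyingParty(RP_ID, ALLOWED_ORIGINS, PUBLIC_KEY), {}
    # genuine sign-in from the real origin
    ch = rp.begin_login("alice")
    cd = browser_client_data(ch, "https://login.example.com")
    ad, sig = auth.get_assertion(RP_ID, cd)
    out["genuine"] = rp.finish_login("alice", cd, ad, sig)
    # the same assertion presented again: the challenge was single-use
    out["replay"] = rp.finish_login("alice", cd, ad, sig)
    # assertion produced while the page origin is a constructed look-alike
    ch = rp.begin_login("alice")
    cd = browser_client_data(ch, "https://login.example.com.evil.test")
    ad, sig = auth.get_assertion(RP_ID, cd)
    out["relayed_origin"] = rp.finish_login("alice", cd, ad, sig)
    # authenticatorData altered in transit: the signature no longer covers it
    ch = rp.begin_login("alice")
    cd = browser_client_data(ch, "https://login.example.com")
    ad, sig = auth.get_assertion(RP_ID, cd)
    out["tampered"] = rp.finish_login("alice", cd, ad[:-1] + bytes([ad[-1] ^ 0xFF]), sig)
    return out
```

Calling demo() produces four outcomes: the genuine sign-in succeeds, the same assertion presented a second time fails because its challenge was consumed, an assertion built on the look-alike origin fails the origin check even though its signature is valid, and altered authenticator data fails signature verification. None of these checks say anything about how the credential was enrolled, transferred or recovered, which is the section's point: the lifecycle around the factor needs its own controls.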

Verification and authentication are converging

Identity verification establishes who the subject is, while authentication proves that the same subject is present at login time. The conference theme suggests those two layers are increasingly being designed as one trust journey, especially where deepfakes and repeated proofing create friction. That convergence is useful, but it also creates governance pressure because the assurance standard must hold across onboarding, step-up checks, and recovery. Once proofing and login are tightly linked, any weakness in identity evidence can cascade into account takeover or fraudulent recovery.

Practical implication: align proofing, step-up authentication, and recovery governance so assurance does not weaken at the handoff points.


NHI Mgmt Group analysis

Passkeys are becoming a governance problem, not just an authentication upgrade. The conference examples show that usability gains are now tied directly to policy decisions about enrolment, device transfer, and recovery. That means IAM teams have to think about how assurance survives across the full lifecycle of the credential, not only at the moment of login. Practitioners should treat passkey rollout as an identity programme design issue, not a factor swap.

Verification and authentication are collapsing into one trust journey. That is the right direction for user experience, but it also means a weak proofing step can contaminate later access decisions. In high-friction environments, organisations often separate onboarding, verification, and authentication ownership, which creates blind spots when a single identity journey spans all three. Practitioners should align ownership across those handoffs before scaling passkey or passwordless programmes.

Deepfake pressure exposes the limits of repeated identity proofing. The keynote theme is not just about stronger authentication, but about reducing the number of times a person must re-prove identity across systems. That points to a broader identity fragmentation problem: when the same subject is checked multiple times with inconsistent evidence standards, assurance becomes uneven and user trust degrades. Practitioners should rationalise proofing points and remove redundant identity challenges where possible.

Phishing-resistant MFA only works when recovery is equally disciplined. Security teams often harden the primary sign-in path while leaving fallback flows softer than the rest of the control stack. That is where attackers look for account takeover opportunities. Practitioners should treat password resets, device replacement, and escalation paths as first-class security controls with the same assurance standard as the primary factor.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
  • For the broader governance model behind identity lifecycle and access control, see Ultimate Guide to NHIs.

What this signals

Passkey adoption will expose governance maturity gaps faster than authentication teams expect. When users can move between devices and keychains more easily, the real differentiator becomes how well the organisation controls enrolment, transfer, recovery, and exception handling. That is why the operational centre of gravity is shifting from password replacement to trust orchestration across identity journeys.

Identity programmes should prepare for a convergence of user assurance and abuse prevention. The more organisations rely on passwordless flows and stronger proofing, the more attractive fallback channels become to attackers. Service desks, recovery workflows, and account exception processes need to be designed with the same scrutiny as primary login, because that is where the assurance model usually breaks.

Visibility is still the limiting factor in non-human identity governance. Only 5.7% of organisations have full visibility into their service accounts, per the Ultimate Guide to NHIs, which is a reminder that human identity innovation will not compensate for weak machine identity control. Practitioners should expect pressure to align passwordless strategy with broader identity inventory and access governance work, not treat them as separate initiatives.


For practitioners

  • Map the full passkey lifecycle: Document enrolment, transfer, device replacement, and recovery for every passkey deployment so that policy decisions are explicit before scale. Include help desk steps, exception handling, and who can approve recovery.
  • Harden fallback identity proofing: Review every non-passkey fallback path, especially security questions, SMS OTP, and manual support resets, and set a higher assurance bar for those flows. The weakest step in the journey should not govern the strongest factor.
  • Consolidate repeated verification points: Identify where users are asked to prove identity multiple times across onboarding, authentication, and account recovery, then remove duplicate checks that add friction without improving assurance.
  • Test deepfake-resistant support workflows: Run support simulations that assume voice, image, or social-engineering impersonation so your service desk can recognise when identity evidence has been manipulated. Escalation rules should require stronger confirmation for high-risk recovery requests.

Key takeaways

  • Passkeys improve authentication, but the real governance challenge is controlling enrolment, transfer, and recovery across the full identity journey.
  • The conference examples show that assurance is converging with user experience, which makes fallback paths and support workflows more important, not less.
  • Identity teams should use passwordless adoption as a trigger to rationalise proofing, reduce duplicate checks, and harden exception handling.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST SP 800-63 |  | Passkeys and verification map directly to digital identity assurance and authentication.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero trust requires continuous, trustworthy identity signals across login and recovery.
NIST CSF 2.0 | PR.AC-1 | Authentication and access control governance are central to the identity journey discussed here.

Align enrolment, recovery, and assurance levels to NIST 800-63 guidance before expanding passwordless access.


Key terms

  • Passkey: A passkey is a phishing-resistant credential that uses public-key cryptography instead of a reusable password. The private key stays on the authenticator, while the public key is registered with the service, which reduces replay risk and makes the enrolment, transfer, and recovery process the main governance concern.
  • Phishing-resistant MFA: Phishing-resistant MFA is a multi-factor method that cannot be easily replayed, intercepted, or relayed by an attacker. It usually relies on cryptographic binding to the legitimate origin or device, which makes the authentication factor stronger but leaves fallback and recovery paths as the most likely point of failure.
  • Identity proofing: Identity proofing is the process of establishing that a person is who they claim to be before granting access or setting up an account. In mature programmes, proofing evidence, assurance level, and recovery rules are governed together so that weak verification does not undermine later authentication decisions.
  • Account recovery: Account recovery is the process used to restore access when a user loses a factor, device, or credential. It is often the weakest part of the identity lifecycle, because organisations may allow lower-assurance checks that bypass the protections used during normal sign-in.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.

This post draws on content published by 1Kosmos: Identiverse 2024 takeaways on passkeys, verification, and digital identity. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2024-06-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org