TL;DR: Passkeys and FIDO standards are broadly understood, but RSAC 2026 conversations highlighted that deployment still breaks on enrolment, device strategy, recovery, and lifecycle management, according to OneSpan. The real problem is not whether passkeys work, but whether organisations can bind them cleanly into existing identity operations across people, devices, and sessions.
At a glance
What this is: This recap argues that passkeys are no longer a concept problem, but an execution problem defined by identity binding, rollout design, and lifecycle controls.
Why it matters: For IAM teams, the lesson is that phishing resistance only becomes useful when enrolment, recovery, shared-device handling, and session governance are operationally sound across human and NHI-style identity workflows.
👉 Read OneSpan's recap of RSAC 2026 passkey execution and authentication trends
Context
Passkeys are a phishing-resistant authentication method, but the operational challenge is not the cryptography. The harder problem is how to bind the credential to the right identity, distribute it across devices, recover it safely, and keep it governable over time in a real enterprise environment.
The article places that challenge in the broader identity programme, where authentication now sits alongside session security, transaction risk, and the growing presence of AI systems and agents in the identity landscape. That makes workforce passkeys a governance issue, not just a login upgrade.
Key questions
Q: How should organisations roll out passkeys across a mixed workforce environment?
A: Start by segmenting the workforce into use cases such as managed endpoints, shared devices, contractors, and higher-assurance roles. Then define enrolment, recovery, and fallback rules for each segment before broad rollout. A single passkey pattern rarely fits every environment, and lifecycle exceptions are where deployment usually fails.
Q: Why do passkey programmes fail even when the underlying technology works?
A: They fail when the operating model is incomplete. Common breakpoints include identity binding, recovery paths, device coverage, and offboarding. The cryptography may be sound, but the programme still collapses if users cannot enrol cleanly, recover safely, or be removed without leaving authentication gaps.
Q: How can security teams know whether passkey adoption is actually improving security?
A: Look for fewer phishing-driven account compromises, lower reliance on password resets, and consistent enrolment success across user groups. Also check whether recovery and device-change scenarios remain controlled, because a passkey programme that works only in the happy path is not mature.
Q: How do continuous authentication and passkeys fit together in IAM programmes?
A: Passkeys solve the authentication step, but they do not complete the security model. Teams still need session controls, transaction validation, and real-time risk assessment after login. The practical test is whether access remains trustworthy after authentication, not just during it.
Technical breakdown
Identity binding and credential strategy for passkeys
Passkey deployment fails when teams treat the authenticator as the product rather than the identity binding behind it. A passkey must be tied to the right user, device, recovery path, and lifecycle process, otherwise enrolment becomes inconsistent and support-heavy. In practice, the design choice is not just platform authenticator versus hardware key. It is how the credential will be issued, recovered, re-bound, and retired across managed endpoints, shared devices, and contractor scenarios.
Practical implication: define the binding model before rollout so enrolment, recovery, and offboarding all use the same governance path.
Why passkey rollout breaks in shared-device environments
Shared devices, contractor access, and high-assurance use cases expose the limits of a narrow platform-authenticator model. These environments often need stronger device assurance, clearer separation of user state, and more explicit lifecycle handling than a standard consumer-style flow provides. Hardware authenticators may be the better fit when the operational requirement is not convenience alone, but predictable control over who can authenticate, on what device, and under what policy.
Practical implication: segment deployment by use case instead of forcing one passkey pattern across the entire workforce.
Continuous authentication, sessions, and transaction risk
The post reflects a broader shift away from point-in-time authentication toward continuous, context-aware security. That means authentication is no longer the end state; it is the entry condition for session monitoring, transaction validation, and real-time risk decisions. As AI and agentic systems become part of the identity landscape, the control question extends beyond login to how trust is maintained after access is granted.
Practical implication: pair passkeys with session and transaction controls so strong login does not become the only security boundary.
Breaches seen in the wild
- MongoBleed breach: MongoBleed exposed secrets across 87K MongoDB servers.
- Shai Hulud npm malware campaign: npm malware exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Passkey programmes fail on execution design, not on authentication science. The article is clear that FIDO standards and hardware authentication have strong awareness, yet deployment still lags because the surrounding operating model is underspecified. That is an identity governance problem, not a cryptography problem. Teams that treat passkeys as a swap for passwords miss the actual work of binding, recovery, device coverage, and lifecycle control.
Passkey deployment gap: The named concept here is the gap between credential capability and enterprise operability. Passkeys can be technically sound and still fail at scale if enrolment, fallback, and offboarding are not designed together. Practitioners should read that as a warning that authentication success does not equal programme success, especially in mixed device estates.
Continuous authentication is becoming part of identity governance, not a separate security layer. The article’s shift from login to sessions and transactions shows that authentication controls are being asked to sustain trust after initial access. That widens the scope of IAM beyond the login moment and into policy enforcement, risk signals, and behavioural continuity. Practitioners should align authentication design with post-login governance, not isolate it as a front-door control.
AI systems entering the identity landscape raise the floor for governance consistency. The article links agentic AI to the same broader security conversation as passkeys, which is a signal that identity controls now have to work across human users, machine access patterns, and emerging autonomous behaviour. Even when the immediate subject is workforce authentication, the governance lesson is that programme design must survive identity diversity. Practitioners should assume one control model will not fit every actor type.
From our research:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which shows how quickly identity sprawl outpaces governance.
- The next control question is not whether passwordless is available, but whether lifecycle and visibility controls can keep up, as explored in Top 10 NHI Issues.
What this signals
Passkey rollout is becoming a governance programme, not a point solution. The organisations that succeed will treat enrolment, recovery, and device changes as first-class identity events, not edge cases. That is where the operational maturity gap appears, and it is why passkey projects stall even after technical selection is complete.
Identity teams should expect authentication to merge with session control and risk decisioning. Once strong login is normalised, the differentiator moves to what happens after authentication. Programmes that do not connect passkeys to session assurance and transaction review will leave the most important part of trust unmanaged.
As AI systems and other non-human actors become part of the identity landscape, the same governance discipline will need to hold across multiple actor types. That makes passkey strategy a useful stress test for broader identity architecture, especially where human and machine access patterns now intersect.
For practitioners
- Define the passkey binding model: Map how each workforce identity is enrolled, re-bound, recovered, and retired. Make device state, fallback authentication, and offboarding part of the same control path so support teams do not improvise exceptions.
- Segment rollout by use case: Separate managed endpoints, shared devices, contractors, and high-assurance users into different deployment patterns. Use hardware authentication where device control and assurance matter more than convenience.
- Extend governance beyond the login moment: Link authentication decisions to session monitoring, transaction checks, and real-time risk signals so a successful login does not become the only control boundary.
- Review lifecycle controls before scaling: Test whether enrolment and recovery flows still work when a user changes devices, leaves the organisation, or loses access. If the lifecycle breaks, the passkey programme will break with it.
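To make the binding and lifecycle rules above concrete, here is an added example (not OneSpan's or NHIMG's code) that encodes per-segment enrolment rules, retires the password fallback on the same control path as enrolment, and audits an identity for lifecycle drift after a segment change or offboarding. The segment policies, recovery-path names and the Authenticator attributes are assumptions for illustration; the attachment, backup-eligible and attestation fields mirror what a WebAuthn relying party learns at registration.

```python
from dataclasses import dataclass, field

# Workforce segments named in the recap; the rules attached to them are assumed policy.
POLICY = {
    "managed_endpoint": dict(platform=True,  synced=True,  attested=False, recovery="helpdesk_verified"),
    "shared_device":    dict(platform=False, synced=False, attested=True,  recovery="reissue_hardware_key"),
    "contractor":       dict(platform=True,  synced=False, attested=False, recovery="sponsor_approval"),
    "high_assurance":   dict(platform=False, synced=False, attested=True,  recovery="in_person_reenrol"),
}

@dataclass(frozen=True)
class Authenticator:
    """What the relying party learns at registration (WebAuthn terms)."""
    attachment: str        # "platform" or "cross-platform"
    backup_eligible: bool  # BE flag: the passkey can sync to other devices
    attested: bool         # attestation verified against an allow-list of authenticator models

@dataclass
class Identity:
    user: str
    segment: str
    credentials: dict = field(default_factory=dict)  # credential_id -> recovery path bound at enrolment
    password_fallback: bool = True                   # legacy path; retired once a passkey is bound

def check_enrolment(segment: str, auth: Authenticator):
    """Return (allowed, reason or recovery path) under the segment's binding rules."""
    p = POLICY[segment]
    if auth.attachment == "platform" and not p["platform"]:
        return False, "platform authenticator not permitted"
    if auth.backup_eligible and not p["synced"]:
        return False, "synced passkey not permitted"
    if p["attested"] and not auth.attested:
        return False, "attestation required"
    return True, p["recovery"]

def enrol(identity: Identity, cred_id: str, auth: Authenticator) -> bool:
    ok, detail = check_enrolment(identity.segment, auth)
    if ok:
        identity.credentials[cred_id] = detail
        identity.password_fallback = False  # the same control path retires the fallback
    return ok

def offboard(identity: Identity) -> None:
    identity.credentials.clear()
    identity.password_fallback = False

def audit(identity: Identity) -> list:
    """Lifecycle gaps: binding drift after a segment change, and an unmanaged fallback route."""
    expected = POLICY[identity.segment]["recovery"]
    gaps = [f"{cid}: recovery path {path!r} no longer matches segment"
            for cid, path in identity.credentials.items() if path != expected]
    if identity.password_fallback and identity.credentials:
        gaps.append("password fallback still live alongside passkeys")
    return gaps
```

Running audit() after every segment change and offboarding event is the "review lifecycle controls before scaling" step expressed as a check rather than a checklist.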
Key takeaways
- Passkeys do not fail because the crypto is weak, but because the rollout model is incomplete.
- The problem is operational in scale: most failures trace to identity binding, recovery, and device handling.
- Teams should govern passkeys as part of the full identity lifecycle, not as a one-time authentication upgrade.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63B (authentication and lifecycle management) | Passkeys sit inside digital identity assurance and authentication lifecycle decisions. |
| NIST CSF 2.0 | PR.AA-1 | Authentication governance depends on verified access mechanisms and controlled fallback. |
| NIST Zero Trust (SP 800-207) | IA-2 | Continuous context-aware access aligns with zero trust verification patterns. |
Extend passkeys into post-login verification so authentication becomes one input to ongoing access decisions.
Key terms
- Passkey Binding: Passkey binding is the process of tying a phishing-resistant credential to a specific identity, device, and recovery path. In enterprise use, the binding must survive enrolment, device replacement, and offboarding without creating unmanaged fallback routes or support-driven exceptions.
- Continuous Authentication: Continuous authentication is a model where trust is re-evaluated after login based on session, device, and transaction signals. It treats authentication as an entry condition rather than a one-time event, which makes post-login policy and risk controls part of the identity stack.
- Identity Lifecycle Governance: Identity lifecycle governance is the set of controls that manage how identities are enrolled, changed, recovered, reviewed, and removed. For passkeys, it determines whether credential state remains aligned with the user’s current access, device, and employment context.
Deepen your knowledge
Passkey deployment and identity binding are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building authentication governance across mixed device and access scenarios, it is worth exploring.
This post draws on content published by OneSpan: RSAC 2026 recap on moving passkeys from direction to execution. Read the original.
Published by the NHIMG editorial team on 2026-04-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org