By NHI Mgmt Group Editorial Team
Published 2025-10-27
Domain: Governance & Risk
Source: OneSpan

TL;DR: Passkeys have crossed into mainstream use with more than 3 billion active credentials globally, but the hard work now sits in enrollment, recovery, platform variation, and phishing-resistant account lifecycle design, according to OneSpan’s report from FIDO Authenticate 2025. The security shift is no longer about proving passkeys work; it is about removing the fallback paths that quietly preserve password-era risk.


At a glance

What this is: An analysis of what FIDO Authenticate 2025 revealed about passkey deployment at scale, with the key finding that implementation, recovery, and lifecycle design now matter more than the authentication standard itself.

Why it matters: IAM teams are moving from pilot thinking to production governance, where passkeys, recovery flows, and post-login controls must be managed across human, NHI, and emerging agentic identity journeys.

By the numbers:

👉 Read OneSpan's analysis of passkeys at scale and account lifecycle lessons


Context

Passkeys are a phishing-resistant authentication method that replaces passwords with cryptographic credentials bound to a device or authenticator. The primary issue in 2025 is no longer whether the standard works, but whether organisations can deploy it without leaving recovery, enrollment, and session security gaps behind.

For IAM teams, this is a lifecycle problem as much as an authentication problem. The conference material points to a broader reality: secure access now depends on how organisations handle onboarding, device loss, cross-platform use, and post-authentication trust, not just first-time login.


Key questions

Q: How should security teams implement passkeys without weakening account recovery?

A: Security teams should map every recovery path to the assurance it preserves and remove any fallback that depends on phishable methods. If password resets, SMS verification, or informal help-desk processes remain available, passkeys only improve the front door while leaving the side door open. The recovery design has to match the same trust level as the primary sign-in flow.

Q: Why do passkey rollouts often look better on mobile than on desktop?

A: Mobile users are already trained to use biometrics and device-bound authentication, so the interaction feels familiar. Desktop adoption depends more on browser support, platform consistency, and user habit, which creates uneven results across environments. Teams should interpret adoption by channel, not as a single enterprise average.

Q: What do organisations get wrong about phishing-resistant authentication?

A: They often assume that adding a phishing-resistant option is enough. In practice, any remaining phishable recovery or fallback method weakens the whole account model. The control must cover the full lifecycle of access, including enrollment, recovery, and sensitive-session actions, not just the initial login event.

Q: How should IAM teams manage trust after a successful passkey login?

A: IAM teams should treat authentication as the start of a trust decision, not the end. Session protections, fraud detection, and step-up checks for sensitive actions matter because attackers increasingly target tokens and sessions after login. Passkeys reduce password risk, but they do not eliminate downstream session abuse.


Technical breakdown

Passkey enrollment and recovery at scale

Passkey deployment breaks down when organisations treat enrollment as a one-time authentication feature instead of an account lifecycle flow. Users lose devices, switch platforms, and need recovery paths that do not reintroduce phishable methods. The technical challenge is not cryptography. It is orchestration across identity proofing, device binding, help desk recovery, and policy enforcement. If any one of those paths falls back to passwords or SMS, the assurance model collapses into the weakest available option.

Practical implication: map every enrollment and recovery path to the assurance level it actually preserves, then remove fallback methods that undermine passkey assurance.
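One way to make the "weakest available option" rule concrete, as an added example that is not from the article or from OneSpan's material: a small audit that rates every login, enrollment and recovery path by the assurance it preserves and reports the account's effective assurance as the minimum across paths. The method classifications, Assurance levels and path names are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Assurance(IntEnum):
    PHISHABLE = 1           # reusable secret an attacker can capture or talk someone out of
    OTP = 2                 # one-time code: better than a password, still relayable in real time
    PHISHING_RESISTANT = 3  # origin-bound public-key credential, or in-person proofing

# Constructed classification for this example; adapt it to your own assurance model.
METHOD_ASSURANCE = {
    "password": Assurance.PHISHABLE,
    "sms_code": Assurance.PHISHABLE,
    "email_reset_link": Assurance.PHISHABLE,
    "helpdesk_verbal_check": Assurance.PHISHABLE,
    "totp": Assurance.OTP,
    "passkey": Assurance.PHISHING_RESISTANT,
    "in_person_id_proofing": Assurance.PHISHING_RESISTANT,
}
@dataclass(frozen=True)
class AccessPath:
    name: str
    kind: str       # "login", "recovery" or "enrollment"
    methods: tuple  # every method the path requires; all of them must be passed

def path_assurance(path):
    # The attacker must defeat every required method, so a path rates as its strongest one.
    return max(METHOD_ASSURANCE[m] for m in path.methods)

def effective_assurance(paths):
    # The attacker picks the weakest path, so the account is only that strong.
    return min(path_assurance(p) for p in paths)

def audit(paths, target=Assurance.PHISHING_RESISTANT):
    below = [f"{p.kind}:{p.name}" for p in paths if path_assurance(p) < target]
    return {"effective": effective_assurance(paths), "below_target": below}

# Constructed sample: passkey sign-in plus the legacy fallbacks the article warns about.
LEGACY_PATHS = (
    AccessPath("primary sign-in", "login", ("passkey",)),
    AccessPath("lost device", "recovery", ("email_reset_link",)),
    AccessPath("help-desk reset", "recovery", ("helpdesk_verbal_check", "sms_code")),
    AccessPath("new device", "enrollment", ("password", "totp")),
)
# The same account after each fallback is replaced with a phishing-resistant route.
HARDENED_PATHS = (
    AccessPath("primary sign-in", "login", ("passkey",)),
    AccessPath("lost device", "recovery", ("in_person_id_proofing",)),
    AccessPath("help-desk reset", "recovery", ("helpdesk_verbal_check", "in_person_id_proofing")),
    AccessPath("new device", "enrollment", ("passkey",)),  # approved from an already enrolled device
)
```

Running audit() over both sets shows the legacy account rated PHISHABLE despite its passkey login, and the hardened one rated PHISHING_RESISTANT with no paths below target.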

Platform-specific passkey adoption patterns

Passkey adoption is not uniform across devices or user journeys. Mobile tends to outperform desktop because users are already conditioned to biometric unlock and app-based authentication, while desktop environments vary by browser, platform support, and user habit. That means adoption metrics need to be segmented by channel, not averaged into one enterprise number. A rollout that looks weak on desktop may still be healthy if the interaction model matches how users authenticate in each context.

Practical implication: measure passkey uptake by platform and login moment so rollout decisions reflect actual user behaviour rather than blended adoption averages.

Post-authentication trust and session security

Authentication proves the user or device at login, but it does not preserve trust for the rest of the session. Modern attacks target tokens, session state, and recovery flows after the initial challenge succeeds. That is why passkeys should be treated as one layer in a broader access model that includes session protections, fraud detection, and step-up controls for sensitive actions. The operational question is whether the organisation can keep trust intact after the first successful login.

Practical implication: pair passkey adoption with token and session controls so post-login abuse does not become the new bypass path.
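An added illustration, not code from the article or from OneSpan, of the post-login policy this section argues for: lifecycle-changing actions require a recent phishing-resistant assertion, ordinary sessions expire, and a token presented from a client that does not match the binding recorded at login is treated as stolen. The action list, time limits, and the `binding` field are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy: actions that change the account lifecycle (credential binding,
# recovery contacts, money movement) need a recent phishing-resistant assertion.
SENSITIVE_ACTIONS = {"add_passkey", "remove_passkey", "change_recovery_email", "transfer_funds"}
PHISHING_RESISTANT = {"passkey", "hardware_key"}
MAX_SESSION_AGE = timedelta(hours=12)   # ordinary actions
MAX_STEP_UP_AGE = timedelta(minutes=5)  # sensitive actions

@dataclass(frozen=True)
class Session:
    user: str
    auth_method: str            # method used at the most recent authentication event
    authenticated_at: datetime  # UTC time of that event
    binding: str                # hypothetical client binding captured at login (e.g. a hash
                                # of device-bound cookie or TLS material); an assumption here

def decide(session, action, now, presented_binding):
    """Return 'allow', 'step_up', 'reauth' or 'deny' for an action on this session."""
    if presented_binding != session.binding:
        return "deny"          # token presented from another client: treat as theft
    age = now - session.authenticated_at
    if action in SENSITIVE_ACTIONS:
        if session.auth_method not in PHISHING_RESISTANT or age > MAX_STEP_UP_AGE:
            return "step_up"   # fresh passkey assertion required before proceeding
        return "allow"
    return "reauth" if age > MAX_SESSION_AGE else "allow"

# Constructed sample sessions and requests.
T0 = datetime(2025, 10, 27, 9, 0, tzinfo=timezone.utc)
PASSKEY_SESSION = Session("alice", "passkey", T0, "bind-7f3a")
LEGACY_SESSION = Session("bob", "password", T0, "bind-9c1d")  # came in via a fallback path

def sample_decisions():
    return {
        "profile_fresh": decide(PASSKEY_SESSION, "view_profile", T0 + timedelta(minutes=30), "bind-7f3a"),
        "add_passkey_stale": decide(PASSKEY_SESSION, "add_passkey", T0 + timedelta(minutes=30), "bind-7f3a"),
        "add_passkey_fresh": decide(PASSKEY_SESSION, "add_passkey", T0 + timedelta(minutes=2), "bind-7f3a"),
        "stolen_token": decide(PASSKEY_SESSION, "view_profile", T0 + timedelta(minutes=1), "bind-0000"),
        "expired": decide(PASSKEY_SESSION, "view_profile", T0 + timedelta(hours=13), "bind-7f3a"),
        "legacy_sensitive": decide(LEGACY_SESSION, "add_passkey", T0 + timedelta(minutes=1), "bind-9c1d"),
    }
```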




NHI Mgmt Group analysis

Passkeys are now a lifecycle governance problem, not just an authentication upgrade. The article shows that the difficult issues are enrollment, device loss, platform switchovers, and recovery design, not the protocol itself. That means identity teams must stop treating passkeys as a point control and start governing the full account journey. The practitioner conclusion is that authentication assurance is only as strong as the weakest lifecycle fallback.

Authentication without removal of phishable fallback methods is partial assurance. The article’s own example is clear: adding passkeys does not create phishing resistance if SMS recovery, password reset links, or other weaker paths remain. That is a structural governance failure, because the account still contains an attackable alternate path. The practitioner conclusion is that organisations must evaluate the whole recovery chain, not the primary login method alone.

Platform variance is now a measurement problem for identity programmes. The mobile and desktop adoption split shows that success depends on user context, not just feature availability. Teams that report a single passkey adoption figure are likely hiding channel-specific friction that affects rollout quality and support cost. The practitioner conclusion is to govern adoption as a segmented operating model, not a single enterprise KPI.

Complete trust requires identity verification and session defence after login. OneSpan’s framing is consistent with where the market is heading: passkeys solve one step in the chain, but AI-driven fraud and token abuse move the attack surface further downstream. That creates a broader identity control plane where authentication, fraud detection, and session protections must work together. The practitioner conclusion is to design for trust continuity, not login success alone.

From our research:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
  • For the account lifecycle angle, see the Ultimate Guide to NHIs and Why NHI Security Matters Now for the broader access-risk context.

What this signals

Passkey programmes will increasingly be judged by lifecycle integrity, not enrollment counts. The key question for IAM leaders is whether the secure path remains secure after device loss, platform change, and support escalation. That means passkeys should be governed alongside recovery design, session controls, and fraud detection, not as a standalone authentication feature.

Account security is moving toward trust continuity across the full user journey. As attackers shift attention from passwords to tokens and recovery paths, teams need controls that preserve assurance beyond the login screen. For practitioners, the next maturity step is to measure whether the whole account lifecycle remains phishing-resistant rather than whether a passkey prompt exists.


For practitioners

  • Audit every recovery path for phishable fallback methods: trace password resets, SMS recovery, help-desk resets, and alternate verification flows back to the account assurance model. Remove or harden any route that would let a weaker method bypass passkey protections.
  • Segment passkey metrics by platform and login moment: track adoption separately for mobile, desktop, first login, recovery, and repeat sign-in. This shows where users accept passkeys naturally and where UX or browser constraints are slowing production adoption.
  • Treat session security as part of the passkey programme: extend governance beyond enrollment by monitoring token theft, session hijacking, and step-up triggers for high-risk actions. The login event is not the end of the trust decision.
  • Align support and security on device-loss recovery: document the exact help-desk workflow for lost devices, platform switching, and credential rebinds. Recovery should preserve assurance instead of rebuilding the account through a weaker path.

Key takeaways

  • Passkeys are mature enough for scale, but production governance now matters more than protocol awareness.
  • The evidence points to recovery paths, platform differences, and session abuse as the real implementation risks.
  • IAM teams should govern passkeys as part of the full account lifecycle, not as a standalone login control.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework                      Control / Reference   Relevance
NIST SP 800-63                 -                     Passkeys are phishing-resistant authenticators covered by digital identity guidance.
NIST Zero Trust (SP 800-207)   PR.AC-4               Passkey programs still depend on continuous access validation and session trust.
NIST CSF 2.0                   PR.AA-01              This article centers on identity assurance across enrollment, recovery, and session use.

Use phishing-resistant authenticators and align recovery flows to assurance requirements.


Key terms

  • Passkey: A passkey is a phishing-resistant credential that uses public-key cryptography instead of a shared secret like a password. In practice, it binds authentication to a device or authenticator and reduces exposure to credential reuse, but it still depends on secure enrollment, recovery, and session controls.
  • Phishing-resistant authentication: Phishing-resistant authentication is a login method designed so a user cannot easily be tricked into handing over a reusable secret. It lowers classic credential theft risk, but it does not automatically secure recovery flows, device-loss handling, or post-login session abuse.
  • Account lifecycle: Account lifecycle is the full sequence of join, use, recovery, change, and removal for an identity. For passkeys, it includes enrollment, device replacement, credential binding, support escalation, and deprovisioning, because security breaks when any lifecycle step falls back to weaker controls.
  • Session security: Session security is the set of controls that protect an authenticated session after login begins. It matters because attackers often target tokens, cookies, and session state after the primary authentication event, so strong login alone does not guarantee continued trust.

Deepen your knowledge

Passkey enrollment, recovery, and session trust are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a production identity programme from the same starting point, it is worth exploring.

This post draws on content published by OneSpan: FIDO Authenticate 2025 and passkeys at scale. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-10-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org