By NHI Mgmt Group Editorial Team
Published 2026-05-04
Domain: Governance & Risk
Source: OneSpan

TL;DR: Passkeys are moving from niche authentication option to mainstream IAM discussion, with OneSpan citing Gartner data that 72% of authentication-related inquiries in 2025 were about passwordless authentication and noting a 93% login success rate for passkeys versus 63% for passwords. Passwordless change is no longer just a UX decision, because it reshapes authentication resilience, rollout strategy, and control boundaries across consumer and workforce identity.


At a glance

What this is: This newsletter argues that passkeys are becoming a practical alternative to passwords and that successful rollout depends on choosing the right passkey model and deployment path.

Why it matters: It matters because authentication teams now need to balance usability, phishing resistance, device control, and regulatory fit across human identity programmes, including high-assurance and consumer environments.



Context

Passkeys are phishing-resistant authentication credentials tied to a device or synced account rather than a reusable password. In practice, they are being positioned as a way to reduce password reset burden, improve login success, and lower exposure to common credential attack paths in consumer and workforce environments.

For IAM teams, the real issue is not whether passwords are flawed, but how to transition authentication without breaking user journeys or overcorrecting on control. The article frames passkeys as a deployment decision with usability, security, and operational trade-offs, especially in regulated environments where authentication cannot fail.


Key questions

Q: How should organisations roll out passkeys without disrupting existing login flows?

A: Start by adding passkeys alongside current authentication methods, then use adoption and recovery data to decide when to reduce password dependence. The rollout should be phased by user group and application risk, with clear fallback and support paths so users are not forced into brittle recovery journeys.

Q: When do passkeys work best for regulated or high-assurance environments?

A: Passkeys are most useful when authentication must be resistant to phishing and password reuse, especially where login failure has direct business or compliance impact. Device-bound models usually fit tighter assurance needs, while syncable models may suit broader user populations that need more portability.

Q: What do security teams get wrong about passwordless authentication?

A: The most common mistake is treating passwordless as a user-experience upgrade instead of an identity control change. Teams often focus on the login screen and ignore recovery, lifecycle governance, and fallback authentication, which is where many of the real risks emerge.

Q: Should organisations build or buy a passkey solution?

A: Choose based on operating capacity, not ideology. Building can give tighter control and customisation, but it demands more engineering and governance ownership. Buying can speed deployment, but the organisation still has to own policy, recovery, assurance, and long-term authentication strategy.


Technical breakdown

Passkeys, syncable credentials and device-bound credentials

Passkeys are FIDO credentials stored on a computer, phone, or hardware device, but the control model changes depending on whether they are syncable or device-bound. Syncable passkeys improve portability because the credential can move across devices through the platform ecosystem, while device-bound passkeys preserve tighter device-level control. The security question is not just whether the login is passwordless, but how much account portability the organisation is willing to permit, and what recovery path exists when a device is lost or replaced.

Practical implication: choose the passkey model based on user risk, recovery tolerance, and regulatory constraints rather than defaulting to one credential type.
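The syncable versus device-bound distinction above is something a relying party can only partly request up front and must verify after the fact. The following is an added example, not code from the original page or from OneSpan: it builds WebAuthn registration options per risk tier and then reads the backup-eligibility (BE) and backup-state (BS) bits of the returned authenticator data flags, which is how a server learns whether the credential it just enrolled is a multi-device (syncable) passkey. The risk tiers, the policy table, the sample authenticator data bytes and the helper names are assumptions constructed for illustration.

```javascript
// Added example (not from the page or OneSpan): relying-party-side helpers for
// enforcing a passkey model per risk tier. Tiers and thresholds are assumptions.
const RISK_TIER_POLICY = {
  // High assurance: require user verification and refuse backup-eligible
  // (syncable) credentials at enrolment so the credential stays device-bound.
  high: { requireUserVerification: true, allowSyncable: false },
  // Standard population: syncable passkeys accepted for portability/recovery.
  standard: { requireUserVerification: true, allowSyncable: true },
};

// Build PublicKeyCredentialCreationOptions for navigator.credentials.create().
// Note: the options can express attachment and user verification, but there is
// no option that forbids syncing; that has to be checked on the response.
function buildCreationOptions(tier, rp, user, challenge) {
  const policy = RISK_TIER_POLICY[tier];
  if (!policy) throw new Error(`unknown risk tier: ${tier}`);
  return {
    rp,
    user,
    challenge,
    pubKeyCredParams: [
      { type: 'public-key', alg: -7 },   // ES256
      { type: 'public-key', alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      residentKey: 'required', // discoverable credential, i.e. a passkey
      userVerification: policy.requireUserVerification ? 'required' : 'preferred',
      // Assumption: the high tier steers users to a roaming hardware authenticator.
      ...(policy.allowSyncable ? {} : { authenticatorAttachment: 'cross-platform' }),
    },
    // Attestation lets the server identify the authenticator model for high tiers.
    attestation: policy.allowSyncable ? 'none' : 'direct',
  };
}

// Parse the fixed header of WebAuthn authenticator data:
// rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian).
function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error('authenticator data too short');
  const flags = authData[32];
  const signCount =
    ((authData[33] << 24) | (authData[34] << 16) | (authData[35] << 8) | authData[36]) >>> 0;
  const parsed = {
    rpIdHash: authData.slice(0, 32),
    userPresent: !!(flags & 0x01),               // UP
    userVerified: !!(flags & 0x04),              // UV
    backupEligible: !!(flags & 0x08),            // BE: multi-device (syncable)
    backedUp: !!(flags & 0x10),                  // BS: currently backed up
    attestedCredentialIncluded: !!(flags & 0x40), // AT
    signCount,
  };
  // The spec forbids BS=1 with BE=0; treat it as a malformed response.
  if (!parsed.backupEligible && parsed.backedUp) {
    throw new Error('invalid flags: backup state set without backup eligibility');
  }
  parsed.credentialModel = parsed.backupEligible ? 'syncable' : 'device-bound';
  return parsed;
}

// Decide whether the enrolled credential satisfies the tier's policy.
function evaluateEnrolment(tier, authData) {
  const policy = RISK_TIER_POLICY[tier];
  if (!policy) throw new Error(`unknown risk tier: ${tier}`);
  const p = parseAuthenticatorData(authData);
  const reasons = [];
  if (!p.userPresent) reasons.push('user presence not asserted');
  if (policy.requireUserVerification && !p.userVerified) reasons.push('user verification required');
  if (!policy.allowSyncable && p.backupEligible) reasons.push('syncable passkey not permitted for this tier');
  return { accepted: reasons.length === 0, model: p.credentialModel, signCount: p.signCount, reasons };
}

// Constructed sample authenticator data (not captured from a real device):
// placeholder rpIdHash, caller-supplied flags, signCount = 1.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf.fill(0xab, 0, 32);
  buf[32] = flags;
  buf[36] = 1;
  return buf;
}

const FLAGS_SYNCED_UV = 0x01 | 0x04 | 0x08 | 0x10; // UP+UV+BE+BS = 0x1d
const FLAGS_DEVICE_BOUND_UV = 0x01 | 0x04;         // UP+UV = 0x05

// Usage: a synced passkey is refused for the high tier but accepted for standard.
console.log(evaluateEnrolment('high', sampleAuthData(FLAGS_SYNCED_UV)));
console.log(evaluateEnrolment('high', sampleAuthData(FLAGS_DEVICE_BOUND_UV)));
console.log(evaluateEnrolment('standard', sampleAuthData(FLAGS_SYNCED_UV)));
```

The design point is that "choose the passkey model" has to be enforced at enrolment time from the authenticator's own flags (and, for the high tier, its attestation), because the request options alone cannot prevent a platform authenticator from creating a syncable credential. The parsed flags are also what a server would log to know, later, which recovery path applies when a device is lost.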

Passwordless authentication at scale

Passwordless adoption is less about replacing one factor with another and more about changing the operating model for identity proofing, sign-in, and recovery. The article points to staged adoption alongside existing methods, which is how most large enterprises reduce friction during migration. The architectural challenge is coexistence: teams must support old and new methods long enough to avoid lockout risk, but not so long that password fallback becomes the de facto standard.

Practical implication: design a phased rollout with explicit fallback rules, recovery handling, and adoption metrics before broad enforcement.

Build versus buy for passkey deployment

A passkey programme is not only an authentication choice. It is also a delivery choice that affects scalability, engineering effort, time to market, and long-term flexibility. Building in-house can increase control but requires more integration work across apps, devices, and recovery flows. Buying can accelerate delivery, but teams still have to own policy, assurance, and governance decisions because the authentication boundary remains part of the organisation's risk model.

Practical implication: evaluate passkey delivery as an identity architecture decision, not as a pure product-selection exercise.




NHI Mgmt Group analysis

Passkeys are becoming an authentication control, not a niche UX enhancement. The article reflects a broader shift in identity programmes: authentication is being judged by its ability to reduce phishing exposure, lower operational burden, and improve sign-in success at scale. That puts passkeys into the centre of IAM design rather than the edge of consumer convenience. Practitioners should treat passwordless migration as a core control conversation, not a pilot.

Passkey rollout exposes the difference between stronger login and stronger governance. A passwordless flow can improve sign-in outcomes while still leaving recovery, device change, and step-up policy as weak points. That is why passkey programmes need lifecycle thinking, not just authentication engineering. Teams that only measure login success risk missing whether recovery paths have become the new weakest link.

Syncable and device-bound passkeys create different governance models. The same credential family can either reduce friction through portability or increase control through device binding. That difference matters for regulated environments, high-assurance use cases, and mixed consumer-workforce estates. A single passkey policy is usually too blunt for environments with different risk tolerances.

Build-versus-buy is really an operating-model decision for identity teams. The article correctly frames scalability and flexibility as decision factors, because authentication programmes fail when engineering effort, policy ownership, and user support are treated as separate concerns. The practical test is whether the organisation can own rollout, recovery, and assurance as one control system.

Authentication success rate is now a governance metric: teams should stop treating user login reliability as a support issue and start treating it as a control signal. When authentication failure is high, users route around policy, reset costs increase, and security posture weakens. IAM leaders should use sign-in success as evidence of whether the chosen authentication model is operationally viable.

From our research:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
  • For the broader control picture, see Ultimate Guide to NHIs for the lifecycle and governance model that sits behind passwordless and machine identity decisions.

What this signals

Passkey adoption is a reminder that authentication programmes now sit at the intersection of UX, assurance, and lifecycle control. Teams that modernise login without rethinking recovery and enrolment are likely to shift risk rather than remove it. The next phase of identity governance will be defined by whether passwordless is managed as a control plane, not a feature rollout.

Authentication success rate is becoming an operational signal that deserves the same attention as phishing resistance. If users cannot sign in reliably, they will adopt workarounds, and security teams will inherit the support cost later. In that sense, passkey strategy is as much about reducing failure modes as it is about removing passwords.

For teams managing human and non-human identity together, the lesson is broader: credentials only improve security when the lifecycle around them is governed. The same discipline that limits standing access and unmanaged secrets also determines whether passwordless schemes remain durable as environments and device fleets change.


For practitioners

  • Map passkey type to risk tier: Use device-bound passkeys where control and assurance matter most, and reserve syncable passkeys for user groups where portability and recovery are more important. Document the decision by identity population, not by application alone.
  • Stage passwordless rollout beside existing methods: Introduce passkeys in parallel with current authentication paths, then gradually reduce password dependence as adoption and recovery performance stabilise. Track sign-in success, support contacts, and fallback usage during each phase.
  • Redesign account recovery before enforcing passwordless: Review lost-device handling, re-enrolment, help desk verification, and step-up recovery so that passwordless does not shift risk into weak fallback processes. Recovery is part of the authentication control, not an afterthought.
  • Use measurable rollout criteria for approval: Set thresholds for adoption, login success, and support burden before expanding passkeys to more applications or user groups. That prevents the programme from becoming a technology experiment without governance.

Key takeaways

  • Passkeys are moving authentication decisions from password replacement to identity control design, which changes how IAM teams should evaluate rollout success.
  • The strongest evidence in the newsletter is operational, not promotional: passkeys improve login reliability and align with a broader market shift toward passwordless authentication.
  • Organisations should treat recovery, fallback, and deployment sequencing as part of the authentication control, because that is where passwordless programmes either hold or fail.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework                      | Control / Reference | Relevance
-------------------------------|---------------------|-----------------------------------------------------------------------------------------------
NIST SP 800-63                 |                     | Passwordless authentication and federation decisions map directly to digital identity assurance.
NIST Zero Trust (SP 800-207)   | PR.AC-4             | Passkeys support continuous access decisions under zero trust, especially for step-up flows.
NIST CSF 2.0                   | PR.AA-01            | Authentication strength and recovery design fit identity management under the Protect function.

Align passkey enrolment and recovery with NIST 800-63 assurance requirements and fallback verification.


Key terms

  • Passkey: A passkey is a phishing-resistant digital credential used to replace or supplement a password. It is typically stored on a device or synced through a platform account and relies on cryptographic authentication rather than shared secrets. In identity programmes, the governance question is how the credential is enrolled, recovered, and controlled over time.
  • Syncable Passkey: A syncable passkey is a passkey that can move across a user’s devices through a trusted ecosystem. It improves convenience and recovery, but it also broadens the portability of the credential, which matters when the organisation needs stronger device-level control or tighter assurance boundaries.
  • Device-bound Passkey: A device-bound passkey stays tied to a specific device or hardware token. It offers stronger control over where the credential can be used and is often better suited to regulated or higher-risk scenarios. The trade-off is lower portability, which can increase the importance of recovery and provisioning processes.
  • Passwordless Authentication: Passwordless authentication is a sign-in model that removes reusable passwords and uses stronger methods such as cryptographic credentials or device-based verification. It reduces phishing and reset risk, but only works well when lifecycle controls, recovery flows, and fallback methods are designed as part of the same system.

Deepen your knowledge

Passkeys and passwordless authentication are covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are planning a staged rollout or evaluating recovery risk, it is worth exploring.

This post draws on content published by OneSpan: the Authentication Newsletter for May 2026, including its World Passkey Day 2026 discussion of passkeys and passwordless authentication. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org