By NHI Mgmt Group Editorial TeamPublished 2025-12-18Domain: Governance & RiskSource: Authsignal

TL;DR: Passkeys reached mainstream adoption in 2025, with nearly 70% of users holding at least one passkey, while regulators in the UAE, India, the Philippines, and the US moved away from SMS OTP and toward phishing-resistant authentication, according to Authsignal. Passwordless is no longer a pilot topic; it is becoming the baseline for identity programmes that need to survive fraud pressure and compliance deadlines.


At a glance

What this is: This is a year-in-review analysis showing passkeys moved from emerging option to mainstream authentication pattern, driven by regulation, platform support, and stronger user outcomes.

Why it matters: It matters because IAM teams now have to treat phishing-resistant authentication as an operating requirement, not an experimental enhancement, across both consumer identity and workforce-adjacent access flows.

By the numbers:

👉 Read Authsignal's analysis of passkey adoption, SMS OTP decline, and NIST changes


Context

Passkeys are phishing-resistant credentials that replace password-based login with cryptographic authentication bound to a device or synced credential manager. In 2025, that model moved from early adoption to broad operational relevance because regulators, platform vendors, and fraud pressure all pushed in the same direction, with passkeys becoming a practical control for consumer IAM.

The governance question is no longer whether passkeys work. It is where passwordless authentication should replace SMS OTP, where syncable passkeys are acceptable, and how identity teams adapt access policy, recovery, and step-up flows for a passwordless user base. For practitioners responsible for IAM and customer identity, this is now a lifecycle and risk-management issue, not a UX experiment.


Key questions

Q: How should security teams phase out SMS OTP without breaking user access?

A: Start with the highest-risk journeys first, especially regulated payments, account recovery, and privileged support interactions. Replace SMS OTP with phishing-resistant authentication such as passkeys, then keep a narrow fallback path for exceptional cases only. Measure login success, help-desk load, and fraud reduction so the migration is driven by operational evidence, not just compliance deadlines.

Q: Why do passkeys reduce account takeover risk more effectively than OTP?

A: Passkeys reduce takeover risk because they rely on public-key cryptography rather than shared secrets that can be phished or intercepted. OTP still depends on a code that travels through a vulnerable channel, while passkeys prove possession of a private key without revealing it. That removes the easiest path for credential replay and code theft.

Q: How do organisations decide when syncable passkeys are enough?

A: Use syncable passkeys where usability and adoption matter, but only after assigning the application’s assurance level. High-value or highly regulated access may still require device-bound keys, stronger recovery, or additional step-up checks. The right decision depends on transaction risk, user population, and the consequences of credential compromise.

Q: What should IAM teams do if regulators reject SMS OTP for authentication?

A: Treat the mandate as a control redesign trigger, not a channel swap. Replace SMS OTP with phishing-resistant authentication, revisit recovery workflows, and update policy to distinguish between routine access and sensitive actions. The real work is aligning authentication strength with transaction risk and proving that weaker factors are no longer in the critical path.


Technical breakdown

Why phishing-resistant authentication became the new baseline

Phishing-resistant authentication changes the attack model because the credential is not reusable in the same way as a password or OTP. Passkeys use public-key cryptography, so the authenticator proves possession of a private key without exposing a shared secret that can be phished, replayed, or intercepted. NIST SP 800-63-4 formalised this shift by requiring phishing-resistant options at AAL2 and non-exportable keys for AAL3 scenarios, which makes strong authentication a policy requirement rather than a vendor preference.

Practical implication: teams should reclassify high-risk login journeys and decide where passwordless must be mandatory, not optional.

How SMS OTP failed as an identity control

SMS OTP failed because it was never a true possession factor. Messages can be intercepted, redirected, socially engineered, or abused through SIM swap and account takeover chains, which leaves the factor vulnerable even when the user enters the correct code. Regulators now treat that weakness as structural, not incidental, and the article shows how multiple jurisdictions moved to phase out SMS and email OTP for regulated access. That policy shift reflects the reality that weak recovery and shared secrets become fraud enablers at scale.

Practical implication: teams should inventory all remaining OTP dependencies and map which user journeys still rely on interceptable factors.

Passkey sync, device binding, and recovery trade-offs

The adoption debate is no longer only about whether passkeys are secure. It is also about how credential portability, syncable storage, and account recovery affect trust boundaries. Syncable passkeys expand usability and make adoption easier, but they also shift some assurance assumptions from a single device to the credential ecosystem. Device-bound keys preserve tighter control, while synced credentials can improve scale and recovery. Identity teams need to distinguish those modes instead of treating all passkeys as equivalent.

Practical implication: define which applications can accept syncable passkeys and which require tighter device-binding or stronger recovery controls.


Threat narrative

Attacker objective: The attacker aims to turn weak authentication into persistent account access and monetize that access through fraud, impersonation, or downstream privilege abuse.

  1. Entry begins with credential theft or interception through SMS OTP, password reuse, or credential stuffing against login flows that still trust shared secrets.
  2. Escalation follows when the attacker uses the captured factor to complete authentication, bypassing weak step-up checks and taking over the account.
  3. Impact arrives as account takeover, fraud, unauthorized transactions, or access to sensitive identity-linked services.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Passwordless adoption is now an IAM governance issue, not a product preference. Once nearly 70% of users hold at least one passkey, the operational question changes from adoption feasibility to control design. Identity teams must decide which user journeys can remain password-based, which must move to phishing-resistant authentication, and how recovery is governed across devices and credential managers. The implication is that passkey policy now belongs in the core IAM roadmap, not in a pilot backlog.

SMS OTP is collapsing as a trustworthy identity factor because its threat model is obsolete. That factor was designed for a world where message interception and shared-secret abuse were not yet dominant identity threats. That assumption fails when attackers can phish, redirect, or socially engineer codes at scale, and when regulators explicitly classify SMS and email OTP as insufficient. The implication is that organisations must rethink assurance boundaries, not just swap one login method for another.

Passkey success rates matter because authentication quality is now measurable at the business layer. A 93% login success rate compared with 63% for traditional methods means stronger security can also reduce abandonment and support cost. That changes the governance conversation across consumer identity, help desks, and fraud operations. Practitioners should treat passkey metrics as both security evidence and user-experience evidence.

Passkey portability creates a new trust boundary that IAM teams cannot ignore. When credentials can be synced or exported across managers, the control question shifts from individual device protection to ecosystem trust, recovery design, and policy consistency. This does not weaken passwordless authentication, but it does mean assurance levels must be assigned by use case. The practical conclusion is that passkeys need differentiated governance by application risk, not a single blanket rule.

Phishing-resistant authentication is now the named control concept that connects regulation, fraud, and IAM architecture. NIST, central banks, and consumer platforms are converging on the same premise: interceptable factors are no longer adequate for sensitive access. For practitioners, the field is moving toward assurance-based policy, where the authentication method must match the transaction risk, account value, and recovery path.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
  • That combination of slow remediation and uneven practice is why Ultimate Guide to NHIs , The NHI Market remains relevant for teams mapping where identity controls break down across systems and secrets.

What this signals

Passkey adoption changes the control baseline for customer identity. Once users expect phishing-resistant login by default, organisations that keep SMS OTP in the critical path will look increasingly out of step with both fraud realities and regulatory expectations. The practical signal is to accelerate roadmap decisions around recovery, step-up policy, and support-channel identity verification, while anchoring the architecture to NIST SP 800-63 Digital Identity Guidelines.

Passkey governance now sits between authentication and lifecycle management. Identity teams need to decide how credentials are enrolled, migrated, recovered, and retired across devices and credential managers. The concept to watch is authentication assurance drift: the gap that appears when a strong authenticator is deployed but recovery or fallback paths quietly reintroduce weaker factors.

A practical reading of the market is that passwordless will be judged less by adoption slogans and more by measurable friction reduction, fraud suppression, and failure recovery. That means customer identity teams should track abandonment, help-desk resets, and suspicious login patterns as core programme metrics, not as peripheral support data.


For practitioners

  • Inventory every remaining SMS and email OTP dependency Map each login, recovery, and step-up flow that still relies on interceptable codes. Prioritise regulated transactions, support channels, and high-value consumer accounts first, then define replacement paths with passkeys or other phishing-resistant authenticators.
  • Separate passkey policy by assurance level Classify where syncable passkeys are acceptable and where device-bound or stronger recovery controls are required. Use account value, transaction sensitivity, and fraud exposure to set policy instead of applying one default rule everywhere.
  • Tie authentication design to fraud telemetry Use login success, account takeover attempts, and help-desk recovery volume to judge whether passkey rollout is reducing risk or simply shifting it. Feed that telemetry back into policy tuning and step-up rules.
  • Update recovery and support workflows before rollout Redesign account recovery, lost-device handling, and credential reset processes so passkeys do not become the weakest link. Make sure support staff can verify identity without reverting to phishable factors.

Key takeaways

  • Passkeys moved from promising option to mainstream control in 2025 because regulation, platform support, and user acceptance converged.
  • SMS OTP is losing legitimacy as an authentication factor because its interception and social-engineering exposure no longer matches today’s fraud environment.
  • IAM teams now need differentiated passkey governance, with policy, recovery, and assurance levels aligned to transaction risk.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63 and NIST CSF 2.0 set the technical controls, while ISO/IEC 27001:2022 and GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63BThe article centers on phishing-resistant authenticator requirements and digital identity assurance.
NIST CSF 2.0PR.AC-7Authentication quality and access enforcement are the core governance themes here.
ISO/IEC 27001:2022A.8.5Authentication information and credential handling are directly relevant to passkey governance.
GDPRArt.32Consumer authentication changes can affect personal data protection and account security obligations.

Map passwordless rollout to PR.AC-7 and validate that access policies enforce stronger authentication at sensitive points.


Key terms

  • Passkey: A passkey is a phishing-resistant credential based on public-key cryptography rather than a shared secret. It lets a user prove possession of a private key without revealing a password or one-time code, which reduces replay, interception, and credential stuffing risk.
  • Phishing-resistant authentication: Phishing-resistant authentication uses a factor that cannot be easily captured and replayed by an attacker through a fake login page or intercepted message. In practice, it usually means cryptographic authenticators such as passkeys or hardware-backed keys that bind the login response to the legitimate site.
  • Credential stuffing: Credential stuffing is the automated abuse of reused usernames and passwords taken from previous breaches. Attackers test large sets of stolen credentials across services until one works, which makes reusable secrets a persistent account takeover risk for consumer and workforce identity alike.
  • Authentication assurance: Authentication assurance is the confidence that a login method really proves the identity being claimed. It is not just about convenience or multi-factor presence. For high-risk access, assurance depends on how resistant the method is to phishing, interception, replay, and recovery abuse.

What's in the full article

Authsignal's full blog covers the operational detail this post intentionally leaves for the source:

  • Implementation specifics for passkey rollout across consumer login, recovery, and step-up flows.
  • The article's full breakdown of regional regulatory deadlines and how they affect authentication planning.
  • More detail on the vendor's adaptive MFA and rules-engine approach for risk-based authentication.
  • Examples of passkey adoption patterns across regulated industries and customer identity journeys.

👉 Authsignal's full post covers adoption data, regulatory timelines, and implementation context for passwordless authentication.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org