By NHI Mgmt Group Editorial Team
Published 2025-06-11
Domain: Governance & Risk
Source: OneSpan

TL;DR: Passkeys have surpassed 2 billion global uses, but the FIDO plenary discussed how syncable passkeys still leave enterprise control and policy-enforcement gaps compared with device-bound credentials, according to OneSpan. As AI-driven use cases expand, passwordless authentication is becoming an identity governance problem, not just an authentication upgrade.


At a glance

What this is: This is an analysis of how passkeys, hardware security keys, and AI-driven use cases are reshaping passwordless authentication, with the key finding that adoption is advancing faster than enterprise control models.

Why it matters: It matters because IAM, NHI, and human identity programmes all depend on proving presence, binding credentials, and enforcing policy across device and runtime conditions that passwordless systems do not solve on their own.



Context

Passwordless authentication is moving from niche deployment to mainstream identity control, but the governance problem has shifted rather than disappeared. The core issue is not whether passkeys work, but whether enterprises can still enforce binding, presence, and policy when credentials sync across devices and users expect low-friction access.

That matters for IAM and NHI programmes because the same design pressure appears across human login flows, workload access, and emerging agentic use cases. Once authentication becomes more portable and more automated, security teams have to separate convenience from control and decide where device binding, trust signals, and hardware-backed assurance remain necessary.


Key questions

Q: How should security teams decide where to use syncable passkeys versus device-bound keys?

A: Use syncable passkeys where usability and scale matter most, but keep device-bound keys for privileged access, regulated workflows, and any application where the organisation must preserve a stronger device-to-credential binding. The decision should be based on assurance requirements, not user preference alone. If the workflow tolerates credential portability, syncable passkeys are reasonable. If it does not, hardware binding should stay mandatory.

Q: Why do passwordless controls still need governance if phishing resistance is improved?

A: Phishing resistance removes one major attack path, but it does not solve policy enforcement, device trust, or delegated use cases. A passwordless login can still create exposure if the enterprise cannot distinguish between a managed device, a synced authenticator, and an action initiated by automation. Governance is still required because authentication strength is only one part of identity assurance.

Q: What do security teams get wrong about passkeys in regulated environments?

A: They often treat passkeys as a universal replacement for passwords instead of an assurance model with different operating modes. In regulated environments, the key question is whether the organisation can prove device binding, control revocation, and restrict use to approved contexts. Without those controls, passkeys may improve convenience while leaving assurance gaps unresolved.

Q: Who is accountable when an AI system uses delegated authentication to act on a user’s behalf?

A: Accountability should sit with the organisation that approved the delegation model and defined the policy boundaries, not with the authentication method itself. Teams need to specify who can initiate delegated actions, what the system may do, and where human review is required. Without that, passwordless authentication can become a governance blind spot instead of a control.


Technical breakdown

Syncable passkeys and enterprise control

Syncable passkeys improve adoption because they reduce user friction and replace phishing-prone passwords, but they also weaken the enterprise's ability to tie a credential to a single physical device. The private key is still protected, but the trust boundary moves into the cloud account and sync ecosystem. That creates a policy problem: an organisation can no longer assume that possession of the credential means possession of a managed endpoint. For regulated environments, that distinction matters as much as authentication strength. In practice, treat syncable passkeys as a usability gain, not a complete control model, and decide where device-bound enforcement remains mandatory.

Practical implication: define which apps and user groups can accept syncable passkeys and where device-bound assurance must stay in place.

Hardware security keys and phishing-resistant authentication

Hardware security keys keep the credential in physically bound secure storage, which preserves a stronger link between the user, the device, and the authentication event. That makes them attractive where high assurance, step-up access, or regulated workflows demand a tighter trust boundary than syncable passkeys can provide. In FIDO terms, the difference is not just format but assurance context: a hardware key narrows the attack surface by resisting phishing and limiting credential portability. In practice, use hardware keys for privileged access, high-value transactions, and scenarios where mobile authenticators are not acceptable.

Practical implication: reserve hardware security keys for privileged and regulated use cases where credential portability is an unacceptable risk.
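The two sections above turn on one question a relying party can actually check at login time: does the credential the authenticator just used claim to be syncable (backup-eligible) or device-bound, and was a user-presence test performed? The example below is added here and is not OneSpan's or NHI Mgmt Group's code; it parses the fixed prefix of WebAuthn authenticator data (rpIdHash, flags byte, signature counter) and enforces a hypothetical two-tier policy: standard users may use syncable passkeys, privileged users must present a device-bound credential with user verification. The tier names and policy values are assumptions for illustration.

```python
import struct
from dataclasses import dataclass

# WebAuthn authenticator-data flag bits: UP (user present), UV (user verified),
# BE (backup eligible, i.e. the credential may be synced), BS (currently backed up).
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS = 0x01, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class AuthDataFlags:
    user_present: bool
    user_verified: bool
    backup_eligible: bool   # BE=1 means a syncable passkey; BE=0 means device-bound
    backup_state: bool      # BS=1 means the credential is currently backed up


def parse_auth_data(auth_data: bytes) -> tuple[bytes, AuthDataFlags, int]:
    """Split the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    parsed = AuthDataFlags(
        user_present=bool(flags & FLAG_UP),
        user_verified=bool(flags & FLAG_UV),
        backup_eligible=bool(flags & FLAG_BE),
        backup_state=bool(flags & FLAG_BS),
    )
    return rp_id_hash, parsed, sign_count


# Hypothetical assurance tiers: which credential types each user group may use.
POLICY = {
    "standard":   {"allow_syncable": True,  "require_uv": False},
    "privileged": {"allow_syncable": False, "require_uv": True},
}


def evaluate(auth_data: bytes, tier: str) -> list[str]:
    """Return the policy violations for this assertion; an empty list means accept."""
    _, f, _ = parse_auth_data(auth_data)
    rules = POLICY[tier]
    problems = []
    if not f.user_present:
        problems.append("no user-presence test")
    if rules["require_uv"] and not f.user_verified:
        problems.append("user verification required")
    if not rules["allow_syncable"] and (f.backup_eligible or f.backup_state):
        problems.append("syncable credential not allowed for this tier")
    return problems


def make_auth_data(flags: int, sign_count: int = 1) -> bytes:
    """Constructed sample authenticator data: zero rpIdHash, given flags and counter."""
    return bytes(32) + bytes([flags]) + struct.pack(">I", sign_count)
```

The BE/BS bits are asserted by the authenticator itself, so this check belongs alongside, not instead of, attestation and an AAGUID allowlist at registration; it is the per-login policy gate, not proof of a managed endpoint.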

Agentic AI and passwordless authentication

The article correctly points to a deeper shift: passwordless authentication was designed around explicit user presence, but agentic AI can take actions on behalf of a user without the same human-paced interaction loop. That creates a governance tension, not just a technical one. If an agent is initiating requests, the authentication event may no longer map cleanly to a human acting at a keyboard. The result is pressure on FIDO models to evolve from user-presence proof toward policy-aware delegation and bounded execution contexts. In practice, do not reuse human authentication assumptions for AI-driven workflows without re-validating the trust model.

Practical implication: redesign authentication policy for delegated and agent-driven actions instead of assuming human presence will always be the control anchor.


NHI Mgmt Group analysis

Passkey adoption is outpacing enterprise trust design: The market has treated passwordless authentication as a credential-format problem, but the real issue is control boundary design. Syncable passkeys improve reach and usability, yet they weaken the assumption that the enterprise controls the full lifecycle of the authenticator. Practitioners should read this as a warning that authentication strength alone does not equal governance strength.

Device binding remains the dividing line between convenience and assurance: Syncable credentials help scale adoption, but device-bound credentials preserve a narrower and more defensible trust boundary. That distinction matters for regulated access, privileged workflows, and environments where the organisation must know not just who authenticated, but on what controlled device the event occurred. Teams that blur those two models will overestimate their assurance posture.

User-presence proof was designed for human-paced authentication, not delegated runtime action: That assumption fails when the actor is autonomous or AI-assisted because the request and the decision to act can be separated from direct human initiation. The implication is not merely that a new factor is needed, but that authentication models must stop assuming a stable human operator behind every action.

Hardware security keys are becoming a policy tool, not just a phishing control: Their value extends beyond resisting account takeover. They let organisations maintain stronger assurance for high-risk populations where syncability, shared devices, or unmanaged endpoints would otherwise dilute identity confidence. Practitioners should treat them as part of an assurance architecture, not a user-support accessory.

FIDO's next phase will be about delegation boundaries, not just login replacement: As AI systems start acting on behalf of users, the industry will need clearer rules for when a credential authenticates a person versus authorises a delegated workflow. That is where IAM, authentication, and emerging AI governance converge. Security leaders should prepare for identity policy to expand beyond login events into runtime action control.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most teams still cannot reliably govern non-human access at scale.
  • Ultimate Guide to NHIs, Standards: the next step for teams aligning passwordless, workload identity, and zero trust controls.

What this signals

Passkey rollouts will expose control maturity gaps faster than they expose authentication weaknesses. The organisations that move first will discover whether their identity programme can distinguish between convenience and assurance at the policy layer. That is especially relevant where passwordless login, workload access, and delegated AI actions start sharing the same trust architecture.

The next governance question is not whether passwordless works, but where the organisation can still assert control over binding, revocation, and approved usage contexts. Teams that cannot answer that question cleanly will end up expanding access assurance faster than they can operationalise it.


For practitioners

  • Classify which users can accept syncable passkeys: Separate standard users, privileged users, and regulated workflows so that syncable credentials are only allowed where device portability is acceptable.
  • Preserve hardware-backed assurance for high-risk access: Require hardware security keys for privileged administration, sensitive financial actions, and any use case where mobile or cloud-synced authenticators weaken assurance.
  • Rework authentication policy for delegated AI actions: Map where an AI system is acting on behalf of a user and require separate policy for delegated execution, rather than assuming a normal login event is enough.
  • Review trust signals before expanding passwordless rollout: Confirm which applications need device binding, contextual signals, or explicit policy enforcement before you broaden passwordless use across the enterprise.

Key takeaways

  • Passwordless adoption is advancing, but enterprise assurance still depends on whether credentials are bound tightly enough to the right device and context.
  • Hardware security keys and device-bound flows remain the stronger option wherever regulated access, privileged actions, or delegated AI use cases demand tighter control.
  • IAM teams should treat passkeys as a governance decision, not just an authentication upgrade, because delegation and policy enforcement now matter as much as phishing resistance.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                     | Control / Reference | Relevance
NIST SP 800-63                | -                   | Passkeys and user presence map directly to digital identity assurance guidance.
NIST CSF 2.0                  | PR.AC-1             | Authentication and credential assurance are central to access control outcomes.
NIST Zero Trust (SP 800-207)  | IA-2                | Zero trust requires continuous verification, not just easier logins.

Map passwordless rollout to access-control objectives and verify assurance before expanding scope.


Key terms

  • Syncable Passkey: A syncable passkey is a passwordless credential that can move across a user’s devices through a cloud account. It improves convenience, but it also changes the trust model because the enterprise is no longer dealing with a credential locked to a single endpoint.
  • Device-bound Passkey: A device-bound passkey stays tied to a specific hardware device and secure storage. This gives organisations a stronger assurance boundary because the credential is harder to copy, share, or use outside the approved device context.
  • Phishing-resistant Authentication: Phishing-resistant authentication uses methods that are not easily tricked into handing credentials to an attacker through a fake login prompt. In practice, it narrows the attack surface, but it still needs policy, device trust, and lifecycle controls to be effective at enterprise scale.
  • Delegated Authentication: Delegated authentication is when one actor, often software or an AI system, is allowed to act using another identity’s authority. The key governance issue is not only proving identity, but constraining what the delegate may do, when it may do it, and under which approval rules.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.

This post draws on content published by OneSpan: What's ahead for passwordless authentication, with takeaways from the FIDO Alliance plenary. Read the original.
