TL;DR: Passwordless authentication is moving from optional to expected: Descope’s State of Customer Identity 2025 survey says 87% of organisations still use passwords for customer-facing apps, while 45% have deployed passkeys and 27% plan to within two years. The real challenge is migration discipline, not proof of concept, because hybrid auth will dominate the transition period.
At a glance
What this is: This is an analysis of where passwordless authentication is headed and why the biggest barrier is still operational migration, not user demand.
Why it matters: It matters because customer IAM teams must modernise authentication without breaking existing journeys, while also keeping alignment with broader identity, lifecycle, and access governance.
By the numbers:
- 87% of organisations still use password-based auth for customer-facing apps.
- 45% of organisations have already deployed passkeys in one or more apps.
- 75% of global consumers are now aware of passkeys.
- 48% of consumers would abandon purchases due to an authentication issue.
👉 Read Descope's passwordless authentication trends analysis for 2026
Context
Passwordless authentication replaces knowledge-based credentials with possession- or biometric-based methods, but the governance problem is bigger than the login screen. Customer IAM teams still carry password debt, legacy UX assumptions, and brittle recovery flows that were designed around secrets rather than device-bound or link-based trust.
The primary issue is not whether passwordless works. It is whether organisations can modernise customer authentication without forcing a flag-day migration, breaking fallback paths, or creating a new layer of support and fraud risk in the process.
Key questions
Q: How should security teams implement passwordless authentication without breaking customer journeys?
A: Use a staged rollout that keeps existing sign-in paths available while adding passkeys, magic links, or OTPs where they fit. Test enrollment, recovery, and step-up flows separately, because the biggest failures usually happen at the handoff points between old and new methods. Success depends on policy consistency, not just adding another login option.
Q: Why do passwordless programmes still need strong recovery governance?
A: Because account recovery is often the easiest route back into a customer identity after the primary credential is removed. If re-enrolment is weak, passwordless controls can be bypassed through social engineering, stale devices, or inconsistent identity proofing. Recovery should be designed as part of the authentication control itself, not as an afterthought.
Q: How do organisations know if passwordless authentication is actually working?
A: Look at adoption, abandonment, support volume, and takeover rates together. A healthy programme should reduce password resets and credential-based incidents while preserving or improving conversion. If friction rises but fraud does not fall, the deployment is shifting burden rather than improving control.
Q: What is the difference between passkeys and other passwordless methods in practice?
A: Passkeys provide the strongest phishing resistance because they use cryptographic keys bound to a device or authenticator, while methods like magic links and OTPs still rely on delivery channels that can be intercepted or abused. Teams should reserve passkeys for higher-assurance use cases and use weaker methods only where the risk profile supports them.
Technical breakdown
Passkeys, WebAuthn, and device-bound authentication
Passkeys are the clearest expression of passwordless authentication because they replace memorised secrets with cryptographic proof bound to a device or secure authenticator. In most deployments, the server never sees a reusable password, which reduces phishing exposure and credential replay risk. WebAuthn provides the browser and platform layer, while FIDO2 underpins the standards that make interoperability possible. The practical design challenge is not the cryptography itself, but enrollment, account recovery, and cross-device continuity.
Practical implication: treat passkey rollout as an identity architecture change, not just a new login option.
Magic links, OTPs, and layered customer auth
Magic links and one-time passwords are often grouped with passwordless authentication because they remove reusable secrets from the user journey. They are not equivalent in risk profile. Magic links depend on trusted delivery channels, while OTPs still rely on short-lived codes that can be intercepted or socially engineered. For many organisations, these methods work best as transitional controls inside a layered authentication model rather than as final-state replacements for stronger phishing-resistant methods.
Practical implication: use these methods deliberately as part of a staged migration, not as a permanent substitute for stronger controls.
Hybrid auth and the cost of migration debt
Hybrid authentication is the realistic operating model for most enterprises because passwordless adoption usually overlays existing password systems instead of replacing them. That creates migration debt, where teams must support two or more sign-in patterns, multiple recovery paths, and different trust assumptions at the same time. The architectural issue is not simply technical coexistence. It is that inconsistent policy enforcement across old and new flows can create gaps in assurance, user experience, and support handling.
Practical implication: model your rollout as a coexistence problem and review every fallback path for policy drift.
Threat narrative
Attacker objective: The attacker aims to gain account access that can be monetised through fraud, resale, or further impersonation.
- Entry occurs through password reuse, brute force, phishing, or credential stuffing against customer-facing accounts that still depend on passwords.
- Escalation follows when attackers exploit weak recovery flows, intercepted one-time codes, or reused credentials to take over accounts and bypass additional controls.
- Impact appears as account takeover, fraud, lost trust, support burden, and abandoned purchases across customer-facing digital services.
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Passwordless authentication is now a migration and governance problem, not a concept problem. The market has already moved past awareness, but most organisations still operate hybrid authentication stacks with passwords embedded in customer journeys. That means the real question is how to govern coexistence, recovery, and exception handling while reducing password dependence without widening exposure. Practitioners should treat the transition as an IAM operating-model change, not a feature rollout.
Customer authentication is increasingly a fraud-control and support-cost issue, not just a security control. Passwordless adoption changes the economics of account recovery, login friction, and takeovers. When 82% of organisations report business impacts from authentication issues, the operating model cannot be evaluated only on security strength. The implication is that IAM, fraud, and customer experience teams need a shared view of risk, because auth decisions now move conversion, cost, and trust together.
Passkey adoption validates phishing-resistant identity, but it does not eliminate lifecycle governance. Device-bound credentials still require enrollment governance, recovery design, device loss handling, and revocation logic. Passwordless reduces one class of secret exposure, but it does not remove the need to know which authenticators are active, which fallback paths exist, and how assurance is maintained across channels. Practitioners should align passwordless plans with lifecycle and access governance from the start.
Hybrid authentication will remain the dominant transition state, which makes policy consistency the real control boundary. Organisations that layer passkeys, OTPs, magic links, and passwords without consistent rules will inherit multiple trust levels inside one customer IAM stack. That creates assurance drift between enrollment, sign-in, recovery, and step-up flows. The practical conclusion is that architecture decisions now matter more than the choice of any single factor.
Passwordless auth is strongest when it is treated as identity infrastructure, not user-interface optimisation. The article correctly frames the rollout as incremental and additive, which aligns with how large identity programmes actually change. The discipline required is to map assurance, recovery, and fallback across the full journey so that new methods do not simply coexist with legacy weaknesses. Practitioners should use the transition to simplify policy, not just the login screen.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Only 44% of organisations have implemented any policies to govern AI agents, which leaves a wide gap between stated concern and operational control.
- For a broader control baseline, see the Ultimate Guide to NHIs for lifecycle, visibility, and access governance patterns that apply across machine identities.
What this signals
Passwordless programmes are converging with broader identity modernisation, so teams should expect the same governance pressure that has shaped NHI lifecycle work: visibility, recovery discipline, and consistent policy enforcement across states. The lesson is that authentication change fails when it is treated as a point solution rather than a governed transition.
Authentication assurance drift: this is what happens when one sign-in path uses stronger proof than another but both are treated as equivalent in policy. As passwordless layers are added, teams need to watch for inconsistent fallback handling, because the weakest path often becomes the real control boundary.
The most useful next step is to treat customer authentication as a measurable programme, with separate metrics for adoption, abandonment, support, and takeover. That gives IAM and fraud teams a shared operational view instead of relying on anecdote.
For practitioners
- Map every fallback path in your customer auth journey Inventory sign-in, recovery, and reset flows across all customer-facing applications, then document where passwords, OTPs, magic links, and passkeys overlap or diverge. The goal is to find inconsistent trust decisions before they become support or fraud problems.
- Roll out passwordless in staged cohorts Start with new applications or low-risk user segments, then expand through progressive enrolment rather than forced migration. Track conversion, recovery, and abandonment separately so the rollout can be tuned by evidence instead of assumption.
- Align customer IAM and fraud teams on auth risk Create shared reporting for takeover attempts, recovery abuse, and login friction so security and fraud decisions use the same operational picture. Passwordless changes the balance between user convenience and adversary resistance, so these teams need common metrics.
- Treat passkey recovery as a governance control Define who can re-enrol a device, what evidence is required, and how to revoke old authenticators when a phone is lost or replaced. Recovery is where weak implementation often reintroduces the same risk passwordless was meant to remove.
Key takeaways
- Passwordless adoption is advancing, but most organisations are still running hybrid authentication models built around passwords.
- The biggest risk is not the technology itself, but inconsistent recovery, fallback, and policy handling across multiple sign-in methods.
- Teams that treat passwordless as identity infrastructure, rather than a UI change, are more likely to reduce friction and security debt at the same time.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | Customer authentication assurance and recovery are central to passwordless migration. | |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Passwordless reduces standing credential exposure in zero trust identity flows. |
| NIST CSF 2.0 | PR.AA-01 | Authentication is a core protective control affected by passwordless rollout. |
Map assurance levels to each auth path and require recovery flows to match the risk of the protected account.
Key terms
- Passwordless Authentication: An authentication approach that removes reusable passwords from the primary sign-in flow and replaces them with stronger methods such as passkeys, device-bound credentials, magic links, or one-time codes. The operational goal is to reduce credential reuse, phishing exposure, and reset overhead while preserving a usable customer journey.
- Passkey: A cryptographic authenticator that lets a user sign in without typing a password, usually by proving possession of a device plus a local unlock method such as biometrics or a PIN. Passkeys are designed to resist phishing and replay because the credential is bound to the device and never reused as a shared secret.
- Hybrid Authentication: A transitional identity model where passwordless methods and legacy passwords both remain active in the same customer journey. It often improves adoption speed, but it also creates policy drift if sign-in, recovery, and step-up rules are not aligned across every authentication path.
What's in the full article
Descope's full blog post covers the operational detail this post intentionally leaves for the source:
- Survey tables showing how customer IAM decision-makers are weighting passwords, passkeys, OTPs, and social login
- Examples of incremental deployment patterns from real organisations moving toward passwordless flows
- Product-specific rollout guidance for layering passwordless into existing authentication stacks
- Supporting detail on how major platforms are shaping consumer expectations for passwordless sign-in
👉 Descope's full post covers survey breakdowns, adoption patterns, and implementation examples.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or identity programme maturity, it is worth exploring.
Published by the NHIMG editorial team on 2026-03-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org