Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Passkeys, agentic AI and account takeover: what changes now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: Merchants are increasingly using agentic AI for chargeback documentation and refund review, while passkeys are moving from pilot to practice as credential stuffing and phishing continue to drive account takeover, according to Sift and cited FIDO Alliance and NIST guidance. The governance challenge is no longer authentication alone, but trust, measurement and identity resolution across the customer journey.

NHIMG editorial — based on content published by Sift: Company 3 Themes from the MAG-Sift Merchant Meet-Up: Agents, Passkeys, and Identity Trust

By the numbers:

Questions worth separating out

Q: How should security teams use passkeys without assuming account takeover is solved?

A: Use passkeys as a phishing-resistant layer, but keep recovery, device trust and step-up verification under strict control.

Q: Why do account takeover controls need to involve both fraud and IAM teams?

A: Because takeover is rarely limited to authentication.

Q: What breaks when customer identity signals are fragmented across tools?

A: Detection becomes partial, false declines rise and legitimate users are harder to distinguish from attackers.

Practitioner guidance

  • Define agent boundaries for fraud automation Restrict agentic AI to narrow tasks such as chargeback document assembly or refund triage, and require human approval for exception handling, payout changes and customer-impacting reversals.
  • Harden passkey recovery paths Review account recovery, trusted-device binding and step-up verification so a phishing-resistant authenticator does not become a weakly governed back door to the account.
  • Correlate identity signals across the customer journey Link onboarding, login, payment and loyalty telemetry so takeover patterns can be seen as one identity narrative rather than isolated events in separate tools.

What's in the full article

Sift's full blog post covers the operational detail this post intentionally leaves for the source:

  • How merchants are using agentic AI for chargeback documentation, refund review and transaction routing in live operations
  • The specific passkey adoption patterns discussed for returning customers, trusted devices and mobile login flows
  • How teams are tying ATO metrics to approval rates, false declines and customer retention outcomes
  • The practical ways merchants are combining device fingerprinting with identity resolution across the customer journey

👉 Read Sift's analysis of agents, passkeys and identity trust in merchant operations →

Passkeys, agentic AI and account takeover: what changes now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Identity trust is becoming a commercial control, not just a security control. The article shows merchants linking authentication decisions to approval rates, headcount hours and retention, which means identity is now part of revenue governance. That is a useful shift, but it also raises the bar for assurance because a fast decision is not the same as a trustworthy decision. Practitioners should treat identity signals as commercial risk inputs, not just login telemetry.

A question worth separating out:

Q: Who is accountable when agentic AI makes a fraud decision that affects customers?

A: The business owner remains accountable, even if the agent executes the workflow. Teams need clear approval thresholds, audit trails and escalation rules so automated decisions can be explained, reviewed and reversed when the outcome is wrong.

👉 Read our full editorial: Agentic AI, passkeys and identity trust are reshaping digital commerce



   
ReplyQuote
Share: