Passkeys and FIDO: what IAM teams need to change now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: FIDO Alliance seminar takeaways reinforce that phishing proxies, adversary-in-the-middle attacks, and social engineering are eroding the value of traditional MFA, while passkeys and hardware-backed FIDO credentials reduce interception risk, according to OneSpan’s recap of the event. Authentication programmes now need to treat phishing-resistant methods as the default, not an enhancement, because the old trust model is breaking under modern attack pressure.

NHIMG editorial — based on content published by OneSpan: Back to identity: FIDO Alliance and the future of phishing-resistant authentication

By the numbers:

Questions worth separating out

Q: How should security teams roll out passkeys without disrupting existing identity programmes?

A: Start with the highest-risk populations first, especially administrators, help-desk teams, and users who face frequent phishing attempts.

Q: Why do phishing-resistant authenticators matter more than legacy MFA?

A: Legacy MFA often adds a second step without changing the trust model, so attackers can still relay or intercept the login flow.

Q: What do IAM teams get wrong about authentication and AI risk?

A: Many teams treat AI as a separate topic from identity, when in practice AI increases both impersonation risk and the need for stronger authorization.

Practitioner guidance

  • Prioritise phishing-resistant authentication for high-risk accounts: move administrators, support staff, and privileged business users to passkeys or hardware-backed authenticators before broad population rollout.
  • Remove reliance on interceptable second factors: review where OTPs, push approvals, and other replayable factors still serve as primary protections.
  • Test authentication against relay and impersonation attacks: run tabletop and red-team exercises that simulate phishing proxies, real-time credential relay, and deepfake-assisted support calls.

What's in the full article

OneSpan's full blog covers the operational detail this post intentionally leaves for the source:

  • The seminar-specific framing behind the FIDO Alliance discussion and how the speakers connected authentication, usability, and AI.
  • Examples of how passkeys are being positioned across workforce access, customer sign-in, and ecosystem integrations.
  • The article’s own explanation of why hardware security keys are still preferred for higher-assurance use cases.
  • The author’s closing perspective on where identity and authentication are headed next.

👉 Read OneSpan's recap of the FIDO Alliance seminar on phishing-resistant authentication →




   
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Phishing-resistant authentication is now the minimum viable control for exposed identity paths. The article correctly treats phishing proxies and adversary-in-the-middle attacks as a structural break in legacy MFA assumptions. Once the login ceremony can be relayed, the control no longer verifies presence in the way the programme thinks it does. Practitioners should stop evaluating MFA as a generic bucket and separate interceptable factors from phishing-resistant authenticators.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: Which frameworks should guide phishing-resistant authentication decisions?

A: NIST SP 800-63 is the clearest fit for authentication assurance and phishing-resistant methods, while the NIST Cybersecurity Framework 2.0 helps place those controls inside a broader governance model. If AI-mediated identity risk is in scope, teams should also align with AI governance processes so access decisions and model usage are controlled together.

👉 Read our full editorial: Phishing-resistant authentication is now the baseline for identity



   