
Passkeys and phishing-resistant auth: what IAM teams must change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: FIDO forum takeaways frame passkeys, phishing-resistant authentication, and AI-driven fraud as a reset for access design, with FIDO citing a 4.2% rise in phishing after ChatGPT and more than 53% of consumers reporting suspicious digital activity. The practical issue is not passwords alone but whether identity programmes can scale stronger authentication without adding user friction.

NHIMG editorial — based on content published by OneSpan: Back to identity, the FIDO Alliance and the future of phishing-resistant authentication

By the numbers:

Questions worth separating out

Q: How should security teams implement phishing-resistant authentication without hurting adoption?

A: Start with the highest-risk populations and applications, then offer the simplest usable authenticators that still meet your assurance target.

Q: When should organisations require hardware-bound keys instead of synchronised passkeys?

A: Require hardware-bound keys for privileged access, regulated operations, and any workflow where origin assurance and device binding matter more than convenience.

Q: What do security teams get wrong about MFA in phishing-heavy environments?

A: They assume MFA always blocks account takeover, even when the factor can be relayed in real time.

Practitioner guidance

  • Prioritise phishing-resistant authentication for high-risk access paths: Start with privileged users, finance, admin consoles, and any workflow that can trigger sensitive changes.
  • Separate convenience passkeys from assurance-grade authenticators: Define which user groups can use synchronised passkeys and which roles require hardware-bound keys.
  • Rework account recovery as an assurance control: Treat recovery as part of the authentication boundary, not an operational exception.

What's in the full article

OneSpan's full blog covers the operational detail this post intentionally leaves for the source:

  • How passkey enrolment and recovery choices affect deployment at scale across different user populations
  • The specific user-experience and help desk trade-offs between synchronised passkeys and hardware-bound keys
  • The article's examples of where passkeys improved login speed, support volume, and transaction reliability
  • The three identity-and-AI roles the source uses to frame authentication strategy across fraud, access, and governance

👉 Read OneSpan's analysis of FIDO passkeys and phishing-resistant authentication →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Passkeys are becoming the practical replacement for shared-secret trust in human authentication. The article makes a straightforward point: password-based access and conventional MFA are too easy to relay, prompt, or socially engineer. Phishing-resistant authentication changes the assurance model by removing reusable secrets from the path. For IAM programmes, this is not a cosmetic upgrade; it is a shift from recoverable credentials to cryptographic proof of possession.

Phishing-resistant authentication is now a programme design issue, not a point solution choice. Teams that still rely on promptable MFA are carrying forward an assumption that attackers need longer than they actually do. The practical signal is to segment access by assurance tier and prioritise systems where session relay or push fatigue would create the biggest blast radius.

A question worth separating out:

Q: How can IAM teams prepare for AI-driven identity fraud?

A: Treat AI fraud as an identity and authorization problem, not only a fraud analytics problem. Strengthen proofing, reduce reliance on reusable secrets, and put stronger controls around recovery, delegated access, and high-risk transactions. That gives fraud teams and IAM teams a shared control model.

👉 Read our full editorial: FIDO passkeys and phishing-resistant authentication are resetting IAM

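The relay point in the reply above, as an added example that is not from this post or from OneSpan's article: a simplified relying-party check of a WebAuthn assertion, showing why an assertion obtained through a phishing proxy fails while a relayed OTP would not. The browser, not the page, writes the origin into clientDataJSON and the authenticator's signature covers it, so the attacker can neither present it from the wrong origin nor rewrite the origin field. The RP ID, the allowed origins and the HMAC standing in for the authenticator's key pair are constructed assumptions for the example.

```python
import hashlib
import hmac
import json

# Constructed values for the example: relying-party ID, the origins it accepts,
# and a symmetric key that stands in for the credential's private/public key pair.
RP_ID = "bank.example"
ALLOWED_ORIGINS = {"https://bank.example"}
DEVICE_KEY = b"constructed-authenticator-key"

def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()

def authenticator_sign(origin: str, challenge: str) -> dict:
    """Simplified browser+authenticator side of navigator.credentials.get().
    The browser, not the web page, writes the origin into clientDataJSON, and the
    authenticator signs authenticatorData || sha256(clientDataJSON)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    # Assumption: the browser derives the RP ID from the origin's host.
    auth_data = rp_id_hash(origin.split("://", 1)[1]) + b"\x01" + (0).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(DEVICE_KEY, signed, hashlib.sha256).digest()  # HMAC stands in for ECDSA
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def verify_assertion(assertion: dict, expected_challenge: str) -> tuple[bool, str]:
    """Relying-party checks, in the order the WebAuthn spec lists them (simplified)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (replayed or stale assertion)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        # A proxy that relays the challenge only ever obtains an assertion bound to ITS origin.
        return False, f"origin {cd.get('origin')!r} not allowed"
    ad = assertion["authenticatorData"]
    if not hmac.compare_digest(ad[:32], rp_id_hash(RP_ID)):
        return False, "rpIdHash mismatch"
    if not ad[32] & 0x01:
        return False, "user-presence flag not set"
    # The signature covers clientDataJSON, so the origin field cannot be rewritten afterwards.
    signed = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(DEVICE_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"
```

The rejection reason is returned rather than logged so that an IAM team can route it to detection: a burst of "origin not allowed" failures for one user is a relay attempt, not a user error.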