TL;DR: Passkeys and FIDO standards are broadly understood, but RSAC 2026 conversations highlighted that deployment still breaks on enrolment, device strategy, recovery, and lifecycle management, according to OneSpan. The real problem is not whether passkeys work, but whether organisations can bind them cleanly into existing identity operations across people, devices, and sessions.
NHIMG editorial — based on content published by OneSpan: RSAC 2026 recap on moving passkeys from direction to execution
Questions worth separating out
Q: How should organisations roll out passkeys across a mixed workforce environment?
A: Start by segmenting the workforce into use cases such as managed endpoints, shared devices, contractors, and higher-assurance roles.
Q: Why do passkey programmes fail even when the underlying technology works?
A: They fail when the operating model is incomplete.
Q: How can security teams know whether passkey adoption is actually improving security?
A: Look for fewer phishing-driven account compromises, lower reliance on password resets, and consistent enrolment success across user groups.
Practitioner guidance
- Define the passkey binding model: Map how each workforce identity is enrolled, re-bound, recovered, and retired.
- Segment rollout by use case: Separate managed endpoints, shared devices, contractors, and high-assurance users into different deployment patterns.
- Extend governance beyond the login moment: Link authentication decisions to session monitoring, transaction checks, and real-time risk signals so a successful login does not become the only control boundary.
What's in the full article
OneSpan's full blog covers the operational detail this post intentionally leaves for the source:
- The specific rollout questions raised by practitioners at RSAC 2026, including workforce migration and shared-device scenarios.
- The FIDO Alliance seminar context on enrolment, devices, recovery, and the operational systems around authentication.
- The product and implementation considerations that sit behind building or buying passkey capability.
- The author’s direct perspective on why execution, not awareness, is now the constraint.
Passkeys at RSAC 2026: what stops workforce rollout from working?
Explore further
Passkey programmes fail on execution design, not on authentication science. The article is clear that FIDO standards and hardware authentication have strong awareness, yet deployment still lags because the surrounding operating model is underspecified. That is an identity governance problem, not a cryptography problem. Teams that treat passkeys as a swap for passwords miss the actual work of binding, recovery, device coverage, and lifecycle control.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which shows how quickly identity sprawl outpaces governance.
A question worth separating out:
Q: How do continuous authentication and passkeys fit together in IAM programmes?
A: Passkeys solve the authentication step, but they do not complete the security model. Teams still need session controls, transaction validation, and real-time risk assessment after login. The practical test is whether access remains trustworthy after authentication, not just during it.