Passkeys in customer IAM: what the adoption gap means for teams

TL;DR: Passkey awareness is broadening, with 75% of global consumers recognizing them and 28% enabling them whenever possible, while 45% of organisations have deployed them in at least one app and 87% still rely on passwords for customer-facing authentication, according to FIDO Alliance and Descope. The gap is no longer about demand; it is about whether identity teams can modernise authentication without breaking existing customer journeys.

NHIMG editorial — based on content published by Descope: Passkey Trends for 2026: What the Data Says

By the numbers:

• 75% of global consumers now recognize passkeys, and 28% enable them whenever possible.
• 87% of organizations still use passwords for customer-facing auth, while only 2% believe passwords balance security and UX.
• 45% of organizations have deployed passkeys in at least one app, and 27% expect to within two years.

Questions worth separating out

Q: How should organisations roll out passkeys without breaking customer login flows?

A: Start with journeys that already tolerate fallback, such as signup, account recovery, and step-up authentication.

Q: Why do passkeys often fail to replace passwords quickly?

A: Because the barrier is usually programme readiness, not user demand.

Q: How do security teams know whether passkeys are working well?

A: Look at sign-in success rate, average login time, recovery friction, and login-related ticket volume.

Practitioner guidance

• Start with low-stakes authentication flows Deploy passkeys first in signup, account recovery, and step-up journeys where fallback options already exist and rollback is manageable.
• Define fallback policy before rollout Decide which users, devices, and risk states can use OTPs, magic links, or passwords so fallback does not become an uncontrolled permanent path.
• Assign a named owner for CIAM modernisation Give one team authority over authentication policy, recovery design, and migration sequencing so passkey work is not fragmented across product teams.

What's in the full article

Descope's full blog post covers the operational detail this post intentionally leaves for the source:

• A deeper breakdown of the Descope State of Customer Identity 2025 survey findings and how respondents are segmenting passkey adoption.
• Examples of A/B testing flows that show how teams can introduce passkeys without changing the primary login path on day one.
• A closer look at Branch Insurance's rollout pattern, including fallback handling when device support is unavailable.
• The article's discussion of risk-based signals layered on top of passkeys for step-up scenarios and sensitive transactions.

👉 Read Descope's passkey adoption analysis for customer IAM teams →

Passkeys in customer IAM: what the adoption gap means for teams?

Explore further

View Full Forum →  |  NHI Foundation Course →