Passkeys and phishing-resistant authentication: are your controls ready?

TL;DR: Passkeys are presented as a phishing-resistant alternative to passwords and OTPs, with up to 93% login success rates versus about 63% for traditional methods, according to OneSpan. The governance question is no longer whether passkeys work, but how to introduce them alongside existing authentication without creating inconsistent assurance across users and channels.

NHIMG editorial — what this means for IAM teams

By the numbers:

• Up to 93% login success rates with passkeys vs ~63% for traditional methods.
• 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
• Only 5.7% of organisations have full visibility into their service accounts.

Questions worth separating out

Q: How should security teams roll out passkeys without disrupting existing authentication flows?

A: Start with applications where phishing risk and user friction are both high, then introduce passkeys alongside current methods while you preserve enrolment, recovery, and audit continuity.

Q: When do passkeys improve security but still leave governance gaps?

A: Passkeys improve security when they replace reusable secrets, but governance gaps remain if fallback authentication, recovery, or exception handling still relies on passwords or OTPs.

Q: What do IAM teams get wrong about passkey adoption?

A: They often treat passkeys as a user-enrolment project instead of an authentication governance change.

Practitioner guidance

• Inventory legacy authentication dependencies Map which applications, user groups, and step-up flows still depend on passwords or OTPs, then identify where those methods remain the effective fallback for critical access paths.
• Segment passkey policy by assurance tier Set different registration and recovery rules for routine users, privileged users, and high-risk transactions so synced and device-bound passkeys are not treated as interchangeable.
• Redesign step-up decisions around risk Tie passkey prompts to transaction sensitivity, device posture, and sign-in context so authentication strength changes only when the access request warrants it.

What's in the full announcement

OneSpan's full guide covers the operational detail this post intentionally leaves for the source:

• A practical three-step adoption path for introducing passkeys alongside existing authentication methods
• A 5-minute self-guided demo showing enrolment, sign-in, and transaction approval flows
• Guidance on combining synced and device-bound passkeys for different assurance needs
• Implementation detail on adaptive, authenticator-aware security across cloud, on-prem, and hybrid environments

👉 Read OneSpan's guide on strengthening authentication with passkeys →

Passkeys and phishing-resistant authentication: are your controls ready?

Explore further

View Full Forum →  |  NHI Foundation Course →