TL;DR: First Credit Union reports that over half of authentications now use passkeys and tens of thousands of members have enrolled, showing that phishing-resistant authentication can scale in consumer banking without adding more MFA friction, according to Authsignal. The practical lesson is that passwordless adoption succeeds when identity teams treat usability, device compatibility, and integration work as part of the control design, not an afterthought.
NHIMG editorial — based on content published by Authsignal: First Credit Union and Authsignal, a passkey deployment case study
Questions worth separating out
Q: How should banks roll out passkeys without breaking existing customer login flows?
A: Banks should start with the full authentication journey, not just the credential itself.
Q: When do passkeys reduce risk more than they increase user friction?
A: Passkeys reduce risk when they replace password-based or OTP-driven authentication in flows that are heavily exposed to phishing and account takeover.
Q: What do organisations get wrong about passwordless authentication?
A: They often assume that enabling passkeys automatically solves identity risk.
Practitioner guidance
- Map every fallback path before rollout Inventory password resets, backup factors, and account recovery steps so they do not silently undo the phishing-resistant properties of passkeys.
- Test cross-device enrolment and recovery journeys Validate mobile, browser, and support-assisted flows end to end, including cases where users change phones, lose access, or move between platforms.
- Align passkey state with session and step-up policy Make sure applications can recognise registered, enrolled, and recovered passkey states consistently before extending the programme across more banking channels.
What's in the full article
Authsignal's full case study covers the operational detail this post intentionally leaves for the source:
- Step-by-step deployment sequence for FIDO-certified passkeys across a banking environment
- Member adoption metrics and the rollout lessons that shaped the programme
- Implementation details on how the passkey experience fit with existing customer channels
- The practical considerations behind secure enrolment and support-assisted recovery
👉 Read Authsignal's case study on First Credit Union's passkey rollout →
Passkey deployment in banking: what it means for IAM teams?
Explore further
Passkey adoption is now a human IAM governance problem, not just an authentication upgrade. The security value of passkeys is clear, but the organisational work shifts into enrolment, recovery, device lifecycle, and exception handling. Once a programme reaches real adoption, the question is no longer whether the technology can authenticate users, but whether the identity team can govern the full lifecycle without weakening the phishing-resistant posture. Practitioners should treat passkeys as a policy and operating model change, not a feature toggle.
A few things that frame the scale:
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, showing that control design still depends heavily on user behaviour.
A question worth separating out:
Q: How do teams know whether a passkey programme is actually working?
A: Look for sustained enrolment, high successful-authentication rates, and low reliance on passwords or backup factors. Then check whether recovery cases remain rare and controlled. A passkey programme is working when users adopt it willingly and the identity team can prove that exceptions do not become the normal path.
👉 Read our full editorial: Passkeys in banking show where phishing-resistant IAM pays off