TL;DR: Passkeys now account for 62% of one million 2025 authentication challenges, with autofill at 65%, according to Authsignal, while the FIDO Alliance reports more than 1 billion people have activated at least one passkey and consumer awareness rose from 39% to 57%. The governance issue is no longer readiness but rollout design: adoption is happening faster than many IAM programmes have adjusted.
NHIMG editorial — based on content published by Authsignal: What issuing and verifying millions of passkeys has taught us at Authsignal
By the numbers:
- In a sample of one million transactions in 2025, passkeys accounted for 62% of all authentication challenges.
- Consumer awareness of passkeys jumped from 39% to 57% in just two years, according to the FIDO Alliance.
- Over 95% of iOS and Android devices are passkey-ready, according to Authsignal.
Questions worth separating out
Q: How should organisations roll out passkeys without creating new fallback risk?
A: Start with platform readiness, then govern every fallback path as part of the authentication control.
Q: When do passkeys deliver the most value in an IAM programme?
A: Passkeys deliver the most value when an organisation wants to reduce phishing exposure and password dependence across a large user base.
Q: What do IAM teams get wrong about passkey adoption?
A: Teams often assume adoption is mainly a user-education problem, but the article shows readiness, platform support, and rollout design matter just as much.
Practitioner guidance
- Inventory passkey readiness across devices and browsers Confirm which endpoints already support platform authenticators, synced passkeys, and conditional enrollment.
- Redesign recovery and fallback flows Map every backup path that can bypass passkey assurance, including help desk resets, SMS OTP, and email-based recovery.
- Roll out passkeys in high-value segments first Prioritise users with frequent authentication activity or access to sensitive data, then use adoption and support metrics from those groups to refine the broader rollout.
What's in the full article
Authsignal's full blog covers the operational detail this post intentionally leaves for the source:
- Observed enrollment patterns across enterprise customers, including the timing and prompt styles that improved adoption.
- Operational examples of how passkeys were rolled out across mobile and web channels without fragmenting the user journey.
- Support and call centre effects after passkey deployment, including reduced password-reset demand.
- Practical messaging lessons on how to explain passkeys to users in ways that improve opt-in rates.
👉 Read Authsignal's analysis of what millions of passkey transactions reveal →
Passkeys adoption at scale: what IAM teams need to know now?
Explore further
Passkeys are now a mainstream human identity control, not an experimental add-on. When a sample of one million transactions shows 62% passkey usage, the question changes from whether users will adopt the method to whether the organisation can govern it consistently across accounts, devices, and fallback paths. The practical conclusion is that password migration programmes now need passkey operating models, not pilots.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a behaviour gap that persists even where governance exists.
A question worth separating out:
Q: How do passkeys compare with password-based multifactor sign-in for risk reduction?
A: Passkeys reduce reliance on shared secrets and are resistant to common phishing paths that undermine passwords and OTP-based flows. The practical difference is that passkeys move the primary verification step to a cryptographic authenticator, which is harder to replay or intercept.
👉 Read our full editorial: Passkeys are reaching scale faster than enterprise IAM expected