TL;DR: Passkeys reduce phishing exposure by replacing shared secrets with device-bound private keys, but the article notes that synced key protection, transport security, and user sharing still create edge cases, according to OneSpan. The security gain is real, yet regulated environments still need stronger device binding and careful assurance choices.
NHIMG editorial — based on content published by OneSpan: Pros and cons of passkeys: Security benefits outweigh risks
Questions worth separating out
Q: How should organisations decide where to use passkeys instead of passwords?
A: Start with applications where phishing and password reuse create the greatest exposure, then compare the sign-in journey to the assurance level required.
Q: When do passkeys still need compensating controls?
A: They still need compensating controls when the environment depends on strict device trust, regulated assurance levels, or tightly controlled account recovery.
Q: What do teams get wrong about passkey security?
A: Teams often assume passkeys are either perfect or too risky to adopt.
Practitioner guidance
- Prioritise password replacement in phishing-heavy journeys: move customer and workforce sign-in flows that are most exposed to credential theft onto passkeys first, especially where the business impact of phishing is high and the application can tolerate device-bound authentication.
- Separate synced and device-bound assurance decisions: document which applications may accept synced passkeys and which require stronger device binding, then align that split to regulatory and internal assurance requirements.
- Review recovery and enrolment paths as part of authentication design: treat account recovery, key restoration, and device replacement as part of the control, because those are the routes that can weaken passkey assurance if they are left unmanaged.
What's in the full article
OneSpan's full article covers the security and implementation detail this post intentionally leaves at the decision level:
- How synced passkeys behave across platform providers and password managers in real deployments
- The article's comparison of device-bound versus synced passkeys for regulated environments
- Practical discussion of when OTPs still belong in a mixed authentication strategy
- The white paper context behind passkey security properties and authenticator implementations
Read OneSpan's analysis of the pros and cons of passkeys.
Passkeys and passwordless sign-in: are edge cases the real risk?
Explore further
Passkeys are a human identity control that removes the reusable secret from the attack path. That changes authentication from secret sharing to cryptographic possession plus user verification. The practical consequence is that phishing, credential stuffing, and password reuse lose their primary lever, so identity programmes can reduce dependence on brittle user behaviour.
Passwordless assurance boundary: passkeys make authentication more resilient, but they also force IAM teams to define where device trust, sync, and recovery are acceptable parts of the identity chain. That boundary should sit inside the application risk model, not inside user preference alone. Teams that align passkey type to assurance level will avoid turning a stronger control into a weaker policy exception.
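As an added illustration (not code from OneSpan's article or this editorial), the following relying-party check reads the WebAuthn authenticator-data flags that distinguish a synced passkey from a device-bound one (BE and BS mark a credential as backup-eligible or currently backed up; UV marks user verification) and enforces the kind of per-application assurance policy the guidance above asks teams to document. The application names, the policy table and the sample authenticator data are constructed for the example.

```python
import hashlib
import struct

# Bit positions in the WebAuthn authenticator-data flags byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN or biometric)
FLAG_BE = 0x08  # backup eligible: the credential may be synced off the device
FLAG_BS = 0x10  # backup state: the credential is currently backed up

# Hypothetical per-application assurance policy of the kind the guidance asks
# teams to document: which apps accept synced passkeys and which demand UV.
POLICY = {
    "marketing-portal": {"require_uv": False, "synced_ok": True},
    "payments-admin": {"require_uv": True, "synced_ok": False},
}

def parse_auth_data(auth_data: bytes) -> tuple[bytes, int, int]:
    """Split the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return auth_data[:32], auth_data[32], sign_count

def evaluate_assertion(app: str, rp_id: str, auth_data: bytes) -> tuple[bool, str]:
    """Decide whether an assertion's authenticator data meets the app's policy."""
    rp_id_hash, flags, _sign_count = parse_auth_data(auth_data)
    policy = POLICY[app]
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if policy["require_uv"] and not flags & FLAG_UV:
        return False, "user verification required"
    # A backup-eligible credential counts as synced even if not yet backed up.
    if flags & (FLAG_BE | FLAG_BS) and not policy["synced_ok"]:
        return False, "synced passkey not accepted at this assurance level"
    return True, "accepted"

def make_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Build constructed sample authenticator data (no attestation, no extensions)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

# Constructed samples: a synced passkey (BE and BS set) and a device-bound one.
SYNCED = make_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)
DEVICE_BOUND = make_auth_data("example.com", FLAG_UP | FLAG_UV)
```

In a real deployment the same decision would be made after signature verification, and the accepted flag combination should be recorded per credential so a later change in backup state can be detected.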
A question worth separating out:
Q: Should regulated environments keep OTPs after adopting passkeys?
A: Yes, in some cases. OTPs can still serve high-assurance or transitional workflows where device binding, backup access, or regulatory interpretation require an additional factor. The key is to limit OTPs to defined exceptions rather than keeping them as the default path for all sign-ins.
Read our full editorial: Passkeys strengthen authentication, but edge cases still matter.