Passkeys at scale: what IAM teams need to fix next


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter  

TL;DR: Passkeys have crossed into mainstream use with more than 3 billion active credentials globally, but the hard work now sits in enrollment, recovery, platform variation, and phishing-resistant account lifecycle design, according to OneSpan’s report from FIDO Authenticate 2025. The security shift is no longer about proving passkeys work; it is about removing the fallback paths that quietly preserve password-era risk.

NHIMG editorial — based on content published by OneSpan: FIDO Authenticate 2025 and passkeys at scale

By the numbers:

Questions worth separating out

Q: How should security teams implement passkeys without weakening account recovery?

A: Security teams should map every recovery path to the assurance it preserves and remove any fallback that depends on phishable methods.

Q: Why do passkey rollouts often look better on mobile than on desktop?

A: Mobile users are already trained to use biometrics and device-bound authentication, so the interaction feels familiar.

Q: What do organisations get wrong about phishing-resistant authentication?

A: They often assume that adding a phishing-resistant option is enough.

Practitioner guidance

  • Audit every recovery path for phishable fallback methods: trace password resets, SMS recovery, help-desk resets, and alternate verification flows back to the account assurance model.
  • Segment passkey metrics by platform and login moment: track adoption separately for mobile, desktop, first login, recovery, and repeat sign-in.
  • Treat session security as part of the passkey programme: extend governance beyond enrollment by monitoring token theft, session hijacking, and step-up triggers for high-risk actions.
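To make the first point concrete, here is an added example (not code from OneSpan or the NHIMG post) that models each recovery path as a chain of methods and reports which paths pull the account's effective assurance below the passkey level. The assurance labels, method names and sample paths are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Assurance rank of a method, weakest first (constructed labels, not a standard).
RANK = {"password": 1, "otp": 2, "phishing_resistant": 3}

@dataclass(frozen=True)
class Method:
    name: str
    level: str       # key of RANK
    phishable: bool  # True if a relaying phishing site can capture or replay it

@dataclass(frozen=True)
class RecoveryPath:
    name: str
    steps: tuple     # Methods the user must complete, in order

def path_assurance(path):
    """A recovery path is only as strong as its weakest step."""
    return min(RANK[m.level] for m in path.steps)

def audit(primary, paths):
    """Return (effective_assurance, offenders). Effective assurance is the
    minimum over the primary login and every recovery path, since an attacker
    picks the weakest door; offenders are the paths below the primary level
    or containing a phishable step, with those step names for remediation."""
    target = RANK[primary.level]
    effective, offenders = target, []
    for p in paths:
        rank = path_assurance(p)
        phishable = [m.name for m in p.steps if m.phishable]
        if rank < target or phishable:
            offenders.append((p.name, rank, phishable))
        effective = min(effective, rank)
    return effective, offenders

def remediated(paths):
    """Keep only the paths whose every step is phishing-resistant."""
    return [p for p in paths if not any(m.phishable for m in p.steps)]

# Constructed sample: passkey-primary account with three recovery paths.
PASSKEY = Method("passkey", "phishing_resistant", False)
SAMPLE_PATHS = [
    RecoveryPath("sms_reset", (Method("sms_otp", "otp", True),)),
    RecoveryPath("helpdesk_reset", (Method("helpdesk_kba", "password", True),
                                    Method("email_magic_link", "otp", True))),
    RecoveryPath("cross_device_passkey",
                 (Method("passkey_other_device", "phishing_resistant", False),)),
]
```

Running `audit(PASSKEY, SAMPLE_PATHS)` shows the account is effectively at password-level assurance despite the passkey, because the help-desk path bottoms out at knowledge-based verification; `remediated()` is the filter that leaves only the cross-device passkey path.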

What's in the full article

OneSpan's full blog covers the operational detail this post intentionally leaves for the source:

  • Practitioner stories from FIDO Authenticate 2025 on rollout friction, support issues, and enrollment timing.
  • Examples of how organisations handled platform switching, device loss, and recovery without breaking user flow.
  • Conference observations on passkey adoption patterns across startups, enterprises, and financial institutions.
  • The vendor's commentary on how digital credentials and post-authentication security fit into the account lifecycle.

👉 Read OneSpan's analysis of passkeys at scale and account lifecycle lessons →
