TL;DR: Passkeys have crossed into mainstream use with more than 3 billion active credentials globally, but the hard work now sits in enrollment, recovery, platform variation, and phishing-resistant account lifecycle design, according to OneSpan’s report from FIDO Authenticate 2025. The security shift is no longer about proving passkeys work; it is about removing the fallback paths that quietly preserve password-era risk.
NHIMG editorial — based on content published by OneSpan: FIDO Authenticate 2025 and passkeys at scale
By the numbers:
- 55-60% of passkey adoption occurs on mobile, with only around 20% adoption on desktop.
Questions worth separating out
Q: How should security teams implement passkeys without weakening account recovery?
A: Security teams should map every recovery path to the assurance it preserves and remove any fallback that depends on phishable methods.
Q: Why do passkey rollouts often look better on mobile than on desktop?
A: Mobile users are already trained to use biometrics and device-bound authentication, so the interaction feels familiar.
Q: What do organisations get wrong about phishing-resistant authentication?
A: They often assume that adding a phishing-resistant option is enough.
Practitioner guidance
- Audit every recovery path for phishable fallback methods. Trace password resets, SMS recovery, help-desk resets, and alternate verification flows back to the account assurance model.
- Segment passkey metrics by platform and login moment. Track adoption separately for mobile, desktop, first login, recovery, and repeat sign-in.
- Treat session security as part of the passkey programme. Extend governance beyond enrollment by monitoring token theft, session hijacking, and step-up triggers for high-risk actions.
What's in the full article
OneSpan's full blog covers the operational detail this post intentionally leaves for the source:
- Practitioner stories from FIDO Authenticate 2025 on rollout friction, support issues, and enrollment timing.
- Examples of how organisations handled platform switching, device loss, and recovery without breaking user flow.
- Conference observations on passkey adoption patterns across startups, enterprises, and financial institutions.
- The vendor's commentary on how digital credentials and post-authentication security fit into the account lifecycle.
👉 Read OneSpan's analysis of passkeys at scale and account lifecycle lessons →
Passkeys at scale: what IAM teams need to fix next?
Explore further
Passkeys are now a lifecycle governance problem, not just an authentication upgrade. The article shows that the difficult issues are enrollment, device loss, platform switchovers, and recovery design, not the protocol itself. That means identity teams must stop treating passkeys as a point control and start governing the full account journey. The practitioner conclusion is that authentication assurance is only as strong as the weakest lifecycle fallback.
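The "weakest lifecycle fallback" rule above, together with the recovery-path audit in the practitioner guidance, as an added example (not OneSpan's or NHIMG's code): a small Python model that scores each login and recovery path and reports the fallbacks that keep an account phishable even after passkeys are enrolled. The method ranks, method names and the two sample accounts are constructed assumptions for illustration, not figures from the report.

```python
from dataclasses import dataclass, field

# Assumed assurance ranks per method (higher is stronger); only origin-bound
# FIDO credentials are treated as phishing-resistant. Illustrative values only.
METHOD_ASSURANCE = {
    "passkey": 3,             # WebAuthn credential, bound to the origin
    "hardware_key": 3,        # roaming FIDO authenticator
    "totp": 2,                # shared-secret OTP, relayable through a proxy
    "email_link": 1,
    "sms_otp": 1,
    "password": 1,
    "helpdesk_reset": 1,      # voice/chat identity check, socially engineerable
    "security_questions": 0,
}
PHISHING_RESISTANT = {"passkey", "hardware_key"}


@dataclass
class Account:
    login_methods: list                                   # steps of the normal login
    recovery_paths: dict = field(default_factory=dict)   # name -> required steps


def path_assurance(steps):
    # Every step in a path must be passed, so the path is as strong as its
    # strongest mandatory step.
    return max(METHOD_ASSURANCE[s] for s in steps)


def is_phishing_resistant(steps):
    return any(s in PHISHING_RESISTANT for s in steps)


def audit(account):
    """Return (effective assurance, weakest path, phishable paths to remove).

    An attacker picks whichever path is easiest, so the account's effective
    assurance is the minimum over login plus every recovery path.
    """
    paths = {"login": account.login_methods, **account.recovery_paths}
    scored = {name: path_assurance(steps) for name, steps in paths.items()}
    weakest = min(scored, key=scored.get)
    phishable = sorted(n for n, s in paths.items() if not is_phishing_resistant(s))
    return scored[weakest], weakest, phishable


# Constructed sample: passkey login with two password-era recovery paths left in place.
BEFORE = Account(["passkey"], {"self_service_reset": ["email_link", "sms_otp"],
                               "helpdesk": ["helpdesk_reset"]})
# Constructed sample after the audit: recovery needs a second passkey or a hardware key.
AFTER = Account(["passkey"], {"backup_passkey": ["passkey"],
                              "hardware_key_plus_email": ["hardware_key", "email_link"]})

if __name__ == "__main__":
    for label, acct in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(acct))
```

The "before" account reports an effective assurance of 1 despite the passkey login, because both recovery paths are phishable; the "after" account reports 3 with nothing to remove.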
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
A question worth separating out:
Q: How should IAM teams manage trust after a successful passkey login?
A: IAM teams should treat authentication as the start of a trust decision, not the end. Session protections, fraud detection, and step-up checks for sensitive actions matter because attackers increasingly target tokens and sessions after login. Passkeys reduce password risk, but they do not eliminate downstream session abuse.
👉 Read our full editorial: Passkeys at scale expose the real account lifecycle gap