
Passkeys at scale: what identity teams are still missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter  

TL;DR: Passkeys are moving from pilot to production at scale, with more than 3 billion in use worldwide, but conference sessions showed that the hard problems are enrolment timing, recovery, platform variance, and post-authentication trust, according to OneSpan and FIDO Alliance discussions. Authentication now has to be treated as part of the full account lifecycle, not a single login control.

NHIMG editorial — based on content published by OneSpan: FIDO Authenticate 2025 and the lessons learned from passkeys at scale

By the numbers:

Questions worth separating out

Q: How should security teams roll out passkeys without creating recovery gaps?

A: Start with enrolment at moments of strong user intent, then harden every fallback path that can undo phishing resistance.

Q: Why do passkey programmes succeed on mobile faster than on desktop?

A: Mobile adoption is faster because users already trust biometrics and device-bound authentication, while desktop environments vary more in browser support, synced credential behaviour, and recovery experience.

Q: What do teams get wrong about phishing-resistant authentication?

A: They often assume that adding passkeys automatically makes the account resistant to phishing.
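The point in the last answer is easy to lose in a feature checklist: an account is only as phishing-resistant as the weakest path that can still grant access to it. The Python below is an added illustration written for this post, not code from OneSpan, the FIDO Alliance or NHIMG. It models an account as a set of enabled authentication and recovery paths, reports the paths that undo phishing resistance, and produces a hardening plan. The path catalogue and the recommended actions are constructed assumptions for the example.

```python
from dataclasses import dataclass

# Constructed catalogue of paths that can grant access to an account.
# "phishing_resistant" means the path cannot be completed by relaying the
# user's secret to an attacker-controlled site (passkeys are origin-bound).
PATH_CATALOGUE = {
    "passkey":           {"phishing_resistant": True,  "kind": "auth"},
    "password":          {"phishing_resistant": False, "kind": "auth"},
    "totp":              {"phishing_resistant": False, "kind": "auth"},
    "sms_reset":         {"phishing_resistant": False, "kind": "recovery"},
    "email_reset":       {"phishing_resistant": False, "kind": "recovery"},
    "helpdesk_override": {"phishing_resistant": False, "kind": "recovery"},
    "recovery_passkey":  {"phishing_resistant": True,  "kind": "recovery"},
}

# Assumed remediation per path kind; a real programme would tune these.
ACTION_BY_KIND = {
    "auth": "disable, or allow only as a step-up after a passkey assertion",
    "recovery": "gate behind identity verification, or replace with a recovery passkey",
}


@dataclass
class Account:
    user: str
    enabled_paths: set


def weakest_paths(account):
    """Enabled paths that are not phishing-resistant.

    Any one of these is sufficient for an attacker to take the account
    without ever touching the passkey, so the list is sorted for stable
    reporting rather than ranked: every entry matters.
    """
    return sorted(
        path for path in account.enabled_paths
        if not PATH_CATALOGUE[path]["phishing_resistant"]
    )


def is_phishing_resistant(account):
    """True only if a passkey is enrolled AND no weaker path remains enabled."""
    return "passkey" in account.enabled_paths and not weakest_paths(account)


def hardening_plan(account):
    """(path, action) pairs needed to close the gap after passkey enrolment."""
    return [
        (path, ACTION_BY_KIND[PATH_CATALOGUE[path]["kind"]])
        for path in weakest_paths(account)
    ]


if __name__ == "__main__":
    # Constructed example: passkey added, but password and SMS reset left on.
    alice = Account("alice", {"passkey", "password", "sms_reset"})
    print("phishing-resistant:", is_phishing_resistant(alice))
    for path, action in hardening_plan(alice):
        print(f"  {path}: {action}")
```

Running the script for the constructed account prints `phishing-resistant: False` and lists `password` and `sms_reset` with their actions; only after those fallbacks are removed or replaced by a recovery passkey does `is_phishing_resistant` return True.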

Practitioner guidance

  • Move enrolment into high-intent moments: Trigger passkey setup immediately after account creation or a successful sign-in, when the user is already engaged and authenticated.
  • Map every recovery path to its abuse potential: Inventory SMS resets, forgotten-password flows, help-desk overrides, and device-loss handling.
  • Segment reporting by platform and browser: Track adoption separately for mobile and desktop, then compare browser and authenticator behaviour so you can see where friction is structural rather than user resistance.
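The first and third items above are the ones most often left as prose in a rollout plan. The Python below is an added example for this post (not OneSpan's or NHIMG's code) showing both: a decision function for whether a session is a high-intent moment to prompt passkey enrolment, and an adoption report that segments prompt-to-completion rates by platform and browser and flags segments whose completion is far enough below the overall rate to suggest structural friction. The five-minute freshness window, the per-device prompt cap, the "half the overall rate" threshold and the event log are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy knobs for the example.
FRESH_AUTH_WINDOW = timedelta(minutes=5)   # "just signed in" means within 5 minutes
MAX_PROMPTS_PER_DEVICE = 3                 # stop nagging after this many declines
HIGH_INTENT_METHODS = {"signup", "password+mfa"}  # completed, strong sign-in events


def should_prompt_enrolment(session, account, now):
    """High-intent moment: a fresh, fully completed sign-in or signup on a
    device that has not yet exhausted its prompt budget, for an account
    that still has no passkey."""
    if account["has_passkey"]:
        return False
    if session["auth_method"] not in HIGH_INTENT_METHODS:
        return False
    if now - session["authenticated_at"] > FRESH_AUTH_WINDOW:
        return False
    if session.get("enrolment_prompts_on_device", 0) >= MAX_PROMPTS_PER_DEVICE:
        return False
    return True


def _make_events(spec):
    """Expand {(platform, browser): (prompted, enrolled)} into an event list
    of the shape a telemetry pipeline would emit one row at a time."""
    events = []
    for (platform, browser), (prompted, enrolled) in spec.items():
        events += [(platform, browser, "prompted")] * prompted
        events += [(platform, browser, "enrolled")] * enrolled
    return events


# Constructed telemetry: prompts shown and enrolments completed per segment.
EVENTS = _make_events({
    ("ios", "safari"):       (10, 8),
    ("android", "chrome"):   (10, 7),
    ("macos", "safari"):     (5, 4),
    ("windows", "chrome"):   (10, 5),
    ("windows", "firefox"):  (10, 2),
})


def adoption_by_segment(events):
    """Per (platform, browser): prompted, enrolled and completion rate."""
    counts = defaultdict(lambda: {"prompted": 0, "enrolled": 0})
    for platform, browser, event in events:
        counts[(platform, browser)][event] += 1
    report = {}
    for segment, c in counts.items():
        completion = c["enrolled"] / c["prompted"] if c["prompted"] else 0.0
        report[segment] = {**c, "completion": completion}
    return report


def overall_completion(report):
    prompted = sum(s["prompted"] for s in report.values())
    enrolled = sum(s["enrolled"] for s in report.values())
    return enrolled / prompted if prompted else 0.0


def structural_friction(report, ratio=0.5):
    """Segments completing at less than `ratio` of the overall rate. Users
    do not resist passkeys in one browser and embrace them in the next, so
    an outlier this large points at browser, authenticator or sync
    behaviour rather than user attitude (heuristic assumed for the example)."""
    cutoff = overall_completion(report) * ratio
    return sorted(seg for seg, s in report.items() if s["completion"] < cutoff)


if __name__ == "__main__":
    report = adoption_by_segment(EVENTS)
    for seg, s in sorted(report.items()):
        print(f"{seg[0]:8}{seg[1]:8} prompted={s['prompted']:3} "
              f"enrolled={s['enrolled']:3} completion={s['completion']:.2f}")
    print("structural friction suspected in:", structural_friction(report))
```

In the constructed data the overall completion rate is about 0.58, so the cutoff is about 0.29; Windows/Firefox at 0.20 is flagged while Windows/Chrome at 0.50 is not, which is the kind of split the third bullet asks teams to surface before blaming users.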

What's in the full article

OneSpan's full article covers the operational detail this post intentionally leaves for the source:

  • Conference anecdotes from implementers handling tens of millions of users and the practical lessons they shared.
  • Vendor session notes on enrolment timing, recovery design, and how teams handle users who change devices or platforms.
  • Examples of how large organisations are measuring adoption differently across mobile and desktop environments.
  • Additional discussion of identity verification and fraud detection as part of post-authentication trust.

👉 Read OneSpan's analysis of passkeys at scale and account lifecycle security →
