Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Passkeys in 2025: what it means for IAM and MFA strategy


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: Passkeys reached mainstream adoption in 2025, with nearly 70% of users holding at least one passkey, while regulators in the UAE, India, the Philippines, and the US moved away from SMS OTP and toward phishing-resistant authentication, according to Authsignal. Passwordless is no longer a pilot topic; it is becoming the baseline for identity programmes that need to survive fraud pressure and compliance deadlines.

NHIMG editorial — based on content published by Authsignal: Passkeys, passwordless authentication in 2025, and the year passkeys went mainstream

By the numbers:

Questions worth separating out

Q: How should security teams phase out SMS OTP without breaking user access?

A: Start with the highest-risk journeys first, especially regulated payments, account recovery, and privileged support interactions.

Q: Why do passkeys reduce account takeover risk more effectively than OTP?

A: Passkeys reduce takeover risk because they rely on public-key cryptography rather than shared secrets that can be phished or intercepted.

Q: How do organisations decide when syncable passkeys are enough?

A: Use syncable passkeys where usability and adoption matter, but only after assigning the application’s assurance level.

Practitioner guidance

  • Inventory every remaining SMS and email OTP dependency Map each login, recovery, and step-up flow that still relies on interceptable codes.
  • Separate passkey policy by assurance level Classify where syncable passkeys are acceptable and where device-bound or stronger recovery controls are required.
  • Tie authentication design to fraud telemetry Use login success, account takeover attempts, and help-desk recovery volume to judge whether passkey rollout is reducing risk or simply shifting it.

What's in the full article

Authsignal's full blog covers the operational detail this post intentionally leaves for the source:

  • Implementation specifics for passkey rollout across consumer login, recovery, and step-up flows.
  • The article's full breakdown of regional regulatory deadlines and how they affect authentication planning.
  • More detail on the vendor's adaptive MFA and rules-engine approach for risk-based authentication.
  • Examples of passkey adoption patterns across regulated industries and customer identity journeys.

👉 Read Authsignal's analysis of passkey adoption, SMS OTP decline, and NIST changes →

Passkeys in 2025: what it means for IAM and MFA strategy?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Passwordless adoption is now an IAM governance issue, not a product preference. Once nearly 70% of users hold at least one passkey, the operational question changes from adoption feasibility to control design. Identity teams must decide which user journeys can remain password-based, which must move to phishing-resistant authentication, and how recovery is governed across devices and credential managers. The implication is that passkey policy now belongs in the core IAM roadmap, not in a pilot backlog.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.

A question worth separating out:

Q: What should IAM teams do if regulators reject SMS OTP for authentication?

A: Treat the mandate as a control redesign trigger, not a channel swap. Replace SMS OTP with phishing-resistant authentication, revisit recovery workflows, and update policy to distinguish between routine access and sensitive actions. The real work is aligning authentication strength with transaction risk and proving that weaker factors are no longer in the critical path.

👉 Read our full editorial: Passkeys went mainstream in 2025 as SMS OTP lost ground



   
ReplyQuote
Share: