Passkeys in 2026: what IAM teams need to weigh now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Passkeys are moving from niche authentication option to mainstream IAM discussion, with OneSpan citing Gartner data that 72% of authentication-related inquiries in 2025 were about passwordless authentication and noting a 93% login success rate for passkeys versus 63% for passwords. Passwordless change is no longer just a UX decision, because it reshapes authentication resilience, rollout strategy, and control boundaries across consumer and workforce identity.

NHIMG editorial — based on content published by OneSpan: the Authentication Newsletter for May 2026, including its World Passkey Day 2026 discussion of passkeys and passwordless authentication

By the numbers:

Questions worth separating out

Q: How should organisations roll out passkeys without disrupting existing login flows?

A: Start by adding passkeys alongside current authentication methods, then use adoption and recovery data to decide when to reduce password dependence.

Q: When do passkeys work best for regulated or high-assurance environments?

A: Passkeys are most useful when authentication must be resistant to phishing and password reuse, especially where login failure has direct business or compliance impact.

Q: What do security teams get wrong about passwordless authentication?

A: The most common mistake is treating passwordless as a user-experience upgrade instead of an identity control change.

Practitioner guidance

  • Map passkey type to risk tier: Use device-bound passkeys where control and assurance matter most, and reserve syncable passkeys for user groups where portability and recovery are more important.
  • Stage passwordless rollout beside existing methods: Introduce passkeys in parallel with current authentication paths, then gradually reduce password dependence as adoption and recovery performance stabilise.
  • Redesign account recovery before enforcing passwordless: Review lost-device handling, re-enrolment, help desk verification, and step-up recovery so that passwordless does not shift risk into weak fallback processes.

What's in the full article

OneSpan's full newsletter covers the operational detail this post intentionally leaves for the source:

  • Side-by-side explanation of syncable versus device-bound passkeys for different user populations
  • Six-factor build versus buy decision points for passkey deployment across enterprise environments
  • Practical rollout considerations for combining passkeys with existing authentication methods
  • Conference and industry event references for teams tracking passwordless adoption trends

👉 Read OneSpan's newsletter on passkeys, passwordless adoption and deployment decisions →

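The "map passkey type to risk tier" guidance in the post above can be enforced server-side from the WebAuthn authenticator data, where the BE (backup eligible) and BS (backup state) flag bits distinguish syncable from device-bound credentials. The following is an added example, not code from the post or from OneSpan; the tier names, the policy table and the `example.test` relying party ID are hypothetical, and it assumes the assertion signature has already been verified.

```python
import hashlib
import struct

# Flag bits in the WebAuthn authenticator data flags byte.
UP, UV, BE, BS = 0x01, 0x04, 0x08, 0x10

# Hypothetical policy: which passkey types each risk tier accepts.
TIER_POLICY = {
    "high": {"device-bound"},
    "standard": {"device-bound", "syncable"},
}

def parse_auth_data(auth_data: bytes) -> dict:
    """Parse the fixed 37-byte header: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    return {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count}

def passkey_type(flags: int) -> str:
    """Classify by backup eligibility; BS set without BE is not a valid state."""
    if flags & BS and not flags & BE:
        raise ValueError("BS set without BE: malformed authenticator data")
    return "syncable" if flags & BE else "device-bound"

def allowed(auth_data: bytes, rp_id: str, tier: str) -> bool:
    """True if this credential may be used for the given risk tier."""
    parsed = parse_auth_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False  # authenticator data was produced for another relying party
    if not parsed["flags"] & UP:
        return False  # user presence is required for every tier
    if tier == "high" and not parsed["flags"] & UV:
        return False  # hypothetical rule: high tier also needs user verification
    return passkey_type(parsed["flags"]) in TIER_POLICY[tier]

def sample(rp_id: str, flags: int, count: int = 1) -> bytes:
    """Constructed sample authenticator data (header only, for illustration)."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, count)

if __name__ == "__main__":
    synced = sample("example.test", UP | UV | BE | BS)
    print("syncable passkey, high tier:", allowed(synced, "example.test", "high"))
    print("syncable passkey, standard tier:", allowed(synced, "example.test", "standard"))
```

The BE flag is reported by the authenticator itself, so a high-assurance tier would normally pair this check with attestation at registration rather than rely on the flag alone.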
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 921
 

Passkeys are becoming an authentication control, not a niche UX enhancement. The article reflects a broader shift in identity programmes: authentication is being judged by its ability to reduce phishing exposure, lower operational burden, and improve sign-in success at scale. That puts passkeys into the centre of IAM design rather than the edge of consumer convenience. Practitioners should treat passwordless migration as a core control conversation, not a pilot.

A few things that frame the scale:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Should organisations build or buy a passkey solution?

A: Choose based on operating capacity, not ideology. Building can give tighter control and customisation, but it demands more engineering and governance ownership. Buying can speed deployment, but the organisation still has to own policy, recovery, assurance, and long-term authentication strategy.

👉 Read our full editorial: Passkeys, passwordless adoption and the identity trade-off for IAM teams
