TL;DR: Passkeys are gaining momentum as Apple, Google, Microsoft, FIDO Alliance and major brands report broad support and adoption, while consumers increasingly recognise the model and regulators accept it for secure authentication. The real challenge is not whether passkeys work, but how to roll them out without breaking recovery, consistency or hybrid access paths.
NHIMG editorial — based on content published by Strivacity: Passkeys are taking off, what is still standing in the way, and how to roll them out
By the numbers:
- More than 15 billion accounts are enabled for passkeys.
- Google has logged 2.5 billion passkey authentications across 800 million accounts.
- Amazon reports 175 million users with passkeys.
Questions worth separating out
Q: How should security teams roll out passkeys without breaking customer login flows?
A: Start with an opt-in model, keep passwords plus MFA available during transition, and standardise one policy across all applications.
Q: Why do passkey programmes still fail if passwords are removed?
A: Removing passwords does not remove the need for recovery, enrollment and fallback governance.
Q: What do organisations get wrong about passkey adoption?
A: They often treat it as a front-end authentication change instead of a lifecycle and policy change.
Practitioner guidance
- Standardise a single passkey policy model: define where passkeys are preferred, where passwords remain available, and how step-up is triggered for sensitive transactions across every customer-facing application.
- Treat recovery as a high-assurance workflow: require stronger identity verification for device loss, device replacement and account rebind than you use for ordinary sign-in or self-service reset.
- Preserve secure fallback paths during migration: keep passwords plus MFA available for users who are not ready for passkeys, but prevent fallback paths from becoming the default weak link in the journey.
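As an added example (not code from the Strivacity post or from NHIMG), the three points above expressed as one policy function that every application calls with its own parameters. The app names, the assurance ladder, the event names and the fallback cap are hypothetical values chosen for illustration. Two behaviours are worth noticing: recovery and rebind always demand more than any sign-in, and a user who has no passkey once the password fallback is closed is routed into recovery rather than into a weaker login.

```python
# Added example (not NHIMG's or Strivacity's code): one passkey policy
# evaluated for every app. App names, event names, the assurance ladder
# and FALLBACK_CAP are hypothetical values chosen for illustration.
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Tuple


class Assurance(IntEnum):
    """Ordered assurance ladder; higher means harder to phish or spoof."""
    PASSWORD_MFA = 2      # legacy sign-in, kept only for the migration window
    PASSKEY = 3           # phishing-resistant, origin-bound credential
    IDENTITY_PROOF = 4    # out-of-band identity verification for recovery/rebind


@dataclass(frozen=True)
class AppPolicy:
    name: str
    password_fallback_allowed: bool = True           # False = passkey-only app
    step_up_transactions: frozenset = frozenset()   # actions that re-require PASSKEY


@dataclass
class User:
    user_id: str
    has_passkey: bool
    has_password_mfa: bool
    fallback_logins: int = 0   # how often this user has taken the legacy path


@dataclass(frozen=True)
class Decision:
    methods: Tuple[str, ...]   # what the journey must present, in order
    required: Assurance        # minimum assurance this step must reach
    reason: str


# Every customer-facing app is registered here; the rules in decide() are shared.
POLICIES = {p.name: p for p in (
    AppPolicy("web", step_up_transactions=frozenset({"change_email", "payout"})),
    AppPolicy("mobile", step_up_transactions=frozenset({"payout"})),
    AppPolicy("partner_portal", password_fallback_allowed=False),
)}

FALLBACK_CAP = 5  # hypothetical: after this many legacy logins, stop offering the fallback
RECOVERY_EVENTS = {"device_loss", "device_replace", "rebind"}


def _passkey_or_enrol(user: User, reason: str) -> Decision:
    """Require the passkey; an authenticated user without one enrols first."""
    if user.has_passkey:
        return Decision(("passkey",), Assurance.PASSKEY, reason)
    return Decision(("passkey_enrollment", "passkey"), Assurance.PASSKEY, reason)


def decide(app: str, event: str, user: User,
           transaction: Optional[str] = None,
           migration_window: bool = True) -> Decision:
    """Return the authentication requirement for one step of a journey.

    Recovery always outranks sign-in; passwords are a time-boxed fallback
    that is switched off per app, per user (cap) or when the window closes.
    """
    policy = POLICIES[app]  # unknown apps fail loudly rather than defaulting to lenient rules

    if event in RECOVERY_EVENTS:
        # Device loss, replacement and rebind get stronger verification than any sign-in
        return Decision(("identity_proofing", "passkey_enrollment"),
                        Assurance.IDENTITY_PROOF, "recovery is a high-assurance workflow")

    if event == "transaction":
        if transaction in policy.step_up_transactions:
            # Sensitive action: re-present the phishing-resistant credential
            return _passkey_or_enrol(user, "step-up for sensitive transaction")
        return Decision((), Assurance.PASSWORD_MFA, "existing session suffices")

    if event == "sign_in":
        if user.has_passkey:
            return Decision(("passkey",), Assurance.PASSKEY, "passkey preferred")
        fallback_open = (policy.password_fallback_allowed and migration_window
                         and user.has_password_mfa
                         and user.fallback_logins < FALLBACK_CAP)
        if fallback_open:
            return Decision(("password", "mfa"), Assurance.PASSWORD_MFA,
                            "migration fallback (logged and capped)")
        # No passkey and no fallback: this is a rebind, not a weaker login
        return Decision(("identity_proofing", "passkey_enrollment"),
                        Assurance.IDENTITY_PROOF, "fallback closed: treat as rebind")

    raise ValueError(f"unknown event {event!r}")


if __name__ == "__main__":
    legacy = User("u2", has_passkey=False, has_password_mfa=True)
    for app in POLICIES:
        print(app, decide(app, "sign_in", legacy))
```

The cap and the migration flag are the two knobs that stop the fallback from becoming the default path: the same user gets the legacy login on `web` during the window, but is sent through recovery on `partner_portal`, after the cap, or once the window closes, and the decision carries a reason string so the fallback can be counted rather than silently tolerated.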
What's in the full article
Strivacity's full blog post covers the rollout detail this post intentionally leaves for the source:
- The customer education flow for introducing passkeys during sign-up and password reset journeys.
- The practical recovery choices for lost or replaced devices, including secure fallback design.
- The phased rollout pattern for moving from optional adoption to broader default use.
- The recommended approach for standardising passkeys across multiple apps and environments.
👉 Read Strivacity's analysis of passkey adoption and rollout strategy →
Passkeys in CIAM: what it means for login and recovery
Explore further
Passkeys are becoming a customer identity control, not a novelty feature. The adoption signals in the article show that ecosystem readiness has crossed a practical threshold, which means the remaining blockers are now governance and operational design. When authentication is easier to use and harder to phish (a passkey is bound to the site's origin, so it cannot be replayed to a look-alike domain), the question shifts to whether the organisation can standardise it across channels without creating exceptions that reintroduce legacy risk. Practitioners should treat passkeys as a mainstream CIAM control path, not a pilot.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant behaviour gap that identity programmes often underestimate.
A question worth separating out:
Q: How do you know if passkeys are actually improving security?
A: Look for fewer password-reset events, lower phishing exposure on supported journeys, and stable or improving completion rates for enrollment and recovery. If support tickets rise sharply or fallback use dominates, the programme may be shifting risk rather than reducing it. The best signal is improved assurance without degraded account access.
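The signals in the answer above, turned into measurable checks. This is an added example, not code from NHIMG or Strivacity: the event names, the thresholds (fallback share, completion floor, ticket growth) and the sample event stream are all constructed for illustration, and a real programme would pull the same counts from its identity provider's audit log.

```python
# Added example (not from the source article): KPIs for a passkey rollout
# computed over a constructed stream of (period, event_name) pairs.
# Event names, thresholds and the sample data are hypothetical.
from collections import Counter
from typing import Dict, List, Optional, Tuple

SIGNIN_EVENTS = ("signin_passkey", "signin_password_mfa")

# Constructed sample: 'before' is the password era, 'after' the first passkey phase.
SAMPLE_EVENTS: List[Tuple[str, str]] = (
    [("before", "signin_password_mfa")] * 900 + [("before", "password_reset")] * 60
    + [("before", "support_ticket")] * 5
    + [("after", "signin_passkey")] * 700 + [("after", "signin_password_mfa")] * 250
    + [("after", "password_reset")] * 20 + [("after", "support_ticket")] * 8
    + [("after", "enroll_started")] * 300 + [("after", "enroll_completed")] * 270
    + [("after", "recovery_started")] * 20 + [("after", "recovery_completed")] * 18
)


def _rate(numer: int, denom: int) -> Optional[float]:
    """None when the denominator is zero, so a missing journey is not read as 0%."""
    return numer / denom if denom else None


def metrics(events: List[Tuple[str, str]]) -> Dict[str, Dict[str, Optional[float]]]:
    """Per-period KPIs: fallback share, resets and tickets per 1k sign-ins, completion rates."""
    counts: Dict[str, Counter] = {}
    for period, name in events:
        counts.setdefault(period, Counter())[name] += 1
    out: Dict[str, Dict[str, Optional[float]]] = {}
    for period, c in counts.items():
        signins = sum(c[e] for e in SIGNIN_EVENTS)
        out[period] = {
            "signins": signins,
            "fallback_share": _rate(c["signin_password_mfa"], signins),
            "resets_per_1k": _rate(1000 * c["password_reset"], signins),
            "tickets_per_1k": _rate(1000 * c["support_ticket"], signins),
            "enroll_completion": _rate(c["enroll_completed"], c["enroll_started"]),
            "recovery_completion": _rate(c["recovery_completed"], c["recovery_started"]),
        }
    return out


def verdict(before: Dict[str, Optional[float]], after: Dict[str, Optional[float]],
            max_fallback_share: float = 0.5, min_completion: float = 0.85,
            max_ticket_growth: float = 2.0) -> Tuple[str, List[str]]:
    """Reducing risk only if assurance improved without degrading access."""
    findings: List[str] = []
    if (after["resets_per_1k"] is not None and before["resets_per_1k"] is not None
            and after["resets_per_1k"] >= before["resets_per_1k"]):
        findings.append("password resets are not falling")
    if (after["fallback_share"] or 0.0) > max_fallback_share:
        findings.append("fallback path dominates sign-ins")
    for key in ("enroll_completion", "recovery_completion"):
        if after[key] is not None and after[key] < min_completion:
            findings.append(f"{key} below {min_completion:.0%}")
    if (before["tickets_per_1k"] and after["tickets_per_1k"] is not None
            and after["tickets_per_1k"] > max_ticket_growth * before["tickets_per_1k"]):
        findings.append("support tickets rising sharply")
    return ("reducing risk" if not findings else "shifting risk"), findings


def assess(events: List[Tuple[str, str]]) -> Tuple[str, List[str]]:
    m = metrics(events)
    return verdict(m["before"], m["after"])


if __name__ == "__main__":
    print(metrics(SAMPLE_EVENTS))
    print(assess(SAMPLE_EVENTS))
```

The thresholds are the part to argue about locally: a fallback share above one half after a phase means the legacy path is still the real login, and a recovery completion below the floor means the high-assurance workflow is locking people out rather than protecting them.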
👉 Read our full editorial: Passkey adoption is reshaping customer login and recovery