Passwordless identity and passkeys: are IAM teams ready to scale?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Passwordless authentication, phishing-resistant MFA, passkeys, and emerging standards such as AuthZEN and OID4VC are moving from early adoption to operational planning, according to OneSpan’s analysis of Gartner’s July 2025 Digital Identity Hype Cycle. The strategic shift is no longer whether these controls work, but how identity teams scale them without creating new integration, portability, and governance gaps.

NHIMG editorial — based on content published by OneSpan: Au-delà de l'absence de mot de passe, préparer l'avenir de l'identité numérique

Questions worth separating out

Q: How should organisations roll out passwordless authentication without breaking access workflows?

A: Start with a controlled subset of applications, users, and recovery scenarios.

Q: When does phishing-resistant MFA create more value than traditional MFA?

A: It creates the most value where credential theft, phishing, and session hijacking are recurring threats, especially for customer login, employee access, and privileged activity.

Q: How do verifiable credentials change enterprise identity governance?

A: Verifiable credentials shift governance toward issuer trust, portability, revocation, and user-controlled presentation.

Practitioner guidance

  • Define passwordless migration by application tier: Segment customer, workforce, and privileged applications by compatibility with passkeys and phishing-resistant MFA.
  • Test recovery and fallback workflows first: Validate what happens when a device is lost, replaced, shared, or unavailable.
  • Establish standards-based interoperability criteria: Set explicit requirements for passkey, federation, and verifiable credential support across browsers, mobile devices, and enterprise applications.

What's in the full article

OneSpan's full article covers the operational detail this post intentionally leaves for the source:

  • Gartner Hype Cycle context for digital identity priorities and why the vendor is framing passwordless as a roadmap issue
  • Practical adoption guidance for phishing-resistant MFA, passkeys, and identity standards across workforce and customer flows
  • The article's own recommendations on how to explain 2025 to 2027 authentication planning to leadership
  • Early-stage discussion of post-quantum authentication considerations and why they matter for future identity design

👉 Read OneSpan's analysis of the 2025 digital identity Hype Cycle →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Passwordless identity is changing the unit of control from password to trust fabric. The article is right to frame passwordless, passkeys, and phishing-resistant MFA as part of a broader identity control plane rather than a single authentication feature. That shift matters because IAM teams now have to govern device trust, recovery, interoperability, and policy consistency together. For practitioners, the question is not whether passwords disappear, but how much of the trust fabric they can safely move before governance catches up.

A few things that frame the scale:

  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity programmes still lack a complete control baseline.

A question worth separating out:

Q: What should IAM teams prioritise after passwordless becomes the default direction?

A: Prioritise recovery design, interoperability standards, and lifecycle governance. Passwordless changes the authentication surface, but it does not remove identity lifecycle risk. Teams that succeed will treat authentication as one part of a broader trust system covering enrolment, reauthentication, recovery, and revocation across the full user journey.

👉 Read our full editorial: Passwordless identity is becoming the new IAM control plane



   