
Post-passwordless identity: what comes after passkeys and MFA?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Passwordless authentication, passkeys, and phishing-resistant MFA are accelerating, but the real challenge is scaling trust across platforms, privacy models, and future post-quantum requirements, according to OneSpan’s commentary on Gartner’s July 2025 Hype Cycle for Digital Identity. The important shift is that passwordless is now table stakes, not an end state, and IAM teams need to plan for what comes after it.

NHIMG editorial — based on content published by OneSpan: Beyond passwordless: preparing for what’s next in digital identity authentication

By the numbers:

Questions worth separating out

Q: How should security teams scale passwordless authentication without creating new access risk?

A: Security teams should scale passwordless by treating enrollment, recovery, revocation, and exception handling as first-class controls.

Q: Why do passkeys and phishing-resistant MFA still need governance oversight?

A: Because stronger authentication does not eliminate lifecycle risk.

Q: When should organisations move from one-time login checks to continuous authorization?

A: Organisations should move when access risk can change during the session, not just at sign-in.

Practitioner guidance

  • Map passwordless rollout to lifecycle control: define how enrollment, recovery, device replacement, and revocation work before expanding passkeys across workforce or customer populations.
  • Plan for continuous authorization where risk changes mid-session: identify applications where one-time login assurance is no longer enough and define which context signals should trigger re-evaluation.
  • Test interoperability before standardising on one identity path: validate how passkeys, federation, and verifiable credentials behave across browsers, devices, and partner ecosystems.

What's in the full article

OneSpan's full article covers the practical detail this post intentionally leaves for the source:

  • How OneSpan frames the Gartner Hype Cycle for Digital Identity in roadmap terms rather than strategy terms.
  • The article's own view on how passkeys, decentralized identity, and continuous authorization fit together in 2025 planning.
  • The specific next-step recommendations for IAM leaders considering post-passwordless roadmaps.
  • OneSpan's perspective on why executive buy-in matters for identity modernization timelines.

👉 Read OneSpan’s analysis of what comes after passwordless identity →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Passwordless is a control shift, not a destination. The article correctly frames passkeys and phishing-resistant MFA as central to present-day identity strategy, but the field should stop treating them as the end state. Authentication assurance is improving, yet the governance burden shifts rather than disappears because enrollment, recovery, lifecycle, and exception handling still determine real-world risk. Practitioners should read passwordless as a new baseline for identity control, not as a closure of the problem.

A few things that frame the scale:

  • NHIs outnumber human identities by 25x to 50x in modern enterprises, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which makes identity governance a visibility problem before it becomes a policy problem.

A question worth separating out:

Q: What is the difference between passwordless authentication and broader identity trust?

A: Passwordless removes shared secrets from the login step, but broader identity trust covers issuance, recovery, portability, revocation, and policy enforcement across the identity lifecycle. A team can deploy passkeys and still have weak identity governance if it cannot prove who owns the credential, how it is recovered, and when it stops being valid.

👉 Read our full editorial: Post-passwordless identity still needs scalable trust controls
