Back to identity: FIDO Alliance and the future of phishing-resistant authentication

Murtaza Hafizji

This week, in my first week at OneSpan as Technical Product Marketing Manager, I had the opportunity to attend the FIDO Alliance Seminar in Dallas, TX, focused on Authentication & Identity: The Road Ahead. The event brought together industry leaders, practitioners, and standards advocates to reflect on the state of authentication and, more importantly, to define what must come next.

As threat models evolve and digital experiences accelerate, one thing is clear: traditional approaches to authentication are no longer sufficient.

Joining OneSpan at a time when identity is being redefined—through passkeys, FIDO standards, and the convergence with AI—feels like a return to first principles. It reminded me of why I was drawn to identity in the first place. It’s where security meets usability, trust meets technology.

With over 15 years in cybersecurity and more than a decade at RSA, identity and authentication have long been central to my professional journey. In 2010, I began my career working on RSA SecurID, and in many ways, it laid the foundation for how I think about trust, access, and risk. The FIDO Alliance Seminar reminded me why I came to OneSpan: to help advance new, more secure approaches to authentication.

The shifting authentication landscape

Multi-factor authentication (MFA) has long been considered best practice, but today’s threat actors are increasingly bypassing it using phishing proxies, real-time adversary-in-the-middle attacks, and social engineering tactics. This challenge has been amplified by the rise of generative AI, which lowers the barrier to launching sophisticated attacks at scale.

According to industry data from the FIDO Alliance shared during the seminar:

  • Phishing attacks increased by 4.2% after the introduction of ChatGPT
  • Phishing is now estimated to be 30x more cost-effective than traditional human-led social engineering
  • Over 53% of consumers reported an increase in suspicious digital activity over the past year

The message is clear: Phishing-resistant authentication is no longer optional—it’s essential.

Passkeys: A simpler and stronger alternative

At the heart of FIDO’s efforts is the promotion of passkeys, which are FIDO-based credentials designed to replace passwords with cryptographically strong, device-bound or cloud-synced authentication. Passkeys offer the benefits of public key cryptography without introducing friction for users.

They are:

  • Phishing-resistant: No shared secrets to intercept
  • User-friendly: A single biometric or device gesture enables login
  • Scalable: Supported across major browsers, platforms, and devices

Passkeys come in different form factors. While syncable or multi-device credentials offer convenience, FIDO2-certified hardware security keys, such as OneSpan’s Digipass FX security keys, provide the highest level of assurance. These portable, device-bound keys offer strong protection against phishing and tampering and are ideal for high-assurance use cases.

Organizations across industries are beginning to adopt passkeys and seeing strong results:

  • In the technology sector, passkeys have significantly accelerated authentication with faster sign-ins, while reducing help desk volume
  • For consumer users in industries like gaming, they have improved sign-in success rates and reduced user abandonment
  • In airline and travel, organizations have reported faster transaction completion and increased authentication reliability

These outcomes affirm that passkeys are not only secure, they’re practical and impactful.

Identity and AI: Converging forces

The FIDO Alliance Seminar also addressed the growing intersection between identity and artificial intelligence, a relationship that is quickly becoming foundational to modern security strategy. Three emerging roles for identity were emphasized:

  1. Enhancing identity with AI for behavioral analysis, adaptive access, and threat detection
  2. Protecting identity against AI, such as mitigating deepfakes and impersonation fraud
  3. Securing AI with identity through access control and authorization for model and data usage

As AI adoption accelerates, identity becomes the first line of defense and the foundation of responsible AI governance.

Three core principles for scaling authentication

Another key takeaway was that authentication at scale must balance security, usability, and deployability. The following principles were emphasized across sessions:

  1. Design for user experience: Make secure access intuitive and low-friction
  2. Simplify the technology ecosystem: Minimize dependencies and complexity
  3. Enable choice: Support different authenticators to meet varying user and device needs

The ultimate goal: Make the secure path the easiest one to take.

What’s next for identity and authentication

As mentioned earlier, joining OneSpan at a time when identity is being redefined feels like a return to first principles, but with renewed urgency. Now that the standards are mature and the ecosystem is aligned, the opportunity to lead is clear.

At OneSpan, we’re focused on enabling phishing-resistant authentication at scale and helping organizations build trust without adding friction. Whether through secure workforce access, strong customer authentication, or ecosystem integrations, we’re making identity secure by design and usable by default.

Follow me here and on LinkedIn as I dig deeper into FIDO, passkeys, and modern authentication strategies in my new role. I’ll be sharing more insights on where the industry is headed and how we can help shape it.

Murtaza Hafizji is the U.S.-based Technical Product Marketing Manager for OneSpan’s Security Business Unit, focused on FIDO, identity, and authentication. With over 15 years in cybersecurity and deep expertise in the identity space, he brings a clear, technical perspective to solving real-world challenges in secure access and digital trust.