FIDO Authenticate 2025: What I learned about passkeys at scale
Last week, I attended my first full FIDO Authenticate conference in Carlsbad, CA. Coming from the Dallas FIDO seminar a few months ago, I had a solid grasp of passkey fundamentals. But three days immersed in sessions, booth conversations, and hallway discussions with practitioners from dozens of companies revealed the gap between understanding passkeys and deploying them at scale.
What struck me most wasn't the technology itself; passkeys are well understood at this point. It was the maturity of the conversations.
Organizations weren't debating if passkeys work. They were troubleshooting production challenges, comparing adoption metrics across platforms, and sharing hard-won lessons from deployments serving millions of users.
Andrew Shikiar, Executive Director of the FIDO Alliance, opened with a milestone that captures this momentum: Over 3 billion passkeys are now in active use globally.
This has been achieved in less than three years, a remarkable feat for any authentication standard. The conference theme, "achieving usable security across the account lifecycle," captured this shift perfectly.
Organizations were focused on the practical work of making passkeys succeed in production and exploring what complete account security looks like beyond just authentication.
What nobody tells you about implementing passkeys
Rolf Lindemann from OneSpan opened his session, "Passkeys in Action: Real-World Lessons from the Frontlines," with a scenario many in the room recognized. A hypothetical developer finds example code for passkeys and confidently tells their boss, "This is so easy, give me four weeks to implement."
The room laughed knowingly. The code is the easy part. What takes time are challenges that only surface in production, including:
- Handling user enrollment without friction
- Supporting users who lose devices
- Managing platform switchers
- Scaling from thousands to millions of users
These are design and operational challenges, not technical problems. Between our OneSpan booth sessions, which highlighted our message, "Secure every identity moment," and conversations with implementers from companies ranging from startups to Fortune 20 enterprises, three patterns emerged.
Timing makes or breaks adoption
Uber built a technically perfect passkey solution, but users kept choosing passwords. The breakthrough? They experimented with when they prompted users to enroll.
When they offered passkeys immediately after account creation or successful login, the moments when users are already engaged and authenticated, adoption spiked. Present the same option at the wrong moment, and users ignore it.
This insight seems obvious in retrospect, but it highlighted an important distinction — passkey deployment is a user journey design challenge just as much as it’s a technical implementation challenge.
Platform matters more than you'd think
eBay's data reinforced an important point: 55-60% of passkey adoption occurs on mobile, with only around 20% adoption on desktop. That's not a deployment failure, that's reality.
Mobile users expect, and are already used to, biometric authentication. They're already unlocking their phones with Face ID or fingerprints dozens of times daily, so passkeys feel like a natural user experience (UX) feature in other applications. Desktop environments are still catching up, with browser experiences that vary significantly.
The key takeaway: platform-specific expectations matter in measuring passkey success.
The best UX is invisible
Norway's BankID migrated over half the country's population to passkeys without anyone knowing they were using passkeys. Users simply updated their app and continued authenticating, as they always have.
This interesting story reinforced an important principle — sometimes the most effective approach is to make the secure path the default, without asking users to understand the underlying technology or make a decision about adoption on their own.
Beyond authentication: Building complete trust
Two critical themes emerged that go beyond basic passkey implementation:
1. Phishing resistance requires commitment. Apple's keynote delivered a message that resonated throughout the conference: Adding passkeys as an option doesn't automatically make a system phishing-resistant. True phishing resistance requires eliminating all phishable authentication and recovery methods from an account. One SMS recovery flow or one "forgot password" link undermines the protection passkeys provide.
This requires product, IT support, and security teams to align on a strategy that may temporarily increase costs or friction. But as PayPal's data shows, it's worth it: phishing-related losses dropped by nearly half after their passkey deployment.
That insight clarifies the real question: Are organizations willing to remove the insecure methods that passkeys should replace?
2. Authentication is just the beginning. OneSpan CTO Ashish Jain's keynote articulated what many sessions reinforced: "Authentication alone doesn't equal trust. In an era of AI-driven attacks and increasingly sophisticated fraud, digital trust requires more pillars, such as identity verification to know who you're dealing with and fraud detection to ensure they're acting with good intent."
The most successful organizations are using passkeys as enablers for high-assurance workflows across their platforms. They're rethinking how trust gets established and maintained beyond the login gate and throughout the entire user journey.
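The first point above, that a single phishable sign-in or recovery method undoes the protection a passkey provides, can be checked against an account inventory. The following is an added example, not code from the conference or from any vendor mentioned; the record layout and the method labels (`passkey`, `security_key`, `sms_otp`, `email_link`, `totp`, `password`) are assumptions, and the sample accounts are constructed.

```python
from collections import Counter

# Assumed method labels for this example. Only WebAuthn-based methods are
# origin-bound, so only they are treated as phishing-resistant.
PHISHING_RESISTANT = {"passkey", "security_key"}


def audit_account(account):
    """Return (status, phishable_methods) for one account record.

    An account is as strong as its weakest path, so sign-in and recovery
    methods are pooled before classification.
    """
    methods = set(account["sign_in"]) | set(account["recovery"])
    phishable = sorted(methods - PHISHING_RESISTANT)
    has_resistant = bool(methods & PHISHING_RESISTANT)
    if has_resistant and not phishable:
        status = "phishing_resistant"
    elif has_resistant:
        status = "passkey_with_phishable_fallback"
    else:
        status = "no_passkey"
    return status, phishable


def audit(accounts):
    """Audit every account; return a per-user report and status counts."""
    report = {a["user"]: audit_account(a) for a in accounts}
    summary = Counter(status for status, _ in report.values())
    return report, summary


# Constructed sample inventory (hypothetical users and enrollments).
ACCOUNTS = [
    {"user": "alice", "sign_in": ["passkey"], "recovery": ["security_key"]},
    {"user": "bob", "sign_in": ["passkey", "password"], "recovery": ["sms_otp"]},
    # Passkey-only sign-in, but the recovery path is still phishable.
    {"user": "carol", "sign_in": ["passkey"], "recovery": ["email_link"]},
    {"user": "dave", "sign_in": ["password", "totp"], "recovery": ["email_link"]},
]

if __name__ == "__main__":
    report, summary = audit(ACCOUNTS)
    for user, (status, phishable) in report.items():
        print(f"{user:6} {status:34} remove: {', '.join(phishable) or '-'}")
    print(dict(summary))
```

Tracking the `passkey_with_phishable_fallback` count alongside raw enrollment numbers shows how many passkey users can still be phished through a fallback or recovery path.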
What's next in authentication
Every conference has "future trends" sessions, but three topics at Authenticate 2025 caught my attention because they're already solving real problems today.
- Verifiable digital credentials complement passkeys rather than competing with them. Passkeys authenticate you; digital credentials provide portable, selective disclosure of your attributes. As Google's team explained, passkeys don't fully solve account creation and recovery, but, with the addition of digital credentials, organizations can complete a fully secured account lifecycle.
- Agentic AI authentication moved from theoretical to urgent remarkably fast. With AI agents now booking travel, making purchases, and accessing systems, we need to authenticate not only the agent, but the context and authority behind its actions.
- Post-authentication security addresses what happens after login. Sessions highlighted emerging technologies that prevent token theft and session hijacking — attacks that can bypass even the strongest authentication. Passkeys secure the entry point, but there's important work happening to maintain that security throughout the entire session.
Main takeaways from Authenticate 2025
Walking away from my first Authenticate conference, a few things are clear:
1. Passkeys have crossed from emerging to mainstream. Organizations with 100 million enrolled users are leading indicators, not edge cases. This aligns with what Gartner captured in the July 2025 Hype Cycle™ for Digital Identity, and was confirmed by what I witnessed at Authenticate.
2. Successful deployment requires more than code. The technical specs are well documented. The real value comes from understanding the organizational, design, and operational considerations that make passkeys work seamlessly for real users at scale.
3. The ecosystem is vibrant. From major tech platforms to specialized vendors and financial institutions, the sheer number of organizations actively deploying passkeys was impressive. The community aspect — people genuinely helping each other solve problems — stood out.
I left Authenticate energized, and not just from the California sunshine. The authentication landscape is shifting more quickly than I realized, and events like this make change more visible and tangible.






