RSAC 2026 recap: Moving passkeys from direction to execution

Murtaza Hafizji

In the opening keynote at RSAC 2026, Dr. Hugh Thompson, Executive Chairman of RSAC, posed a simple question: “What’s your why?”

The insightful conversations from this year’s event were a reminder that cybersecurity isn’t just about underlying technology. It’s also about responsibility, purpose, and the role we play in shaping what comes next.

For those unable to attend RSAC this year, I want to share a few specific, important themes that came through clearly throughout the week. For me, they showed up most clearly in the conversations at the booth.

First, passwordless authentication is gaining real momentum as reducing user friction becomes a top security priority. In a broader sense, security is also evolving beyond point-in-time authentication toward more continuous, context-aware models.

AI and agentic AI were major themes as well. There’s a growing recognition that AI systems and agents are becoming part of the identity landscape themselves, introducing new long-term risks and requiring new models of control and governance.

The focus of my conversations, however, stayed grounded in more immediate challenges, such as how to deploy and scale authentication in real environments today to address threats like these.

Earlier in the week, I spoke at a FIDO Alliance seminar focused on workforce passkeys, covering enrollment, devices, recovery, and the operational systems around authentication.

You can view my presentation here.

One takeaway stood out clearly: Passkeys don’t fail. Deployments do. At RSAC 2026, those challenges weren’t theoretical; they were the starting point for my conversations.

In conversations with practitioners, architects, and security leaders, a clear pattern emerged around the challenges and strategic differentiators of great passkey strategy execution.

Passkeys, FIDO standards, and hardware authentication have gained awareness, but strong execution lags

Passkeys were everywhere at RSAC this year. While everyone seemed familiar with the concept, there was less consensus about deployment.

The conversation quickly shifted to questions like:

  • How do we roll this out across a workforce?
  • What about shared devices and contractors?
  • How do we migrate from existing MFA solutions?

The technology is proven. The challenge is everything around it.

Phishing-resistant FIDO standards have strong awareness, but practical understanding is still developing. FIDO provides a strong foundation, but too many teams are still operating with a narrow mental model.

Understanding of the different types of FIDO authenticators continues to grow, which is a promising sign of momentum. But deployment strategy still needs far more attention.

Effective passkey implementation depends on identity binding, credential strategy, enrollment and distribution, and lifecycle management.

Take a deeper look at implementation approaches here.

Most security teams are thinking about passkeys through the lens of platform authenticators. That makes sense on the surface, but doesn’t necessarily apply to real environments where hardware authentication may be the best solution.

Shared devices, managed endpoints, and higher-assurance use cases all introduce deployment challenges that require a more nuanced strategy.

Security is moving beyond the login moment, and UX is a growing consideration

The move toward more continuous, context-aware security also dominated RSAC conversations, shifting from authentication alone to:

  • What happens after login?
  • How do we secure sessions?
  • What about transactions?
  • How do we manage real-time risk?

Especially as innovations like agentic AI become part of the enterprise landscape, authentication is becoming the starting point for security, not the full story.

For years, stronger security meant more friction. That assumption is starting to shift. There’s growing confidence that organizations can deliver both strong, phishing-resistant security and a better user experience.

The opportunity now is to make that real across complex environments.

Clarity is becoming a differentiator, especially for passkey implementation

The cybersecurity space is only getting more complex, and clarity is becoming a real competitive advantage. A passkey strategy with clear goals and benchmarks will harness the operational benefits of passwordless authentication, while a disjointed one won’t.

RSAC does a great job of bringing the industry together and clarifying direction. The conversations happening across the show floor and at the booth help bring that direction to life.

The ideas are there. The momentum is there. The focus now is on making it real.

What is my “why” that Dr. Thompson asked about?

I was initially drawn to cybersecurity because it was an exciting field to be part of. Today, it feels far more critical.

The stakes are higher, the impact is broader, and the focus is on execution. Making these ideas work matters more than ever.

And the answer increasingly comes down to execution.

Murtaza Hafizji is the U.S.-based Technical Product Marketing Manager for OneSpan’s Security Business Unit, focused on FIDO, identity, and authentication. With over 15 years in cybersecurity and deep expertise in the identity space, he brings a clear, technical perspective to solving real-world challenges in secure access and digital trust.