Four key takeaways from RSAC 2025
The OneSpan team at RSAC 2025 in San Francisco
Last week, I had the opportunity to attend RSAC 2025 in San Francisco and connect with thousands of innovators and experts about the continued growth and evolution of cybersecurity.
Spending time listening to presentations, having conversations with fellow security professionals, and sharing our point of view at OneSpan gave me the opportunity to see trends in the security space to watch out for during the rest of 2025. Below, I pulled together my thoughts from the conference and what these takeaways mean for security-minded organizations.
1. RSAC is back — and bigger than before
Since the COVID shutdowns five years ago, many events have struggled to re-establish a presence and audience for in-person events, often turning to digital or hybrid options. This year’s strong attendance at RSAC proves that there’s still a large appetite in the security sphere for in-person, face-to-face conversation and connection.
More than 41,000 security professionals, speakers, exhibitors, and media representatives filled Moscone last week, easily surpassing RSA attendance from the past several years. It was energizing and exciting to walk the show floor. As the space continues to grow, I expect we’ll see more appetite for in-person cybersecurity events.
2. Passkeys put a spotlight on workforce authentication
Workforce authentication is a particular passion and area of focus for us at OneSpan, but at RSAC, we weren’t alone. Conversations about identity and access management (IAM) in particular centered around the growing use of passkeys, with experts acknowledging that static passwords are — and should be — a relic of the past.
Experts from the likes of Capital One, Instacart, Okta, and IANS Research all spoke to the need for passkeys and an overall passwordless security posture. Our own CTO Ashish Jain spoke about implementing passkeys in high-assurance markets during the FIDO seminar, highlighting how passkeys enhance security, reduce fraud, and improve user experience.
You can see this in the news too: tech juggernauts like Microsoft and Google have expanded their passkey use, with Google and FIDO disclosing the use of more than 2.5 billion passkeys and Microsoft recently pushing for a passwordless experience by default.
The conversations and sessions I heard at RSAC show how leaders in the space understand that the future is a passwordless security posture. Throughout the conference, we discussed how this is particularly important for high-privilege users in departments like finance or HR who have access to critical, sensitive information and who are often targets of attempted attacks by malicious agents.
In his session, Jain noted how secure-by-design passkeys not only relieve the user’s burden of remembering a password, but also keep sensitive information safe because they are phishing-resistant. This is especially true of device-bound passkeys versus syncable passkeys, a conversation that’s begun to gain traction with experts.
While both provide an added layer of security, device-bound passkeys eliminate inherent risks found in syncable passkeys, offer better enterprise control, and prevent the risk of unmanaged devices allowing unauthorized users to access data.
But experts recognize that moving to a passwordless security posture can take time and internal planning. If you’re implementing passkey solutions, consider how to encourage employees to use their security keys versus continued reliance on passwords for access. For example, you might alter password requirements over a set period to 30 or more characters to make passkeys an attractive alternative to the end user. Following conversations at RSAC, I expect to see more on this in the coming months.
Blog
Device-bound passkeys: Bolstering workforce authentication
Want to dig deeper into what experts are saying about device-bound passkeys? We shared a few key considerations in this recent blog post.
Read now3. AI took center stage
It’s no longer a question of if organizations use AI — it’s a question of how. AI is everywhere and essentially impossible to avoid. It was exciting to see at this year’s conference just how much this technology has advanced in a short amount of time.
While we learned last year what AI can do with data and monitoring capabilities, we’re now seeing organizations turn toward more proactive and advanced use cases. Better prediction capabilities have especially taken off, as has agentic AI use in security.
An overall highlight in AI conversations was how quickly it’s changing both technology and security, for the better and the worse. The advent of AI in tandem with solutions like trust signals can offer great benefits, like helping to differentiate between real and fake content, or authenticate identities and platforms. A company might, for example, integrate AI trust signals via mobile application shielding, which helps organizations maintain the security of their apps without disrupting end-user experience.
Conversely, though, there are plenty of ways for malicious actors to use it for their own nefarious purposes — 87% of organizations have experienced AI-powered cyberattacks. Those numbers are likely to continue growing as the technology offers cybercriminals the capability of creating more sophisticated attacks, ranging from phishing to deepfakes.
Armed with the ability to mine data through LLMs, attackers can extract more information at a faster rate and with more ease. They can also poison AI to produce content and results leading to their preferred insecure sites or codes, laden with back doors and viruses. AI stands to bring us incredible benefits, but with those also come risks that organizations must be prepared to address.
4. Sophisticated attacks converge organizational and personal security
As we continue to see AI-powered threats materialize, security measures must evolve to keep up with the changing threat environment.
Security is top of mind for leaders across industries, and not just when it comes to their organizations. At RSAC, attendees often discussed and heard about the need for industry and organizational leaders to think not just as a business entity, but as a person, too. The rise in sophistication and volume of phishing attacks makes this especially critical: not only are attackers using AI to launch more of these attacks, but they’re able to customize them to target high-privilege users better than ever before.
The best thing leaders can do right now is understand that someone’s personal security converges with what they’re doing at work. Building better habits not only keeps their own data and finances safe, but also ensures they’re better able to protect the sensitive information tied to their employment. I expect this to continue playing a key role in how leaders educate and train their employees on how to maintain cybersecurity at their jobs, which often starts by doing so at home.
Final thoughts from RSAC 2025
The cybersecurity industry is at a critical juncture, and it’s important we continue the conversations that happened at this year’s RSAC. We’re caught in a constantly evolving landscape that requires leaders to focus and invest more into cybersecurity, particularly as AI advancements put more at stake.
This is particularly true for IAM leaders as personal and professional identity remains an often-threatened target. Implementing passwordless security and incorporating predictive AI capabilities will help organizations defend against evolving threats.
Knowledge-sharing among security professionals at events like RSAC is the key to a more secure future. I look forward to furthering these discussions throughout the year and to what’s in store at next year’s show.
Blog
Security insights
Check out our blog for even more insights on moving to a passwordless future with FIDO2 authenticators and passkeys.
Read now
