FIDO Alliance https://fidoalliance.org Open Authentication Standards More Secure than Passwords Mon, 02 Mar 2026 22:45:20 +0000

Biometric Update: NFC-based IDV with liveness delivers zero fraud, fewer support calls for BankID Norway https://fidoalliance.org/biometric-update-nfc-based-idv-with-liveness-delivers-zero-fraud-fewer-support-calls-for-bankid-norway/ Mon, 02 Mar 2026 22:45:14 +0000 https://fidoalliance.org/?p=88591 With 4.7 million enrolled users in a country of roughly 5.6 million people, BankID Norway is one of the most widely adopted digital identity schemes in the world. In 2025 alone, the platform processed close to 901 million transactions, covering everything from tax filings and student loan applications to legal name changes and divorce proceedings. But scale exposes identity verification to threats, meaning that authentication alone is not enough.

At a recent webinar, BankID Norway’s Ove Morten joined Joe Palmer, president of iProov, and Megan Shamas, CMO at FIDO Alliance, to discuss how the platform has evolved its approach to authentication and why combining passkeys with biometric liveness verification has become central to that strategy. 

Yahoo! Finance: Yubico Unveils “YubiNation Partners”: A New Era of Global Channel Partnership to Secure Digital Identities in the Age of AI https://fidoalliance.org/yahoo-finance-yubico-unveils-yubination-partners-a-new-era-of-global-channel-partnership-to-secure-digital-identities-in-the-age-of-ai/ Fri, 27 Feb 2026 18:33:52 +0000 https://fidoalliance.org/?p=88587 Yubico, a modern cybersecurity company and creator of the most secure passkeys, today announced the launch of YubiNation Partners, a new global Channel program designed to unite a community of security experts. In the face of growing AI-driven cyber threats, the program enables partners to become trusted advisors and cultivate a safer digital world for their customers, making identities private and secure.

Android Headlines: Dashlane Becomes First Password Manager to Implement FIDO Credential Exchange on Android https://fidoalliance.org/android-headlines-dashlane-becomes-first-password-manager-to-implement-fido-credential-exchange-on-android/ Fri, 27 Feb 2026 18:32:10 +0000 https://fidoalliance.org/?p=88585 Dashlane has implemented the FIDO Credential Exchange standard on Android to simplify vault transfers. This protocol replaces insecure CSV exports with an encrypted direct transfer between apps. While it enables the portability of passkeys, its current effectiveness is limited because other major providers like Google have yet to fully adopt the standard.

ChosunBiz: Raonsecure launches Korea hiring drive to power Agentic AI security push https://fidoalliance.org/chosunbiz-raonsecure-launches-korea-hiring-drive-to-power-agentic-ai-security-push/ Fri, 27 Feb 2026 18:31:12 +0000 https://fidoalliance.org/?p=88583 Raonsecure said on the 26th it will launch an open recruitment drive for AI and security talent to lead the era of Agentic AI.

Raonsecure will recruit entry-level and experienced hires online through Mar. 15. The company said strong interest is expected again this year after last year’s open recruitment posted a 125-to-1 competition rate.

MUO: Passwords are officially obsolete — here’s why you should make the jump today https://fidoalliance.org/muo-passwords-are-officially-obsolete-heres-why-you-should-make-the-jump-today/ Fri, 27 Feb 2026 18:29:50 +0000 https://fidoalliance.org/?p=88581 Our entire digital life is secured by a password, and it’s up to us to use secure and unique passwords that can withstand emerging physical threats. Routine data breaches, phishing attacks, and compromised accounts put user data at risk — especially if you use the same password across multiple accounts. Considering the kinds of data stored in digital accounts in 2026, from banking accounts or credit card hubs, we need an option that’s both secure and simple. Passwords are not the answer, but their replacement is just as useful and private as advertised.

MSN: Why you simply don’t need a password manager anymore in 2026 https://fidoalliance.org/msn-why-you-simply-dont-need-a-password-manager-anymore-in-2026/ Fri, 27 Feb 2026 18:28:17 +0000 https://fidoalliance.org/?p=88579 Federal authentication standards and major platform shifts have made passkeys the default login method for most consumer and enterprise accounts, pushing traditional password managers toward obsolescence. The FIDO2 protocol, backed by the W3C’s WebAuthn specification and endorsed by both NIST and CISA as the only widely available phishing-resistant authentication method, now ships natively in every major browser and operating system. For the growing number of users whose accounts rely on public-key credentials instead of shared secrets, the password manager has become a solution to a problem that no longer exists.

Launching the FIDO Americas Adoption Forum https://fidoalliance.org/launching-the-fido-americas-adoption-forum/ Thu, 26 Feb 2026 21:13:19 +0000 https://fidoalliance.org/?p=88555 Digital economies across the Americas are expanding rapidly, presenting both new opportunities and risks. As a largely mobile-first region, there is widespread innovation, especially in payments. At the same time, bad actors are exploiting technologies and processes, putting this progress at risk.

That is why we are excited to announce the launch of the FIDO Americas Adoption Forum (FAAF). This is a new initiative designed to advance open standards and accelerate market adoption across the region. It aims to uncover new opportunities to provide simpler and safer authentication with FIDO technologies in the Americas. Initially, the Forum will focus on Latin America, given its potential.

The opportunity

In many Latin American markets, mobile internet penetration exceeds 70% and populations are digitally active at very high levels. For example, Brazil’s “Pix” instant payment system has been adopted by over 90% of adults. That kind of uptake signals both technological readiness and a massive user appetite for frictionless experiences.

But rapid digitization brings challenges. Credit card fraud rates across Latin America are 97% higher than in North America, and legacy authentication is failing to stop malware attacks that have risen by 113% in the region, with 79% of fraud occurring on mobile devices. Bad actors are also exploiting new threat vectors. Looking at Brazil again, deepfakes in Q1 2025 occurred at five times the rate seen in the US and ten times the rate in Germany.

These conditions create an urgent need for phishing-resistant authentication technology that puts trust and simplicity at the center of digital interactions. With FIDO adoption in the relatively early stages across much of the region, the impact that can be achieved by shaping adoption and solving these security gaps is enormous.

Our Approach

The FAAF will focus on fostering a local community of industry-leading organizations and experts to address the specific technical, regulatory, and business challenges of the region. We are drawing on FIDO’s model that has proven successful in driving adoption of open, phishing-resistant standards across the globe, including our APAC Marketing Forum, while adapting to regional dynamics. This includes:

  • Local champions: We will identify leaders to advocate for interoperable standards within their markets and connect global best practices to local needs.
  • Education and enablement: We will bring FIDO expertise to stakeholders in key verticals – including banking, e-commerce, government, and airlines – through targeted webinars and workshops.
  • Regulatory engagement: We will help regulators understand how FIDO standards can support national security and economic objectives.
  • Regional insights: We will channel feedback from the Forum to ensure FIDO specifications and market enablement activity address real-world deployment challenges.

Help drive FIDO adoption in the region

We’re starting with quarterly calls focussed on understanding the opportunities, challenges and nuances of the Latin American markets. This will include FIDO members from the region and those with interest and operations there. We will also explore bringing in external speakers to share their expertise on regulation, industry trends, and other topics of interest.

A major part of our initial work will focus on understanding the regulatory environment in key markets, and identifying opportunities to engage with regulators to educate them about FIDO.

If you are a FIDO member, look out for a formal invitation to join the Forum soon. We will follow this with our official kick-off call in the coming weeks.

The opportunity in Latin America is significant. I hope you will join us in bringing greater trust and simplicity to digital interactions across these dynamic markets.

FIDO Paris Seminar 2026 https://fidoalliance.org/fido-paris-seminar-2026/ Tue, 24 Feb 2026 13:42:49 +0000 https://fidoalliance.org/?p=88546 Overview

The FIDO Alliance hosted a one-day seminar on “Advancing Authentication, Identity and Payments in Europe.” The seminar gathered many influential leaders and decision-makers to explore Europe’s evolving authentication, identity, and payments landscape. 

Attendees gained insights into the latest developments with FIDO, passkeys, payments, identity verification and digital credentials. 

View the presentations below:

ID Tech: SK Telecom Joins FIDO Alliance Board as Passkeys Adoption Accelerates https://fidoalliance.org/id-tech-sk-telecom-joins-fido-alliance-board-as-passkeys-adoption-accelerates/ Fri, 20 Feb 2026 12:11:53 +0000 https://fidoalliance.org/?p=88489 SK Telecom has been appointed to the FIDO Alliance Board of Directors, adding a major mobile operator to the leadership group shaping industry priorities around passkeys and phishing-resistant authentication.

The company said the appointment was made at the FIDO Alliance general assembly meeting in Paris and emphasized the role of FIDO-based authentication in the broader shift away from passwords. FIDO’s board composition can matter for both enterprise and consumer deployments because it influences the evolution of specifications, certification programs, and implementation guidance relied on by platforms and relying parties.

PC Mag: Still Using Passwords? That’s Risky. Here’s Why You Should Switch to Passkeys Now https://fidoalliance.org/pc-mag-still-using-passwords-thats-risky-heres-why-you-should-switch-to-passkeys-now/ Fri, 20 Feb 2026 12:09:43 +0000 https://fidoalliance.org/?p=88487 Even though everyone knows “12345” is a terrible password, it still lands at the top of “worst password” lists. We get it, no one likes remembering passwords, and changing them after every data breach is a pain, even if you do have a password manager. Luckily, passkeys have a real chance to replace them entirely with something more secure, tied to your specific devices. With luck and time, it may make the traditional email address-and-password combination obsolete.

The Fast Identity Online (FIDO) Alliance developed passkeys several years ago, and many companies are already implementing them. For example, Microsoft removed password support from its authenticator app in August but left passkey support in place, and Amazon regularly prompts users to create a passkey if they haven’t already.

Wired: How Passkeys Work—and How to Use Them https://fidoalliance.org/wired-how-passkeys-work-and-how-to-use-them-2/ Fri, 13 Feb 2026 17:16:19 +0000 https://fidoalliance.org/?p=88462 Passwords suck. They’re hard to remember, but worse is playing the ever-evolving game of cybersecurity whack-a-mole with your most important accounts. That’s where passkeys come into play. The so-called “war on passwords” has taken off over the past two years, with titans like Google, Microsoft, and Apple pushing for a password-less future that the FIDO Alliance (a consortium made to “help reduce the world’s over-reliance on passwords”) has been trying to realise for over a decade.

Like it or not, you’ll be prompted to create a passkey at some point, and you likely already have. That’s a good thing, as passkeys aren’t only much easier to use than a traditional password, they’re also a lot safer. Here’s everything you need to know about using them.

Mastercard: Unlock your key to a more secure checkout https://fidoalliance.org/mastercard-unlock-your-key-to-a-more-secure-checkout/ Fri, 13 Feb 2026 17:15:11 +0000 https://fidoalliance.org/?p=88459 Unlock your key to a more secure checkout. Use your unique payment passkey to secure your purchases.

Integrating FIDO Standards into Secure OT Connectivity — A Practical Path to Resilience https://fidoalliance.org/integrating-fido-standards-into-secure-ot-connectivity-a-practical-path-to-resilience/ Thu, 12 Feb 2026 13:18:09 +0000 https://fidoalliance.org/?p=88448 Operational Technology (OT) environments — from industrial control systems to critical infrastructure networks — have traditionally prioritized safety and availability. The newly published Secure Connectivity Principles for Operational Technology (OT) guidance produced by the UK National Cyber Security Centre (NCSC) in partnership with agencies from Australia, Canada, US, Germany, Netherlands, and New Zealand underscores how evolving connectivity demands require a modern security posture that does not compromise operational integrity while facing an expanding threat landscape. 

At the FIDO Alliance, our mission has always been to champion open, scalable, and trusted identity and authentication standards that are simple to use. Today those same principles, originally forged to eliminate the weak link of shared secrets on the web, are directly applicable to securing OT connectivity and distributed device environments.

Below I’ll outline how FIDO phishing-resistant authentication (passkeys), FIDO Device Onboard (FDO) and emerging work in Bare Metal Onboarding (BMO) support these secure connectivity principles, enabling organizations to achieve strong authentication, trusted connectivity, secure supply chains and secure update of software at scale.

Phishing-Resistant Authentication Is Now Table Stakes for OT

The OT guidance emphasizes strong authentication at network boundaries, remote access points, and management planes. This is exactly the problem FIDO set out to solve with passkeys. Passkeys replace passwords and shared secrets with device-bound cryptographic credentials that are phishing-resistant, replay-resistant, and built on open standards.

For OT operators, engineers, and vendors accessing jump hosts, DMZ gateways, or privileged access workstations, this removes the most common root cause of breaches: stolen credentials. That simple shift from shared secrets to cryptography dramatically reduces risk at OT boundaries.

Practically speaking, this enables organizations to:

  • Enforce phishing-resistant MFA for all remote/vendor access
  • Secure privileged admin workflows
  • Reduce helpdesk overhead from tokens/password resets
  • Strengthen auditability and attribution of actions

This aligns directly with the guidance’s goals of minimizing exposure and hardening connectivity with modern, standardized controls.

Securing Vendor and Remote Access Without Increasing Complexity

OT environments frequently require third-party maintenance and specialized engineering support. Historically, that has meant VPN accounts, shared credentials, or brittle remote access solutions. The guidance recommends organizations move to centralized, controlled connectivity and brokered access patterns. FIDO authentication fits naturally into the recommended control framework:

  • FIDO authentication-secured jump hosts, remote workstations, and more
  • Privileged access gateways
  • Just-in-time access provisioning
  • Device-verified operator identity

This approach delivers both least privilege and strong non-repudiation — two capabilities that are increasingly important for regulated industries. Most importantly, it does so without adding friction for operators, which is critical in environments where uptime and usability are non-negotiable.

Establishing Trust in Devices with FIDO Device Onboard (FDO)

Users aren’t the only identities that matter in OT. Devices — gateways, sensors, controllers, and edge systems — must also prove they are trusted before joining operational networks. This is where FIDO Device Onboard (FDO) comes in. FDO provides:

  • Zero-touch onboarding
  • Cryptographic device attestation
  • Secure ownership transfer
  • Encrypted provisioning channels
  • “Late binding” to the correct management platform at deployment time

Rather than shipping devices with default passwords or manual configuration steps, FDO allows them to securely authenticate and receive credentials automatically. For OT environments, this:

  • Eliminates weak factory credentials
  • Reduces field provisioning errors
  • Supports standardized onboarding across diverse hardware
  • Strengthens supply-chain assurance

In other words, devices join the network only after cryptographically proving who they are. This satisfies a foundational requirement for segmentation and isolation strategies described in the guidance, delivering value today for industrial IoT, gateways, and modern edge infrastructure.

But secure onboarding is only the first step.

Bare Metal Onboarding and Lifecycle Resilience

One of the most important, and often overlooked, requirements in the OT guidance is the need to keep systems securely updated and maintain a known-good state over time. This has historically been difficult in OT. Devices may be deployed in remote locations, managed by non-IT personnel, or running outdated software because rebuilding them is complex and risky.

This is exactly the challenge that FIDO Bare Metal Onboarding (BMO) addresses. Building on FDO’s trusted foundation, BMO extends late binding beyond ownership to the entire software stack:

  • Operating system
  • Applications
  • Configuration
  • Credentials

With BMO, a device can be powered on with no preinstalled OS and securely receive:

  • Authorized OS images
  • Approved software packages
  • Policy-defined configurations
  • Verified updates

All cryptographically validated and delivered through the same attested, encrypted control plane established by FDO. 

In doing so, BMO unlocks several capabilities that are particularly powerful for OT operators:

  1. Zero-touch secure deployment: Devices can be installed by non-technical personnel and automatically provision themselves safely.
  2. Secure rebuilds and recovery: If compromise or corruption is suspected, systems can be wiped and reinstalled to a known-good state.
  3. Reliable patching and upgrades: Organizations can keep software current (a key expectation in the UK guidance) without manual intervention.
  4. Standardization across vendors: A consistent, open, interoperable approach replaces fragmented proprietary tooling.

In short, BMO transforms onboarding into lifecycle assurance. Where FDO answers “Can I trust this device?”, BMO answers “Can I trust exactly what is running on it, not just today but after every update?”

That’s a critical step forward for OT resilience.

[For more information on BMO, check out this webinar]

A Clear Roadmap to go from Principles to Practice

Organizations aligning with the OT secure connectivity principles can take concrete action today, while preparing for what’s next:

Now

  • Require phishing-resistant FIDO passkeys for all OT remote and privileged access
  • Standardize FIDO authentication at gateways and management interfaces
  • Adopt FDO for zero-touch, secure onboarding of new edge and industrial devices

2026 and beyond

  • Incorporate FIDO Bare Metal Onboarding into procurement requirements
  • Enable secure OS/app provisioning and automated rebuilds
  • Maintain known-good state and rapid recovery across distributed OT estates

Identity as the Foundation of OT Security

The OT threat landscape has changed permanently. Connectivity is no longer optional, and security can’t rely on isolation alone. The future is identity-first: verifiable users, verifiable devices, and verifiable software state. FIDO standards provide open, scalable building blocks for all three, turning the guidance principles into something actionable:

  • Passkeys secure the people.
  • FDO secures the devices.
  • BMO secures the software lifecycle.

FIDO technologies already deliver meaningful protection today. And with Bare Metal Onboarding, they will enable an even more resilient, zero-touch, secure-by-design OT ecosystem in the years ahead.

Enterprise IT News: Why APAC can lead the world in FIDO and passkey adoption https://fidoalliance.org/enterprise-it-news-why-apac-can-lead-the-world-in-fido-and-passkey-adoption/ Mon, 09 Feb 2026 13:46:35 +0000 https://fidoalliance.org/?p=88434 Asia-Pacific (APAC) is one of the most-attacked regions globally — accounting for 34 per cent of incidents in 2024, with valid-account abuse as the leading entry vector, according to the IBM X-Force 2025 Threat Intelligence Index — making strong identity protection a business imperative. Across business process outsourcing (BPO) operations, manufacturing floors, healthcare environments, and both SMEs and large enterprises, workers rely heavily on continuous access to applications and sensitive digital data, meaning the digital identity of every employee has effectively become the new perimeter.

ID Tech: Better Identity Coalition Circulates Draft Voluntary Code of Conduct for Verifiable Credentials https://fidoalliance.org/id-tech-better-identity-coalition-circulates-draft-voluntary-code-of-conduct-for-verifiable-credentials/ Mon, 09 Feb 2026 13:45:13 +0000 https://fidoalliance.org/?p=88432 The Better Identity Coalition has circulated a draft voluntary code of conduct it describes as “rules of the road” for how organizations request and use data from verifiable digital credentials. The effort offers an early framework for limiting overly broad or invasive data requests as verifiable credentials move closer to real-world deployment.

Biometric Update: Passkeys offer potential solution to increased deepfake attacks on financial services https://fidoalliance.org/biometric-update-passkeys-offer-potential-solution-to-increased-deepfake-attacks-on-financial-services/ Mon, 09 Feb 2026 13:43:51 +0000 https://fidoalliance.org/?p=88430 Among sectors vulnerable to AI-assisted fraud attacks, the financial industry is perhaps the ripest. With high-stakes remote transactions occurring at scale, increasingly involving AI agents, there are countless attack surfaces, and potentially massive payoffs.

At the FIDO Alliance’s Identity Policy Forum, a panel led by the Better Identity Coalition unpacks a paper it drafted with the American Bankers Association within the Financial Services Sector Coordinating Commission (FSSCC), focusing on the threat of generative AI to the financial services digital identity system.

Biometric Update: Calling Utah: SEDI offers template for fast-tracking digital identity schemes https://fidoalliance.org/biometric-update-calling-utah-sedi-offers-template-for-fast-tracking-digital-identity-schemes/ Mon, 09 Feb 2026 13:42:49 +0000 https://fidoalliance.org/?p=88428 A presentation from Chief Privacy Officer for the State of Utah Christopher Bramwell at the FIDO Identity Policy Forum looks at how the state’s unique culture has influenced its leadership on digital identity in the U.S., in the form of its State Endorsed Digital Identity (SEDI) initiative.

Biometric Update: FIDO’s Andrew Shikiar predicts the triumph of wallets in 2026 https://fidoalliance.org/biometric-update-fidos-andrew-shikiar-predicts-the-triumph-of-wallets-in-2026/ Thu, 05 Feb 2026 16:00:59 +0000 https://fidoalliance.org/?p=88421 Passkey champions to develop certification profile as focus turns to digital credentials

At the annual Identity & Policy Forum, it’s a tradition for Andrew Shikiar, CEO of the FIDO Alliance, to reflect on his predictions from the previous year and offer predictions for the coming one. 2025 was a pivotal year for FIDO: passkeys – FIDO’s raison d’etre in recent years – finally became a mainstream authentication method, marking a long-term win for the Alliance.

In his keynote, FIDO Alliance CEO Andrew Shikiar estimates over 4 billion passkeys are now being used to secure sign-ins around the world. “That’s a massive number considering we introduced passkeys in 2022.”

Shikiar’s speech runs through his record on predictions he made at the beginning of 2025, and comes out looking pretty clairvoyant. Major banks have deployed passkeys. “I stood here last year and said 2025 will be the year of passkeys and banking,” Shikiar says. “I was kind of eating my socks on that until around Q4, when all of a sudden basically every major bank in the U.S. passkeys for sign-up.”

Meta Engineering: No Display? No Problem: Cross-Device Passkey Authentication for XR Devices https://fidoalliance.org/meta-engineering-no-display-no-problem-cross-device-passkey-authentication-for-xr-devices/ Thu, 05 Feb 2026 12:40:00 +0000 https://fidoalliance.org/?p=88419 Meta shares a novel approach to enabling cross-device passkey authentication for devices with inaccessible displays (like XR devices).

  • We’re sharing a novel approach to enabling cross-device passkey authentication for devices with inaccessible displays (like XR devices).
  • Our approach bypasses the use of QR codes and enables cross-device authentication without the need for an on-device display, while still complying with all trust and proximity requirements.
  • This approach builds on work done by the FIDO Alliance and we hope it will open the door to bring secure, passwordless authentication to a whole new ecosystem of devices and platforms.
Payments Journal: Why the Future of Financial Fraud Prevention Is Passwordless https://fidoalliance.org/payments-journal-why-the-future-of-financial-fraud-prevention-is-passwordless/ Fri, 30 Jan 2026 18:41:16 +0000 https://fidoalliance.org/?p=88381 Fraud is evolving faster than ever, with AI-powered scams, deepfake-enabled identity theft, and a surge in account takeovers putting financial institutions on high alert and accountholders at risk. As the most visible safeguard of the past few decades, the humble password is coming under increasing scrutiny.

In a PaymentsJournal podcast, Dr. Adam Lowe, Chief Product and Innovation Officer at CompoSecure and Arculus, and Suzanne Sando, Lead Analyst of Fraud Management at Javelin Strategy & Research, explored the rising fraud challenges facing financial institutions and how some of the latest solutions may be inspired by innovations in retail.

Payments Dive: Charting 2026 payments trends https://fidoalliance.org/payments-dive-charting-2026-payments-trends/ Fri, 30 Jan 2026 18:40:17 +0000 https://fidoalliance.org/?p=88379 For our 2026 outlook, we picked six trends to better acquaint you with what to expect this year in the payments arena, but then we went a step further in selecting three worthy of a deeper dive. See all four stories below, and a brief explanation of why we focused where we did.

Our senior reporter, Justin Bachman, dug deeper into the AI-driven agentic payments topic to help readers better understand when and how this tech tool really becomes a reality. Spoiler: not in 2026. Still, his story describes the challenges being tackled this year that are likely to lead to bot payments as early as next year.

CNBC: Data breaches climbed to a record high in 2025. How to protect your personal information https://fidoalliance.org/cnbc-data-breaches-climbed-to-a-record-high-in-2025-how-to-protect-your-personal-information/ Fri, 30 Jan 2026 18:39:13 +0000 https://fidoalliance.org/?p=88377 It’s the letter most consumers dread receiving — the notification that your personal information has been involved in a data breach.

About 80% of respondents to a new survey said they received at least one data breach notice in the prior 12 months, according to the Identity Theft Resource Center.

Nearly 40% of respondents received three to five separate notices over that period. The survey polled 1,040 individuals in November.

Of those who recently received a data breach notice, 88% reported at least one negative consequence, such as increased phishing or other scam attempts, more spam emails or robocalls or an attempted account takeover, the survey found.

Cybersecurity Dive: Top 3 factors for selecting an identity access management tool https://fidoalliance.org/cybersecurity-dive-top-3-factors-for-selecting-an-identity-access-management-tool/ Fri, 30 Jan 2026 18:33:05 +0000 https://fidoalliance.org/?p=88375 It’s not like forgetting the milk at the grocery store. No big deal, just add it to the list for next time. But that kind of oversight in identity management isn’t as simple to fix, and organizations that adopt a solution later may find it becomes an expensive add-on to their security to-do list.

It’s a situation many organizations find themselves in. The Cisco Duo 2025 State of Identity Security reports that 74% of IT leaders admit identity security is often an afterthought in infrastructure planning. As a result, businesses scramble to tack on an identity solution, often too late to assess whether it’s the right fit for their architecture, compliance, and scalability goals. ’Cause unlike the milk, it’s harder to swing back later and grab the right solution.

Recap: FIDO Tokyo Seminar 2025 – Toward a Passwordless World: Deepening Japan’s Leadership and Deployment https://fidoalliance.org/recap-fido-tokyo-seminar-2025-toward-a-passwordless-world-deepening-japans-leadership-and-deployment/ Thu, 29 Jan 2026 00:42:32 +0000 https://fidoalliance.org/?p=88302 On December 5, 2025, the digital identity community gathered at Tokyo Port City Takeshiba for the 12th FIDO Tokyo Seminar. Under the theme “Towards a Passwordless World”, the event brought together 300+ industry leaders, government officials, and engineers to discuss the effectiveness of passkeys as a countermeasure against phishing and to explore the future landscape of digital identity.

Global Momentum: Local Leadership Driving Adoption

The seminar kicked off by highlighting the rapid adoption of FIDO standards and the strong commitment shown by the Japanese market.

Andrew Shikiar, CEO & Executive Director of the FIDO Alliance, shared the latest metrics: over 7 billion accounts worldwide are now protected by passkeys, with more than 3 billion passkeys saved by users. Data from the newly introduced “Passkey Index” further demonstrated the technology’s impact, revealing a 93% authentication success rate and a 73% reduction in login times.

In the Japanese market, Koichi Moriyama (NTT DOCOMO), Chair of the FIDO Japan Working Group (FJWG), reported on the growth of the local community as it celebrates its 10th anniversary and 111th monthly meeting. The day also marked a notable announcement: the FIDO Alliance has signed a liaison partnership with the Japan Securities Dealers Association (JSDA). This partnership is expected to accelerate security improvements and FIDO adoption across the entire securities industry.


Policy & Security: From Recommended to Essential

In 2025, Japan’s policy and security strategies are upgrading phishing-resistant authentication from “recommended” to “essential.”

  • Digital Agency: Masanori Kusunoki addressed the revision of the guidelines for online identity verification in administrative procedures (DS-500 to DS-511). He expressed the view that for Assurance Level 2 or higher, phishing-resistant methods like the My Number Card or passkeys will effectively become mandatory.
  • NPA & FSA: Takahide Sannomiya (National Police Agency) and Motoshi Matsunaga (Financial Services Agency) emphasized the importance of passkeys in countering cyber threats. In the financial sector specifically, policies are advancing to default to phishing-resistant Multi-Factor Authentication (MFA) for critical operations such as logins and fund transfers.

Proven Success & Next Frontier: Account Recovery

A highlight of the seminar was the consensus that passkeys have moved beyond “early adoption” to become mainstream in Japan’s major services.

The “Passkey Index Japan” panel session (Mercari, NTT DOCOMO, KDDI, FIDO Alliance) revealed that passkey authentication usage has exceeded 50% among smartphone users at these three companies. It was disclosed that 50.4% of all monthly active users (MAU) for authentication services are already utilizing passkeys.

This widespread usage, spanning all ages and demographics, suggests that passkeys are a realistic solution that balances convenience with security.

The discussion also focused on “Account Recovery” as one of the key challenges following widespread passkey adoption. Tatsuya Karino (Mercari), Masao Kubo (NTT DOCOMO), and Hideki Sawada (KDDI) emphasized the importance of secure recovery processes utilizing My Number Cards (JPKI) and eKYC, as well as designing for device changes. This is poised to be a cross-industry theme for 2026.

Securities Transformation: Advancing Passkey Deployment

The transformation within the securities industry is noteworthy. Shinobu Hirayama of Rakuten Securities reported that the company completed the rollout of passkey authentication (FIDO2) across all channels in October 2025. According to Hirayama, five securities firms have already implemented FIDO2, with that number expected to rise to seven by the end of the year. He emphasized that passkeys play a central role in building a technology-based “layered defense” against evolving fraud attacks.

Deep Dive into Tech: Platforms & Security

Technical sessions for developers and security experts explored the latest features supporting passkey implementation.

  • Google Platform Evolution: Eiji Kitamura shared the latest updates based on Credential Manager. Of particular note was the “Restore Credentials API,” which promises to improve the developer experience by enabling seamless sign-ins when users migrate to new devices.
  • Session Protection: In the “All About Passkeys” session (Eiji Kitamura, Kosuke Koiwai, Masaru Kurabayashi), the discussion turned to the risks of “session hijacking” that remain even after passkey adoption. Speakers argued for the necessity of risk-based session protection and new specifications like Device Bound Session Credentials (DBSC) to counter malware-based cookie theft.

Ecosystem & Innovation: Expanding Use Cases

Presentations from sponsor companies demonstrated a mature ecosystem capable of supporting diverse use cases.

  • Regulated Industries & Finance: Gim Leng Koh (OneSpan) presented a dual-key approach for financial institutions, enabling device health assessment and transaction signing (WYSIWYS).
  • Scale & Performance: Eugene Lee (RaonSecure) introduced their FIDO solution’s high processing performance, supporting over 10 million monthly users.
  • Solving B2B Challenges: Kazuhito Shibata (ISR) addressed the barriers hindering MFA adoption in corporate environments.
  • Device Security in the AI Era: Everett Hiroshi Shiina (Yubico) explained the importance of hardware-attested Single Device Passkeys in the face of rising AI threats.
  • Lifecycle Protection: Takashi Yoshii (Daon) introduced the integration of FIDO authentication with Deepfake detection-enabled eKYC via the IdentityX platform.
  • Customer Engagement: Mitsuharu Nakamura (Twilio) proposed a seamless authentication experience using Twilio Verify, which supports passkeys alongside SMS and TOT

Beyond Authentication: Digital Credentials & Identity

The conversation extended beyond authentication to the entire identity lifecycle.

In a video message, Lee Campbell (Google/FIDO Alliance Digital Credential WG Co-Chair) shared the vision of extending the trust and interoperability established by passkeys to “Digital Credentials,” defining ecosystem standards for wallets and identity verification.

The final panel session, featuring members from the FIDO Alliance, OpenID Foundation, OpenID Foundation Japan, and the Digital Agency, deepened the discussion on managing the entire identity lifecycle—from account creation to recovery.

Looking Forward: Building Japan’s Digital Identity Future

The 12th FIDO Tokyo Seminar served as a testament that passkeys are becoming firmly established as part of Japan’s digital social infrastructure. As we look toward 2026, the FIDO Alliance’s initiatives will continue to expand from authentication to the entire identity lifecycle and into the realm of digital credentials.

We would like to express our sincere gratitude to the sponsor companies who supported this event, as well as to all the speakers and attendees. We look forward to seeing you at our next event!

Payment Industry Intelligence: Agentic Commerce and the quiet return of Guest Checkout
https://fidoalliance.org/payment-industry-intelligence-agentic-commerce-and-the-quiet-return-of-guest-checkout/
Mon, 26 Jan 2026 15:28:34 +0000
https://fidoalliance.org/?p=88281

Agentic commerce is steadily rewiring how digital transactions occur. Instead of shoppers manually navigating screens, entering credentials and approving each step, intelligent software agents are beginning to select products, optimise pricing and initiate payment on the user’s behalf.

In that environment, the long-maligned guest checkout flow is gaining fresh relevance—not as a stopgap, but as a structurally efficient payment model.

WSJ: Out With the Old: Is Ending Passwords the Start of Improved Identity Security?
https://fidoalliance.org/wsj-out-with-the-old-is-ending-passwords-the-start-of-improved-identity-security/
Mon, 26 Jan 2026 15:26:59 +0000
https://fidoalliance.org/?p=88279

From friction to fluidity: Why passkeys, biometrics, and magic links are poised to end the password era and increase privacy

As cyber threats intensify and user frustration with passwords seemingly grows, enterprises are turning to passwordless authentication for improvement in both security and customer experience. This shift—led by passkeys, biometrics, and magic links—promises not just stronger defenses but simpler, faster, and more imaginative identity journeys.

PCWorld: 1Password review: A password manager designed for the Apple crowd
https://fidoalliance.org/pcworld-1password-review-a-password-manager-designed-for-the-apple-crowd/
Mon, 26 Jan 2026 15:25:47 +0000
https://fidoalliance.org/?p=88277

1Password started as a macOS app, way back in 2006—and you can still feel that influence in its design. Even though the service now works across all major operating systems, the team still leans into a particular approach. This password manager is streamlined and runs smoothly, but users shouldn’t expect to see behind the veil.

1Password allows you to import passwords via CSV from other password managers. If coming from Bitwarden, you can import more securely through an encrypted .json file. 1Password will also support the FIDO Alliance’s Credential Exchange Protocol (CXP) starting in early 2026, which allows secure transfer of passkeys in addition to passwords between apps and services with CXP enabled.

Passkey Ecosystem Upgrades and Improvements
https://fidoalliance.org/passkey-ecosystem-upgrades-and-improvements/
Wed, 21 Jan 2026 19:21:43 +0000
https://fidoalliance.org/?p=88183

As passkeys move rapidly from a promising new technology to the clear industry standard for simple and secure authentication, the passkey ecosystem continues to evolve. Read about six new capabilities implementers should know about.

MIXI Promotes a “Safe and Seamless Login Experience” with Passkey Deployment Across Both Consumer and Enterprise Environments
https://fidoalliance.org/mixi-promotes-a-safe-and-seamless-login-experience-with-passkey-deployment-across-both-consumer-and-enterprise-environments/
Wed, 21 Jan 2026 16:50:02 +0000
https://fidoalliance.org/?p=88174

Corporate Overview

MIXI, Inc. (hereafter MIXI) is one of Japan’s leading internet companies, best known for its popular mobile game MONSTER STRIKE, among other entertainment services, with tens of millions of users. The company has also expanded into sports and lifestyle businesses, providing services that enrich the daily lives of a broad range of generations.

The company’s MIXI ID serves as a common account platform enabling users to access multiple services seamlessly. In recent years, it has also been adopted by flagship titles, continuing to grow its user base.

The Business Challenge

From the outset, MIXI ID pursued a passwordless approach, adopting an email-based one-time password (OTP) method. However, this proved insufficient against the rising threat of real-time phishing attacks, while the flow of opening an email app, retrieving a code, and entering it was cumbersome for users. For services that involve payment functions in particular, there was a strong need for a mechanism that could deliver both high authentication strength and excellent user experience.

Internally, the company also faced the challenge of balancing enhanced security with operational efficiency, while accommodating shared PC usage and continuously evolving OS environments.

Decision to deploy Passkeys

To address these challenges, MIXI introduced FIDO2-compliant passkey authentication to MIXI ID in 2024. Leveraging the WebAuthn API offered by web applications and browsers, users can now log in smoothly and password-free using the biometric authentication built into their smartphones and PCs.

In addition, passkey authentication was made mandatory for administrative tools in the payment system, enabling stronger security operations without reliance on passwords.

MIXI also advanced its internal enterprise security environment by adopting YubiOn Portal, provided by SoftGiken (a FIDO Alliance member), together with YubiKey from Yubico (a FIDO Alliance board member). This strengthened physical security for shared PCs and logon authentication, creating a unified, cloud-managed two-factor authentication environment for both Windows and macOS. As a result, MIXI achieved both stronger authentication for shared terminal logons and greater operational efficiency.

Why FIDO was chosen

While the company also utilizes Apple and Google social logins, there were clear reasons for adopting FIDO authentication as one of its primary methods:

  • Trust in security and interoperability based on international standards
  • Smooth and practical user experience enabled by platform-provided Passkey Autofill
  • Strong security with biometrics combined with the convenience of passwordless login
Mixi Login Screen

Impact of adoption

Currently, more than 25% of MIXI ID users have registered a passkey, and adoption is steadily expanding. Helpdesk enquiries caused by issues with OTPs—such as “delays/resending of authentication codes” and “input errors”—have decreased, helping to reduce support costs.

For users, the experience of being able to log in safely and quickly is spreading, further reinforcing trust in MIXI’s authentication infrastructure.

Within the enterprise environment, the introduction of YubiOn Portal enabled a shift from ledger-based authentication management to cloud-based management, ensuring real-time visibility into the latest authentication status. It also supports Windows Remote Desktop usage and has been highly praised by employees.

Overcoming Implementation Challenges

In some early deployments at other companies, confusing error messages such as “Passkey not found” created user difficulties. MIXI avoided this issue by timing its rollout to coincide with the point at which Passkey Autofill had become sufficiently mature across major OS platforms, successfully preventing user confusion.

The adoption of YubiOn Portal required detailed policy settings, but thanks to extensive documentation and flexible configuration features, the IT team was able to implement and operate the system smoothly.

Looking ahead

MIXI expects passkey authentication to become widely adopted across services and evolve from its current optional status into a primary authentication method. The company intends to expand its use across more service areas, contributing to the realization of a passwordless society.

Finally, Ryo Ito of MIXI, who shared insights for this case study, commented:

“FIDO authentication delivers strong phishing resistance and high security, but there are still challenges such as account recovery from environments where passkeys are unavailable. It’s important to correctly recognize these issues and refer to the FIDO Alliance’s published design and implementation guidelines and checklists when adopting FIDO authentication.

As passkey authentication becomes more widespread, we are already seeing its positive impact with MIXI ID. FIDO/Passkeys are a rare technology that can simultaneously provide excellent UX and robust security at low cost. Going forward, we look forward to the evolution of the ecosystem to support an even wider variety of use cases.”

Security Boulevard: Driving Passwordless Adoption with FIDO and Biometric Authentication
https://fidoalliance.org/security-boulevard-driving-passwordless-adoption-with-fido-and-biometric-authentication/
Fri, 16 Jan 2026 19:35:37 +0000
https://fidoalliance.org/?p=88156

The Passwordless Imperative

For decades, passwords have been the default mechanism for securing digital access. They are deeply embedded in enterprise systems and workflows, yet they were never designed to withstand today’s threat landscape.

Passwords are easy to steal, easy to reuse, and costly to manage at scale. Despite years of awareness training and layered defenses, credential-based attacks remain one of the most common causes of security breaches. At the same time, password resets continue to consume a disproportionate share of IT support resources, slowing productivity across the organization.

Biometric Update: Maker builds FIDO2-compliant LionKey USB dongle for passwordless security
https://fidoalliance.org/biometric-update-maker-builds-fido2-compliant-lionkey-usb-dongle-for-passwordless-security/
Fri, 16 Jan 2026 19:34:34 +0000
https://fidoalliance.org/?p=88154

With their fiddly and indirect nature, one-time passwords (OTPs) are a curse of modern life. They’re a security risk and outdated. Frustrated, a maker has built a physical security key that’s compliant with FIDO2.

Cybersecurity Market: Bitwarden Doubles Down on Identity Security as Passwords Finally Start to Lose Their Grip
https://fidoalliance.org/cybersecurity-market-bitwarden-doubles-down-on-identity-security-as-passwords-finally-start-to-lose-their-grip/
Fri, 16 Jan 2026 19:33:29 +0000
https://fidoalliance.org/?p=88151

Bitwarden’s latest round of product updates reads less like a feature dump and more like a quiet assertion that identity security is finally maturing into something operational, measurable, and—crucially—fixable. Long positioned as an open, zero-knowledge alternative in the password manager market, Bitwarden is now pushing beyond storage and toward decision-making: seeing credential risk clearly, prioritizing it intelligently, and nudging humans toward action without turning security into another productivity tax. That shift matters. Credential abuse remains the front door for most breaches, yet remediation still drags, stalled by poor visibility and employee friction. Bitwarden Access Intelligence, now generally available, tackles that gap head-on by mapping weak, reused, or exposed credentials directly to business-critical applications, then guiding users through the correct update flows. Nine days to fix a known credential issue is an eternity in attacker time; collapsing that window is less glamorous than AI SOC slogans, but far more consequential. Even at the individual level, vault health alerts and password coaching quietly reinforce better hygiene where it actually happens—inside browsers and apps—addressing the stubborn reality that awareness alone doesn’t stop reuse, especially among younger users who already know the risks but still fall back on convenience. We’ve all been there, honestly.

HID Global Blog: Understanding FIDO Alliance: Backbone of Passwordless Authentication
https://fidoalliance.org/hid-global-blog-understanding-fido-alliance-backbone-of-passwordless-authentication/
Mon, 12 Jan 2026 19:38:29 +0000
https://fidoalliance.org/?p=88137

In today’s digital-first world, passwords are no longer enough. As phishing attacks and credential theft increase, enterprises require a secure, scalable and user-friendly method for authenticating users. That’s where the FIDO Alliance — a global consortium shaping the future of passwordless authentication — comes in.

Corbado: Passkeys Japan: An Overview
https://fidoalliance.org/corbado-passkeys-japan-an-overview/
Mon, 12 Jan 2026 19:37:29 +0000
https://fidoalliance.org/?p=88134

In 2025, Japan accelerated passkey adoption in response to evolving security challenges. Following a rise in unauthorized access incidents across the financial sector, regulators emphasized that “ID/password-only authentication and even email/SMS one-time passwords are not sufficient” and that stronger authentication methods like passkeys should be prioritized for high-risk financial actions.

New Scientist: Passwords will be on the way out in 2026 as passkeys take over
https://fidoalliance.org/new-scientist-passwords-will-be-on-the-way-out-in-2026-as-passkeys-take-over/
Mon, 12 Jan 2026 19:35:18 +0000
https://fidoalliance.org/?p=88130

Can you remember all your passwords off the top of your head? If so, you probably have too few of them – or, heaven forbid, only one that you use everywhere. But that problem could become a thing of the past in 2026.

Passwords are a cybersecurity nightmare, with hackers trading stolen sign-in credentials on illicit markets every day. That’s because the overwhelming majority of passwords are too hackable, according to an analysis by Verizon, with just 3 per cent complex enough to withstand hackers.

Biometric Update: NIST announces new mDL use case, resources to support financial sector adoption
https://fidoalliance.org/biometric-update-nist-announces-new-mdl-use-case-resources-to-support-financial-sector-adoption/
Mon, 29 Dec 2025 15:19:16 +0000
https://fidoalliance.org/?p=88068

A webinar on mobile driver’s licenses (mDLs), presented by the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST), introduces new resources to help financial institutions implement support for mDLs.

Off the top, hosts Bill Fisher and Ryan Galuzzo of NIST provide a walk-through of NCCoE’s mDL privacy risk assessment, to help parties gauge what’s at stake in implementing mDLs. Its data flow diagram, an “abbreviated version of the NIST Privacy Risk Assessment Methodology” written from the perspective of a financial institution, includes five questions that cover goals, potential problems and potential solutions.

Cyber Insider: Telegram adds passkey support for secure frictionless logins
https://fidoalliance.org/cyber-insider-telegram-adds-passkey-support-for-secure-frictionless-logins/
Mon, 29 Dec 2025 15:18:05 +0000
https://fidoalliance.org/?p=88066

Telegram has introduced support for passkeys in its latest update, marking a significant shift away from SMS-based login systems in favor of modern, phishing-resistant authentication methods.

The move to support passkeys brings Telegram in line with a growing number of platforms embracing the FIDO2 standard, a cryptographic login method backed by the FIDO Alliance and major industry players including Apple, Google, and Microsoft. With passkeys, Telegram users can now authenticate into their accounts using biometric data like Face ID or fingerprints, or a device PIN, instead of waiting for SMS codes that may be delayed or intercepted.

ZDNet: The coming AI agent crisis: Why Okta’s new security standard is a must-have for your business
https://fidoalliance.org/zdnet-the-coming-ai-agent-crisis-why-oktas-new-security-standard-is-a-must-have-for-your-business/
Mon, 29 Dec 2025 15:16:55 +0000
https://fidoalliance.org/?p=88064

Counting Google, Amazon, and Microsoft among its early adopters, the new standard will provide organizations with more visibility and control over external applications. Here’s how it works.

Tech HQ: FIDO Alliance encourages adoption of digital credentials
https://fidoalliance.org/tech-hq-fido-alliance-encourages-adoption-of-digital-credentials/
Mon, 29 Dec 2025 15:15:04 +0000
https://fidoalliance.org/?p=88062

The FIDO (Fast IDentity Online) Alliance has announced a new initiative designed to accelerate the adoption of verifiable digital credentials and identity wallets. Its undertaking hopes to let technology organisations build a trust-based ecosystem for digital identities, helping move the industry beyond the fragmented and sometimes incompatible solutions currently prevalent. Its initiative will provide a framework for best practice.

The initiative arrives at a time when governments and large businesses worldwide are focused on providing (and increasingly, insisting on) digital identities, such as the increased momentum behind the European Digital Identity Wallet, which will be required to do business online by EU and EU-trading businesses next year. The need for secure and interoperable digital credentials is apparent, therefore, driven by a need for greater convenience, better security, and the ability to access services (especially public sector providers) and verify identity online.

“The FIDO Alliance united the industry to solve the password problem, and the world is now embracing the simplicity and security of passkeys – with billions of accounts now benefiting from this significant shift in user authentication,” said Andrew Shikiar, CEO of FIDO Alliance.

American Banker: BankThink Banks need to adopt passkeys as a safer alternative to passwords
https://fidoalliance.org/american-banker-bankthink-banks-need-to-adopt-passkeys-as-a-safer-alternative-to-passwords/
Mon, 29 Dec 2025 15:06:50 +0000
https://fidoalliance.org/?p=88060

By FIDO Alliance’s Andrew Shikiar

The password is dying. If not in theory, certainly in practice. After years of technical development and cross-platform alignment, passkeys have reached a state of real-world maturity. The user experience is seamless. The infrastructure is robust. Compliance is no longer a barrier. And, most importantly, passkeys are working at scale for both consumers and the companies serving them.

Mobile ID World: FIDO Alliance Sharpens Passkey Trust With New Metadata Service Rules
https://fidoalliance.org/mobile-id-world-fido-alliance-sharpens-passkey-trust-with-new-metadata-service-rules/
Fri, 12 Dec 2025 19:06:21 +0000
https://fidoalliance.org/?p=87878

The FIDO Alliance is tightening how relying parties evaluate passkeys and other FIDO authenticators, rolling out new versions of its Metadata Service (MDS) and a streamlined Convenience Metadata Service aimed at making it easier to separate trustworthy authenticators from outdated or non-compliant devices. The update is pitched as a way to raise assurance levels for passkey deployments without sacrificing user experience across mobile and desktop platforms.

Biometric Update: FIDO Alliance broadens scope with new digital credentials work, deployments
https://fidoalliance.org/biometric-update-fido-alliance-broadens-scope-with-new-digital-credentials-work-deployments/
Fri, 12 Dec 2025 19:05:07 +0000
https://fidoalliance.org/?p=87876

The FIDO Alliance is leveling up. Several announcements show the passwordless-focused organization evolving, as it expands beyond its initial push for passkeys to engage with the wider identity ecosystem.

After dropping hints on the Biometric Update Podcast, the FIDO Alliance today announced the launch of a new digital credentials initiative, to be carried out by a new Digital Credentials Working Group (DCWG). The company’s announcement calls it an expansion of the FIDO Alliance’s mission to accelerate the adoption of verifiable digital credentials and identity wallets. Work will focus on three foundational workstreams: wallet certification, specification development and usability and relying party enablement.

The Register: Death to one-time text codes: Passkeys are the new hotness in MFA
https://fidoalliance.org/the-register-death-to-one-time-text-codes-passkeys-are-the-new-hotness-in-mfa/
Fri, 12 Dec 2025 19:03:45 +0000
https://fidoalliance.org/?p=87874

Whether you’re logging into your bank, health insurance, or even your email, most services today do not live by passwords alone. Now commonplace, multifactor authentication (MFA) requires users to enter a second or third proof of identity. However, not all forms of MFA are created equal, and the one-time passwords orgs send to your phone have holes so big you could drive a truck through them.

Recap: FIDO Taipei Seminar 2025 – Welcome to Passkey World
https://fidoalliance.org/recap-fido-taipei-seminar-2025-welcome-to-passkey-world/
Thu, 11 Dec 2025 15:06:14 +0000
https://fidoalliance.org/?p=87827

On December 2nd, 2025, the digital identity community gathered in Taipei for the FIDO Taipei Seminar 2025. Under the theme “Welcome to Passkey World,” the event brought together around 300 CISOs, business leaders, government officials, and identity architects to discuss the accelerating global shift away from passwords and the rapid adoption of phishing-resistant authentication across the Asia-Pacific region.

Setting the Stage: Global Momentum, Local Leadership

The seminar kicked off with a strong message on the state of the industry. Karen Chang, Chair of the FIDO Taiwan Regional Engagement Forum, and Andrew Shikiar, CEO & Executive Director of the FIDO Alliance, opened the day by framing the global success of passkeys.

Andrew Shikiar shared updated metrics on the global adoption of FIDO standards—noting that billions of user accounts are now secured by passkeys—while emphasizing that the technology has moved from “early adoption” to “mainstream deployment.” Karen Chang highlighted the region’s critical role in this ecosystem, detailing how local industries and government bodies are integrating these standards to build a more resilient digital infrastructure.

Keynote: AI, Identity, and Digital Trust

No technology conversation in 2025 is complete without addressing Artificial Intelligence. Dr. Yennun Huang, Distinguished Research Fellow at Academia Sinica and former Minister of Digital Affairs, delivered a compelling keynote titled “AI, Identity, and Digital Trust.”

Dr. Huang bridged the gap between policy and technology, warning that as AI tools reshape the threat landscape, traditional authentication methods are becoming obsolete. He argued that phishing-resistant authentication is no longer just a security feature but a foundational requirement for establishing trust in the AI era.

From the Trenches: Deployments, Strategies, and Future Tech

The sessions then shifted focus to execution, featuring a chronological lineup of industry leaders sharing insights on platforms, deployments, and certification.

Google: The Google team, represented by Niharika Arora and Eiji Kitamura, demonstrated the latest platform enhancements designed to smooth the implementation path for developers.

Keypasco: As the Host Sponsor of the event, Hsin-Yi Lin, General Manager, spoke on “The Passkey Era: Embrace Passwordless Transformation,” offering a roadmap for enterprises to embrace passwordless transformation without disrupting existing workflows.

Mercari: Naohisa Ichihara, CISO of Mercari, provided a view into the e-commerce sector, explaining how FIDO standards are helping the platform reduce fraud rates while keeping checkout flows seamless.

OneSpan: Koh Gim Leng explored “Augmenting Passkey for Different Use Cases,” discussing how to tailor authentication experiences to fit diverse security requirements and user behaviors.

FIME: James Daniels highlighted the “Value of FIDO Certification,” emphasizing how rigorous testing and certification are essential for ensuring global interoperability and trust in authentication products.

HID: Edwardcher Monreal presented “The Passkey Playbook,” outlining a phased approach that allows organizations to transition from legacy credentials to passkeys at a pace that suits their infrastructure.

TikTok: Yan Cao, Engineering Leader at TikTok, shared a fascinating case study on rolling out passkeys to hundreds of millions of users globally, proving that robust security does not have to come at the expense of user experience.

Jmem Technology: Shifting the focus to hardware, John Chang discussed “Building Secure Chips for the Quantum Era,” highlighting the intersection of Post-Quantum Cryptography (PQC) and trusted edge AIoT integration.

Innovation at the Edge: IoT and Zero Trust

The seminar concluded its technical tracks by exploring how authentication standards are securing the Internet of Things (IoT) and edge computing.

A standout moment was the presentation by Simon Trac Do, CEO & Founder of VinCSS. He introduced a “creative combination” of FIDO authentication and FIDO Device Onboard (FDO) standards, demonstrating how fusing these technologies creates a comprehensive Zero Trust Network Access (ZTNA) solution that secures both user identity and device integrity in the IoT era.

Meanwhile, Doris Liu from ASRock Industrial shifted the focus to the hardware foundation of intelligent systems. In her session on pioneering secure Edge AI, she outlined how ASRock is leveraging FDO deployment to build trusted devices, offering a robust, one-stop solution for the burgeoning Edge AI market.

Taipei Seminar Panel Presentation Image

Panel Discussion: The Road Ahead

The day concluded with a dynamic panel discussion moderated by Megan Shamas, CMO of the FIDO Alliance. Panelists, including Koichi Moriyama (NTT DOCOMO, FIDO Executive Council Member, FJWG Chair), Paul Liu (Keypasco), Jiunn-Shiow Lin (Ministry of Digital Affairs), Da-Yu Kao (National Chengchi University), and Niharika Arora (FIDO India Working Group Chair), explored the future of identity.

The conversation reinforced a clear consensus: the standards are mature, the technology is ready, and the focus must now shift to optimizing usability and broadening adoption across all sectors.

Looking Forward

The FIDO Taipei Seminar 2025 was a testament to the strength and collaboration of the APAC identity community. As we move into 2026, the partnership between government, industry, and standards bodies will be the key to finally eliminating the password for good.

A special acknowledgment goes to our Host Sponsor, Keypasco, and other sponsors for their generous support in making this event possible, as well as to all our speakers and attendees. We look forward to seeing you at our next event!

Passkeys Week 2025: The Resources, Talks, and Success Stories
https://fidoalliance.org/passkeys-week-2025-the-resources-talks-and-success-stories/
Wed, 10 Dec 2025 13:24:14 +0000
https://fidoalliance.org/?p=87807

In November we took part in Passkeys Week, an industry-wide campaign to accelerate the adoption of passkeys and encourage developers to build passkey support into their apps, websites, and authentication products.

Throughout the week, we released early selections of talks and presentations from our flagship Authenticate 2025 event, shared resources, highlighted passkey success stories from industry leaders, and hosted a live AMA webinar.

In case you missed any of the action on social media, we’ve rounded up everything we shared to help promote the work of those leading the way with passkey deployments and to support everyone on their passkey journey.

Early Access: Authenticate 2025 Presentations

We released early access to select presentations from Authenticate 2025, our flagship conference held in October. These presentations showcase how leading organizations are deploying passkeys at scale and achieving measurable results. These talks are all available to watch on our YouTube channel.

Success Stories

We also shone a spotlight on companies that have made progress on their Passkey Pledge – a call to action for organizations to accelerate passkey adoption. Here are just a few of the success stories we shared:

  • Atlancube: The pledge accelerated their certification timelines, helping them prepare to launch a certified hardware security key.
  • Dashlane: Integrated FIDO2 security keys to replace the master password with a hardware-backed secret.
  • First Credit Union: After rolling out passkeys to their 60,000+ members, 54.5% of all authentications now use passkeys.
  • Glide Identity: Achieved FIDO certification for new products to serve organizations seeking interoperable solutions.
  • HYPR: Deployed passkeys at scale to Fortune 500 enterprises, including two of the four largest US banks.
  • LY Corporation: Improved passkey sign-in rates to 41% and reduced SMS transmission costs by replacing OTPs.
  • NTT DOCOMO: Confident of increasing passkey usage by 10% this year by refining user messaging on enrollment pages.
  • Secfense: Enabled passkey sign-ins across banking and insurance sectors without modifying legacy applications.
  • Thales: Extensively promoted the benefits of passwordless to customers through workshops and webinars.

You can read more about these success stories on our website. It’s not too late to take the Pledge; you can find out more here.

Resources

Throughout the week, we pointed to key resources to help those implementing passkeys, including:

  • Design Guidelines: For consumer use cases, visit PasskeyCentral.org to access the FIDO Alliance Design Guidelines.
  • Developer Hub: For technical resources brought to you by the W3C WebAuthn Community Adoption Group and FIDO Alliance, visit passkeys.dev.
  • UX Research: Read our blog, “Beyond the Protocol,” co-authored by Patryk Les (Yubico) and Philip Corriveau (RSA), which highlights the human-centered shift defining the future of workforce security.

New Data

We shared new research from our Passkey Index, a confidential survey of nine FIDO Alliance member organizations (Amazon, Google, LY Corporation, Mercari Inc., Microsoft, NTT DOCOMO, PayPal, Target, and TikTok) that have deployed passkeys for 1 to 3 years, covering eight utilization and performance areas. It shows the adoption and business impact of passkeys from leading service providers. The data reveals that:

  • 93% of accounts are now eligible for passkeys.
  • 36% of accounts are enrolled with a passkey.
  • 26% of all sign-ins now leverage passkeys.
  • Read the full Index here.

We also highlighted Dashlane’s new report, which offers a one-of-a-kind look at the apps leading the move to passwordless across consumer and enterprise environments globally. You can read the report here.

The Passkeys AMA

To wrap up the educational aspect of the week, we hosted a live, interactive Ask Us Anything (AMA) session. With speakers from Dashlane, FIDO Alliance, Google, and Okta, this webinar was the perfect chance to bring questions about passkey implementation, UX, security, standards, and ecosystem adoption directly to the experts shaping the industry. If you missed the live session, you can still watch it here.

]]>
Dark Reading: Enterprise FIDO Authentication: An Easy, 3-Step Plan https://fidoalliance.org/dark-reading-enterprise-fido-authentication-an-easy-3-step-plan/ Tue, 09 Dec 2025 20:34:38 +0000 https://fidoalliance.org/?p=87819 Enterprise passkey adoption has reached a tipping point. According to new data from HID and the FIDO Alliance, two-thirds of executives believe that passkey deployment is a high or critical priority, and 87% have either successfully deployed or are currently deploying passkeys.

The challenge? Often, it’s the very first step. 

ID TECH: FIDO Alliance Tightens Authenticator Verification with Metadata Service Update https://fidoalliance.org/id-tech-fido-alliance-tightens-authenticator-verification-with-metadata-service-update/ Tue, 09 Dec 2025 18:20:05 +0000 https://fidoalliance.org/?p=87817 The FIDO Alliance has released a major update to its Metadata Service (MDS) that is intended to improve how relying parties vet passkey and FIDO authenticator devices, with a particular focus on compliance, security assurance, and user experience. In a news post announcing the changes, FIDO describes the new MDS v3.1 and v3.1.1 releases, along with a new Convenience Metadata Service, as a critical step in supporting the continued evolution of the FIDO ecosystem.

CNET Japan: FIDO Alliance Launches New Initiative to Accelerate Passkey Adoption, Next Up: Digital Credentials https://fidoalliance.org/cnet-japan-fido-alliance-launches-new-initiative-to-accelerate-passkey-adoption/ Fri, 05 Dec 2025 15:06:48 +0000 https://fidoalliance.org/?p=87805 At a meeting held in Tokyo on December 5th, the FIDO Alliance explained the current status of the adoption of “Passkey Authentication (FIDO2)” and announced that as a new initiative, it aims to realize a secure and convenient digital wallet that stores digital credentials.

Passkey authentication is a system for accessing an account by verifying identity using a device, biometric information, PIN, etc. Since its introduction by NTT Docomo and PayPal in 2022, it has rapidly gained popularity as a secure method highly resistant to phishing attacks that target traditional authentication information such as IDs and passwords.

According to Executive Director and CEO Andrew Shikiar, the number of accounts using passkeys will reach over 3 billion by 2025, with approximately 15 billion potentially available accounts by 2024. Organizations such as the US National Institute of Standards and Technology (NIST) and the European Cybersecurity Agency (ENISA) have included passkeys in their security policies, and the system is also being increasingly adopted by government agencies, online services, and the private sector, particularly in the financial sector.

FIDO Alliance Launches New Digital Credentials Initiative to Accelerate and Secure an Interoperable Digital Identity Ecosystem https://fidoalliance.org/fido-alliance-launches-new-digital-credentials-initiative-to-accelerate-and-secure-an-interoperable-digital-identity-ecosystem/ Fri, 05 Dec 2025 01:15:33 +0000 https://fidoalliance.org/?p=87795 New Digital Credentials Working Group to work with global FIDO Alliance members and industry partners to align digital identity ecosystem 

December 4, 2025 – The FIDO Alliance announced today the launch of a new digital credentials initiative, marking an expansion of its mission to accelerate the adoption of verifiable digital credentials and identity wallets. This initiative is poised to help the world simplify and secure online and in-person interactions by establishing a trusted and interoperable identity wallet ecosystem.

Work on this new initiative will be carried out by the FIDO Alliance’s new Digital Credentials Working Group (DCWG). 

“FIDO Alliance united the industry to solve the password problem, and the world is now embracing the simplicity and security of passkeys – with billions of accounts now leveraging this sea change in user authentication. We’re now aiming to bring that same proven, collaborative model to the adjacent digital credentials landscape — working closely with partners including EMVCo, ISO, OpenID Foundation, and W3C to align a fragmented ecosystem,” said Andrew Shikiar, CEO of FIDO Alliance. “Together, we aim to deliver trusted, interoperable digital wallets that make everyday interactions simpler, more secure, and privacy-preserving for everyone.”

Digital credentials have the potential to offer enhanced ease, security, and privacy to everyday interactions and transactions. Governments around the world are helping lead the way in issuing digital identity credentials, including the European Digital Identity Wallet program, which will see all 27 member states offer citizens digital identities by the end of 2026, and 18 departments of motor vehicles in the United States that have deployed standards-based mobile driver’s licenses to over 5 million American citizens.

Widespread adoption has been hindered by ecosystem fragmentation, however, including a lack of global alignment and end-to-end certification. Building on its success with passkeys, the FIDO Alliance will address these challenges through its proven ability to unite stakeholders, develop specifications and certification programs, collaborate with other standards organizations, and implement global adoption initiatives. By applying these strategies to the digital credentials ecosystem, the FIDO Alliance aims to foster a future where digital credentials are as pervasive, trusted, and user-friendly as passkeys are today – helping secure the entire identity account lifecycle for consumers and businesses around the world. 

FIDO Alliance will focus on three foundational workstreams in partnership with ecosystem partners such as The OpenID Foundation, ISO, W3C, and EMVCo to unblock the digital credentials ecosystem: 

  1. Wallet Certification: This program will establish certification criteria for digital wallets, ensuring they are secure, protect user privacy, and are interoperable with credential issuers and relying parties. This will provide crucial assurance that credentials are handled with proper security, privacy, and functionality.
  2. Specification Development: FIDO will develop specifications to complement existing protocols and frameworks from industry partners such as OpenID Foundation, ISO and other standards organizations. For example, the Alliance will develop specifications for presenting credentials across devices by expanding the existing FIDO cross-device protocol. The Alliance also intends to define credential schemes (for example in payments and/or loyalty) as required to address new use cases as they emerge. 
  3. Usability and Relying Party (RP) Enablement: This workstream will accelerate adoption by providing the industry with necessary tools, branding, and best practice guidelines for successful implementation. Drawing from its experience with passkeys, the FIDO Alliance will ensure a seamless user experience, which is critical for new technology adoption.

Through these efforts, the Alliance aims to reduce friction for issuers and relying parties, increase user trust in data security and privacy, and create a vibrant, interoperable market for issuers, wallet providers, and identity services.

Work has already commenced, with initial deliverables planned for 2026.

Industry partner comments:

Loffie Jordaan, Business Solutions Architect at AAMVA and Convenor of ISO/IEC JTC1/SC17/WG10 said, “WG10’s work includes standards for digital credential exchange protocols. Wallets, being one side of a credential exchange, have to support these protocols. In addition to requiring support for these protocols, issuing authorities often have additional requirements on the wallets into which they provision, covering things like device security, holder privacy, and credential life cycle management. The FIDO work will allow issuing authorities to confirm if a wallet being presented for provisioning has been certified against a profile representing the issuing authority’s protocol and other requirements. In doing so, the FIDO work will be of significant value to issuing authorities.”

Gail Hodges, Executive Director of the OpenID Foundation said, “OpenID Foundation welcomes FIDO Alliance’s new initiative on digital credentials as an important step toward advancing a secure and interoperable identity ecosystem. Our organizations have a long history of close collaboration on standards that make authentication simpler and more resilient, and we see the same opportunity to align our efforts as the market rapidly moves toward verifiable credentials and identity wallets. We look forward to working with FIDO and the broader community to help ensure that digital credentials are built on open, privacy-preserving standards that scale globally.”

Seth Dobbs, President & CEO, the World Wide Web Consortium (W3C) said, “It will take the cooperation of many to address the challenges and opportunities of Digital Identities on the Web. The W3C Verifiable Credentials and Digital Credentials API specifications are designed to help ensure the privacy and security of web users. W3C is pleased to work with FIDO Alliance and others on the technical foundation for interoperable, secure, privacy-preserving digital credentials that work across different platforms and systems.”

Daniel Goldscheider, Executive Director of the OpenWallet Foundation said, “FIDO Alliance specifications are already foundational to the wallet landscape. We warmly welcome this expansion into digital credentials and wallet certification.”

Patrik Smets, EMVCo Executive Committee Chair, commented: “Through our Digital Identity and Payment Task Force, EMVCo is engaging with industry partners to advance agentic payments, authentication, verifiable digital credentials, passkeys for payment, and digital wallets. Earlier this year, we shared our existing digital payment credential schema activity with FIDO to align and gather feedback from its members. This level of ongoing collaboration is crucial to promoting global interoperability across the ecosystem in how we use identity in payments, and we are committed to working on payments use cases with all stakeholders as this progresses at pace.”

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance was formed in July 2012 to address the lack of interoperability among strong authentication technologies and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services. For more information, visit www.fidoalliance.org.

ID TECH: FIDO Alliance Brings Authenticate Conference to Asia-Pacific With Singapore Event Focused on Passkeys and Digital Credentials https://fidoalliance.org/id-tech-fido-alliance-brings-authenticate-conference-to-asia-pacific-with-singapore-event-focused-on-passkeys-and-digital-credentials/ Wed, 03 Dec 2025 19:57:28 +0000 https://fidoalliance.org/?p=87792 The FIDO Alliance is expanding its flagship Authenticate conference series to the Asia-Pacific region with Authenticate APAC 2026, a two-day event in Singapore dedicated to phishing-resistant authentication and digital identity. The conference will be held June 2 to 3, 2026 at the Grand Hyatt Singapore, followed by a FIDO Member Plenary from June 4 to 5 at the same venue.

Enhancing Compliance and User Experience with Major Updates to the FIDO Metadata Service https://fidoalliance.org/enhancing-compliance-and-user-experience-with-major-updates-to-the-fido-metadata-service/ Wed, 03 Dec 2025 19:14:46 +0000 https://fidoalliance.org/?p=87791 We’re excited to announce updates to the FIDO Metadata Service (MDS), which helps ensure organizations have the information necessary to successfully validate authenticators. As organizations deploy passkeys and FIDO authentication, it is critical to validate trusted, certified authenticators.

This is especially useful to deploying organizations in regulated industries and organizations handling sensitive data. These organizations can use MDS to verify that accepted authenticators meet certain criteria, such as FIDO L1, L2 and L3 certifications for compliance, as well as leverage security issue notifications to determine suitable responses.

To support the continued evolution of the FIDO ecosystem, we have released an update to the MDS that provides new tools for relying parties (RPs) to verify authenticator compliance and improve interoperability and lifecycle management, while enhancing the user experience. This includes several substantial enhancements to the existing service:

  • Standardized Security Policy Enforcement: RPs can now ensure the correct level of FIPS compliance by verifying that authenticators meet their exact security criteria before granting access.
  • Streamlined Cross-Provider Integration: RPs can dynamically discover and retrieve detailed information about the passkey provider’s Credential Exchange (CX) definitions, streamlining the process of cross-provider communication and setup.
  • Authenticator Lifecycle Management: A new “retired” authenticator status value accurately reflects MDS entries that are no longer actively supported or recommended for use. This status will help RPs maintain secure and up-to-date deployment strategies by clearly flagging deprecated metadata.
  • MDS Version Check: Cuts processing times by introducing localCopySerial, a new parameter that can be specified to only return metadata if a new version of the MDS BLOB is available.

In addition to these MDS updates, the FIDO Alliance also launched a new Convenience Metadata Service. This enables RPs to offer a consistent user experience so that end-users see the same presentation of their passkeys, no matter which service or platform they’re using, to simplify the process of selecting and managing their credentials. This includes standardized, user-friendly names for passkey providers, and high-quality logos for RPs to use in user interfaces and presentation layers.

The updated FIDO MDS and the new Convenience Metadata Service are now live. For more information, visit https://fidoalliance.org/metadata/. For technical questions, implementation guidance, or inquiries regarding the new MDS versions or the Convenience Metadata Service, please reach out to support@mymds.fidoalliance.org.

Passkeys Week Webinar: Ask Us Anything! https://fidoalliance.org/passkeys-week-webinar-ask-us-anything/ Tue, 02 Dec 2025 17:58:55 +0000 https://fidoalliance.org/?p=87778

As part of Passkeys Week, which took place on November 17 – 21, 2025, FIDO Alliance hosted a live, interactive Ask Us Anything (AMA) session designed for developers, product managers, and anyone building—or buying—authentication products and services. Attendees were able to bring their questions about passkey implementation, UX, security, standards, and ecosystem adoption directly to the experts shaping the industry.

Biometric Update: Regulatory clarification sets stage for major FIDO biometrics uptake in South Korea https://fidoalliance.org/biometric-update-regulatory-clarification-sets-stage-for-major-fido-biometrics-uptake-in-south-korea-2/ Tue, 02 Dec 2025 17:05:20 +0000 https://fidoalliance.org/?p=87773 South Korea has eliminated a significant barrier to the usage of the FIDO protocol for passwordless authentication by confirming that it falls outside the scope of a requirement for user consent to process biometrics.

Members of the FIDO Alliance Korea Working Group (FKWG) submitted an official inquiry to the Korea Personal Information Protection Commission (KPIPC), which has responded by stating that the consent rules do not apply to biometric processes performed entirely on user-controlled devices. Since biometric data is not collected, stored or processed by the organization requesting FIDO authentication, the process does not qualify as processing personal information under the Personal Information Protection Act.

Recap of the FIDO Alliance Korea Working Group Workshop https://fidoalliance.org/recap-of-the-fido-alliance-korea-working-group-workshop/ Tue, 02 Dec 2025 16:54:05 +0000 https://fidoalliance.org/?p=87760 Strengthening Korea’s Passkey Ecosystem Through Technical Collaboration and Regulatory Clarity

The FIDO Alliance Korea Working Group (FKWG) held its year-end workshop on November 14, 2025, at the Telecommunications Technology Association (TTA) office in Pangyo. Co-hosted by Samsung Electronics and TTA, the workshop brought together local FIDO members and invited guests to discuss the latest developments in passkey deployment, biometric authentication, and the accelerating momentum behind phishing-resistant authentication across the country.

With a half-day agenda featuring the Q4 member plenary, technical deep-dives, ecosystem updates, and a community networking session, the event highlighted the rapid expansion of Korea’s passkey landscape and the central role of the FKWG in driving adoption across industries.


One of the most important topics covered during the workshop was a newly clarified regulatory interpretation confirming that “FIDO authentication using on-device biometrics does not require separate user consent, since no biometric data leaves the device.”

This clarification removes a long-standing compliance concern for organizations and is expected to significantly accelerate enterprise adoption of FIDO-based biometrics across finance, telecom, commerce, and government services. The update has already drawn national and international attention, including coverage by Biometric Update, underscoring its significance to the broader authentication ecosystem.

Read the Coverage from Biometric Update


The technical presentations and updates from FIDO members provided insights into real-world deployments, new research, and ongoing product development:

  • Samsung SDS shared lessons learned from large enterprise-scale passkey rollouts at Samsung Group Companies and from UX refinement.
  • LINE presented developer-focused guidance and demonstrated how they are using passkeys for end-to-end encryption (E2EE).
  • TTA shared perspectives on AI privacy challenges and mitigation strategies, along with associated regulatory considerations.
  • Korea Quantum Computing (KQC) discussed how they developed PQC-based FIDO security keys, offering a forward-looking view on post-quantum security.

These sessions demonstrated the depth of local technical expertise and the collaborative spirit that defines the FIDO Alliance Korea Working Group community.


The workshop concluded with a networking dinner, a quiz session, and a prize giveaway that added a fun and engaging community element to wrap up the day.

With clear regulatory support, growing cross-industry deployments, and an active technical ecosystem, the FIDO Alliance Korea Working Group is well positioned to accelerate the adoption of phishing-resistant authentication throughout 2026 and beyond.

The FIDO Alliance extends its appreciation to Samsung Electronics, TTA, all presenters, and all members and guests who contributed to this successful event.

FIDO Alliance Announces First Authenticate Conference for the Asia-Pacific Region https://fidoalliance.org/fido-alliance-announces-first-authenticate-conference-for-the-asia-pacific-region/ Mon, 01 Dec 2025 21:53:32 +0000 https://fidoalliance.org/?p=87757 The industry’s premier event dedicated to digital identity and authentication expands globally with Authenticate APAC 2026 in Singapore

SINGAPORE, 02 December – The FIDO Alliance today announced the expansion of its flagship event series with the launch of Authenticate APAC 2026. This marks the first time the industry’s only conference dedicated to digital identity and phishing-resistant authentication will be held in the Asia-Pacific region. The inaugural event will take place on June 2 – 3, 2026, followed by a FIDO Member Plenary from June 4 – 5, 2026, at the Grand Hyatt in Singapore.

As organizations worldwide accelerate the shift from passwords to passkeys and begin to unlock the potential of verifiable digital credentials, Authenticate APAC will serve as a regional hub for education, collaboration, and innovation. The decision to bring Authenticate to the region builds on the success of the FIDO APAC Summit held over the last two years. It also reflects the region’s growing influence in the cybersecurity landscape, where recent momentum in government digital identity initiatives and widespread commercial passkey deployments are helping to drive the global standard for secure, user-friendly authentication.

“The FIDO Authenticate conference has become the defining event for the authentication community, and we are proud to extend this platform to the Asia-Pacific region,” said Andrew Shikiar, CEO of the FIDO Alliance. “There is tremendous innovation happening across APAC, and this event will provide a dedicated space for local and global leaders to collaborate and help build the future of a secure, user-friendly and interoperable internet.”

The Authenticate conference series delivers high-quality content with a highly engaged community of professionals committed to advancing passkeys, digital credentials and related technologies. It is designed to bring together CISOs, business leaders, product managers, security strategists, and identity architects to advance their knowledge of digital identity and shape the future of authentication. 

Call for Sponsors and Registration
The FIDO Alliance will offer a wide range of sponsorship opportunities designed to maximize brand exposure and reach target audiences. The 2026 Prospectus detailing sponsorship packages also launched today and is available here.

Whether you are new to FIDO, in the midst of deployment or somewhere in between, Authenticate conferences have the right content, and community, for you. Registration for attendees will open later this year.

To stay up to date on speakers, sponsorship opportunities, and registration details, please visit the Authenticate APAC 2026 website, follow @FIDOAlliance on X, and sign up for the newsletter.

About Authenticate
Authenticate is the premier conference dedicated to advancing digital identity and authentication, with an emphasis on phishing-resistant sign-ins using passkeys. Hosted by the FIDO Alliance, this event brings together CISOs, security strategists, product managers and identity architects to explore best practices, technical insights and real-world case studies in modern authentication.

Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication with innovations like passkeys.


Contact
press@fidoalliance.org

Financial IT: HYPR and Yubico deepen partnership to secure and scale passkey deployment through automated identity verification https://fidoalliance.org/financial-it-hypr-and-yubico-deepen-partnership-to-secure-and-scale-passkey-deployment-through-automated-identity-verification/ Fri, 21 Nov 2025 18:41:54 +0000 https://fidoalliance.org/?p=87732 For years, HYPR and Yubico have stood shoulder to shoulder in the mission to eliminate passwords and improve identity security. Yubico’s early and sustained push for FIDO-certified hardware authenticators and HYPR’s leadership as part of the FIDO Alliance mission to reduce the world’s reliance on passwords have brought employees and customers alike into the era of modern authentication.

Biometric Update: Regulatory clarification sets stage for major FIDO biometrics uptake in South Korea https://fidoalliance.org/biometric-update-regulatory-clarification-sets-stage-for-major-fido-biometrics-uptake-in-south-korea/ Fri, 21 Nov 2025 18:40:03 +0000 https://fidoalliance.org/?p=87730 South Korea has eliminated a significant barrier to the usage of the FIDO protocol for passwordless authentication by confirming that it falls outside the scope of a requirement for user consent to process biometrics.

Members of the FIDO Alliance Korea Working Group (FKWG) submitted an official inquiry to the Korea Personal Information Protection Commission (KPIPC), which has responded by stating that the consent rules do not apply to biometric processes performed entirely on user-controlled devices. Since biometric data is not collected, stored or processed by the organization requesting FIDO authentication, the process does not qualify as processing personal information under the Personal Information Protection Act.

Cyber Insider: Bitwarden brings passkey login support to Chrome extension https://fidoalliance.org/cyber-insider-bitwarden-brings-passkey-login-support-to-chrome-extension/ Fri, 21 Nov 2025 18:37:44 +0000 https://fidoalliance.org/?p=87728 Bitwarden has rolled out support for passwordless login via passkeys across its browser extensions and web vault, allowing users to authenticate without entering a username, password, or two-factor code.

WebProNews: Passkeys Rise as Black Friday’s Fraud Shield https://fidoalliance.org/webpronews-passkeys-rise-as-black-fridays-fraud-shield/ Fri, 21 Nov 2025 18:36:48 +0000 https://fidoalliance.org/?p=87726 As Black Friday 2025 approaches, passwords remain digital security’s weak link, exploited by AI-driven scams. Dashlane CEO John Bennett champions passkeys for frictionless, phishing-resistant authentication, with e-commerce leaders like Amazon leading adoption. Dashlane’s tools and deals bolster fraud protection for shoppers and businesses.

IDAC Podcast: The FIDO Alliance’s Next Frontier: Digital Credentials and Wallets https://fidoalliance.org/idac-podcast-the-fido-alliances-next-frontier-digital-credentials-and-wallets/ Fri, 21 Nov 2025 18:31:10 +0000 https://fidoalliance.org/?p=87724 Live from Authenticate 2025, Jeff Steadman and Jim McDonald sit down with the Cal Ripken of IDAC, Andrew Shikiar, Executive Director and CEO of the FIDO Alliance. Andrew shares exciting updates on the incredible progress of Passkeys, revealing that over 3 billion are now in use securing accounts. We discuss the key themes of the conference, including the ongoing arms race with AI in security and the critical role of identity verification. Andrew also unveils the new Passkey Index, an initiative to provide industry benchmarks for deployment success. Looking ahead, the conversation shifts to the FIDO Alliance’s broadening focus on digital credentials and wallets, aiming to solve the usability and certification challenges that have held the space back. Finally, we hear about the global expansion of the Authenticate conference brand, with a new event launching in Singapore.

Listen to the podcast: https://www.identityatthecenter.com/listen/episode/29aaaa94/384-the-fido-alliances-next-frontier-digital-credentials-and-wallets

Beyond the Protocol: The Human-Centered Shift Defining the Future of Workforce Security https://fidoalliance.org/beyond-the-protocol-the-human-centered-shift-defining-the-future-of-workforce-security/ Wed, 19 Nov 2025 14:43:45 +0000 https://fidoalliance.org/?p=87694 By FIDO Alliance UX Working Group’s Enterprise Subgroup leaders Patryk Les, Yubico and Philip Corriveau, RSA

As we celebrate Passkeys Week 2025, the momentum around passwordless authentication is undeniable. Across industries, organizations are taking real steps toward a future where passwords – and the risks they bring – finally fade away.

Recent research from the FIDO Alliance and its members shows that over 85% of enterprises are implementing or evaluating passkeys. The question is no longer if your organization will deploy them – it’s how you’ll do it effectively.

And that’s where the next chapter begins. Because the hardest part of passwordless security isn’t the cryptography – it’s the culture.

People Are Not the Weakest Link – They’re the Strongest Asset

For years, cybersecurity has been framed as a struggle to “fix” users – those who forget passwords, fall for phishing, or sidestep controls. But people aren’t the problem. They’re responding to systems that often work against natural human behavior.

Passkeys flip that model. They align authentication with how people already act – using biometrics, devices, and gestures they trust. When security design works with human tendencies, compliance becomes intuitive and adoption accelerates.

This is more than a technical improvement. It’s a leadership opportunity.

Three Lessons from the Front Lines

The FIDO Enterprise UX Subgroup’s research with enterprise deployments uncovered one clear truth: the biggest challenges are human, not technical. Here’s what leading organizations are learning.

1. Enrollment Is the First Moment of Trust
The first time a user registers a passkey isn’t just a setup step – it’s their first interaction with your new security culture. Complex flows or unclear prompts can create frustration and mistrust before the rollout even begins.

Leaders who treat enrollment as change management – offering clarity, support, and communication – set the tone for success.

2. Users Need a Mental Model, Not a Cryptography Lesson
Practitioners told us: “Give me a one-sentence definition users actually understand.” That’s because awareness without understanding is ineffective. The best explanation we heard?

“A password is an easy-to-copy key you remember.
A passkey is a hard-to-copy key your device remembers.”

Simple, relatable language builds trust far better than technical jargon.

3. Consistency Builds Confidence
When authentication looks different across browsers and devices, it creates decision fatigue and confusion. This isn’t just a UX problem – it’s a behavioral one. Inconsistency erodes confidence; consistency builds it.

Forward-thinking leaders now recognize that usability isn’t a luxury – it’s a security control.

Redefining Success: From Compliance to Culture

Traditional cybersecurity programs measure success through compliance metrics: completed trainings, documented policies, audit readiness. But those measures miss what truly matters – behavioral outcomes.

Leading organizations are shifting to human metrics:

  • Adoption and retention rates
  • User satisfaction (CSAT)
  • Reduced authentication-related support tickets

One organization exemplified this shift during the passkey rollout: when satisfaction dipped below their 4.0 target, they paused to improve the experience before resuming rollout. That’s human-centered leadership – prioritizing outcomes that strengthen both trust and security.

Leadership in the Human Era of Security

When deployments struggle, it’s rarely due to user resistance – it’s because systems weren’t designed with human behavior in mind.
Leaders now have a clear mandate:

  • Simplify choices and reduce cognitive load
  • Segment workforce experiences (field staff ≠ office staff)
  • Establish feedback loops to learn and iterate

The most successful organizations treat passkey deployment as a cultural transformation, not a technical upgrade. They recognize that security performance is shaped by psychology, environment, and design – not just protocols.

The Path Forward: Share Your Voice

This Passkeys Week, we invite workforce leaders everywhere to help shape the next wave of adoption.

Your insights – what worked, what didn’t, and what surprised you – can help the entire community deploy smarter, faster, and more human-centered systems.

Share your experience and help shape the future of workforce authentication.

Your stories power our collective learning – and move the industry forward.

Closing Thought

The technology is ready. The future of workforce authentication now depends on how we lead.

When we design for human nature instead of against it, security becomes intuitive, sustainable, and strong. The workforce isn’t the weakest link – it’s our greatest asset.

Let’s make Passkeys Week 2025 the moment we prove it.

]]>
Pocket-lint: Windows 11 is about to work way better with passkeys https://fidoalliance.org/pocket-lint-windows-11-is-about-to-work-way-better-with-passkeys/ Wed, 19 Nov 2025 12:57:47 +0000 https://fidoalliance.org/?p=87687

It’s no secret that Microsoft is on board with ushering in a fully passwordless computing future — specifically one that’s powered by a newfangled technology known as passkeys. Back in June, the tech giant confirmed its intention to bring so-called plugin passkey provider integration to Windows 11 in a future update, and, as of the recently-released November 2025 security update, the functionality is now live for a growing number of PC users running the latest version of the operating system.

]]>
9TO5Mac: Apple @ Work Podcast: State of the union for passkeys https://fidoalliance.org/9to5mac-apple-work-podcast-state-of-the-union-for-passkeys-2/ Tue, 18 Nov 2025 22:20:17 +0000 https://fidoalliance.org/?p=87685 In this episode of Apple @ Work, Rew Islam from Dashlane joins the show to talk about the company’s new report: The 2025 Dashlane Passkey Power 20.

]]>
9TO5Mac: Apple @ Work Podcast: State of the union for passkeys https://fidoalliance.org/9to5mac-apple-work-podcast-state-of-the-union-for-passkeys/ Tue, 18 Nov 2025 22:15:52 +0000 https://fidoalliance.org/?p=87682 In this episode of Apple @ Work, Rew Islam from Dashlane joins the show to talk about the company’s new report: The 2025 Dashlane Passkey Power 20.

Listen to the podcast.

]]>
Security Boulevard: HYPR and Yubico Deepen Partnership to Secure and Scale Passkey Deployment Through Automated Identity Verification https://fidoalliance.org/security-boulevard-hypr-and-yubico-deepen-partnership-to-secure-and-scale-passkey-deployment-through-automated-identity-verification/ Fri, 14 Nov 2025 20:09:16 +0000 https://fidoalliance.org/?p=87658 For years, HYPR and Yubico have stood shoulder to shoulder in the mission to eliminate passwords and improve identity security. Yubico’s early and sustained push for FIDO-certified hardware authenticators and HYPR’s leadership as part of the FIDO Alliance mission to reduce the world’s reliance on passwords have brought employees and customers alike into the era of modern authentication.

]]>
Digital Trends: Windows 11 finally lets you use Passkeys through your own password manager https://fidoalliance.org/digital-trends-windows-11-finally-lets-you-use-passkeys-through-your-own-password-manager/ Thu, 13 Nov 2025 18:27:39 +0000 https://fidoalliance.org/?p=87635 Microsoft is making Windows 11 a lot friendlier to your favorite password manager. Windows 11 now supports third-party passkey managers, meaning you’re not locked into Microsoft Password Manager anymore.

Passkeys are part of the FIDO standard, a newer authentication method that replaces passwords with secure, device-bound cryptographic keys. Unlike passwords, passkeys can’t be phished, reused, or stolen from the cloud.

]]>
WinBuzzer: Microsoft Edge Now Syncs Passkeys Across Windows Devices, Bolstering Passwordless Push https://fidoalliance.org/winbuzzer-microsoft-edge-now-syncs-passkeys-across-windows-devices-bolstering-passwordless-push/ Mon, 10 Nov 2025 13:29:14 +0000 https://fidoalliance.org/?p=87566 Microsoft is rolling out a significant update to its Edge browser that allows users to save and sync passkeys across their Windows devices. Announced on November 3, the new feature integrates passkeys directly into the Microsoft Password Manager, starting with Edge version 142.

Addressing a key weakness in the company’s passwordless strategy, this move untethers passkeys from a single machine. By enabling cloud synchronization for these phishing-resistant credentials, Microsoft aims to make secure, password-free logins more practical for everyday use.

For now, the feature is limited to Windows desktops, with support for other platforms planned for the future.

]]>
Biometric Update: iProov certified for biometric deepfake protection with Ingenium IAD test https://fidoalliance.org/biometric-update-iproov-certified-for-biometric-deepfake-protection-with-ingenium-iad-test/ Mon, 10 Nov 2025 13:27:53 +0000 https://fidoalliance.org/?p=87564 iProov’s biometric injection attack detection technology has passed an evaluation by Ingenium Biometrics to the Level 2 (High) standard set out in Europe’s CEN TS 18099.

Ingenium carried out independent testing of iProov’s Dynamic Liveness technology, which uses patented Flashmark signals to confirm a user’s real-time presence. The European standard is the only one established for defending against deepfakes and synthetic media, and will be used as the starter document for a global ISO/IEC standard.

]]>
WebProNews: WhatsApp Rolls Out Biometric Passkeys for Encrypted Chat Backups https://fidoalliance.org/webpronews-whatsapp-rolls-out-biometric-passkeys-for-encrypted-chat-backups/ Mon, 10 Nov 2025 13:26:12 +0000 https://fidoalliance.org/?p=87562 WhatsApp has introduced passkey-encrypted chat backups using biometric authentication like Touch ID or Face ID, simplifying end-to-end encryption and replacing cumbersome 64-digit keys. This enhances security for cloud-stored messages amid rising cyber threats, potentially setting a new standard for messaging apps and promoting broader privacy adoption.

]]>
Biometric Update: New benchmarking tool shows passkeys boost conversion success by 30% https://fidoalliance.org/biometric-update-new-benchmarking-tool-shows-passkeys-boost-conversion-success-by-30/ Fri, 07 Nov 2025 21:22:15 +0000 https://fidoalliance.org/?p=87538 FIDO Alliance and Liminal collaborate on utilization snapshot

The FIDO Alliance, in collaboration with digital identity consultancy Liminal, has unveiled the Passkey Index — a new benchmarking tool that tracks the adoption, performance and impact of passkey authentication across leading online services.

Launched alongside Liminal’s Passkey Adoption Study 2025, the Index offers the most comprehensive view to date of how passkeys are reshaping digital authentication. “The data in the Passkey Index marks the first time we have been able to measure the actual utilization and performance of passkeys,” says Andrew Shikiar, CEO of the FIDO Alliance.

“The FIDO Alliance intends to grow this program over time as a benefit to service providers within our membership, a guideline for newer implementers and an industry benchmark to track ongoing growth of passkey utilization over time.”

]]>
Forbes: Cybersecurity Is A Digital Identity Problem And We Must Deal With It https://fidoalliance.org/forbes-cybersecurity-is-a-digital-identity-problem-and-we-must-deal-with-it/ Fri, 07 Nov 2025 21:21:02 +0000 https://fidoalliance.org/?p=87536 Digital Identity Means Security

One particular leaf of that nettle is authentication, and here I think we Brits can have some optimism. NCSC is working with the government and the FIDO Alliance on improving the adoption of “passkeys” across the public and private sectors. If you are not familiar with passkeys (which are already widely used), imagine you want to sign in to your Google Account on a new device. Instead of entering a password, a passkey allows you to log in to your account with a device you’ve already verified (e.g., your phone). You don’t need to remember a password and no-one else can log in as you because they don’t have your phone.

]]>
Biometric Update: Passkeys mature to occupy critical role in authentication for digital ID systems https://fidoalliance.org/biometric-update-passkeys-mature-to-occupy-critical-role-in-authentication-for-digital-id-systems/ Thu, 06 Nov 2025 23:19:26 +0000 https://fidoalliance.org/?p=87529 The passkey tipping point may be fast approaching. As the anointed successor to passwords, passkeys are seeing increased support from huge global companies, improved data analysis and better resources. And, significantly from an industry standpoint, the FIDO Alliance appears to be on the verge of reorienting its priorities to encompass more work on account recovery and digital credentials – a sure sign that, even if passkeys do not deliver the fatal blow to passwords many have predicted, they are established enough for their primary defender to declare a kind of victory in its primary mission.

]]>
Mastercard Cybersecurity Blog: Reimagining online authentication to outfox AI-powered cyber scammers https://fidoalliance.org/mastercard-cybersecurity-blog-reimagining-online-authentication-to-outfox-ai-powered-cyber-scammers/ Thu, 06 Nov 2025 18:17:15 +0000 https://fidoalliance.org/?p=87524 The Mastercard Newsroom recently sat down with Andrew Shikiar, FIDO’s Executive Director and CEO, to learn how the FIDO’s Payments Working Group is helping bolster protection in a rapidly changing digital world.

]]>
WUSA: Why you should consider passkeys instead of passwords for online safety https://fidoalliance.org/wusa-why-you-should-consider-passkeys-instead-of-passwords-for-online-safety/ Tue, 04 Nov 2025 13:53:30 +0000 https://fidoalliance.org/?p=87511 Andrew Shikiar, Executive Director and CEO of the FIDO Alliance tells us why passkeys are superior to passwords for online safety. The simple step to protect yourself online is to upgrade to passkeys.

]]>
PC Mag: Passkey Adoption Sees Striking Progress, With One Obvious Leader https://fidoalliance.org/pc-mag-passkey-adoption-sees-striking-progress-with-one-obvious-leader/ Fri, 31 Oct 2025 14:23:14 +0000 https://fidoalliance.org/?p=87500 Things really have improved, according to a new Dashlane study, and yet we’re sure that many of the sites you use all the time have yet to get the memo about passkeys.

Dashlane’s latest report about passkeys doesn’t offer fresh insights about why adoption of this account-security upgrade remains so uneven, but it does draw out two selfish reasons for sites to deploy it: either they’re afraid of a sign-in snafu costing them a single sale, or they fear a compromised login will cost them a customer’s money and then all of that person’s future business. In fewer words: Greed clarifies

]]>
Member Report: The 2025 Dashlane Passkey Power 20 https://fidoalliance.org/member-report-the-2025-dashlane-passkey-power-20/ Fri, 31 Oct 2025 14:21:55 +0000 https://fidoalliance.org/?p=87499 Why passkeys

The password problem persists, but the solution is accelerating

Despite years of warnings from security experts, passwords remain the Achilles’ heel of digital security. According to Dashlane data, the average person now manages 301 passwords across their personal and work accounts. Yet, credential abuse remains the most common initial attack vector.1 For CISOs and IT leaders, the problem is clear: The authentication method designed to protect users has become their greatest liability.

“The FIDO Alliance’s own data shows that passkeys significantly reduce sign-in time and have a much higher success rate compared to other authentication methods, meaning customers are able to get to the checkout cart more easily.”

Andrew Shikiar, CEO and Executive Director, FIDO Alliance

]]>
FIDO Webinar: Designing Passkeys for Everyone: Making Strong Authentication Simple at Scale https://fidoalliance.org/fido-webinar-designing-passkeys-for-everyone-making-strong-authentication-simple-at-scale/ Thu, 23 Oct 2025 15:27:22 +0000 https://fidoalliance.org/?p=87082

Attendees joined this webcast to hear members of the FIDO Alliance’s UX Working Group explore the critical UX considerations in designing and deploying passkeys at scale, from initial user onboarding to seamless cross-device synchronization.

Speakers from Google, Microsoft and HID discussed how to address the challenges of simplifying complex security concepts for everyday users, and offered insights into the future of authentication.

Speakers shared insights about the key UX decisions, user research findings, and design strategies that are shaping the adoption of passkeys, and how the FIDO Alliance is working to make online security both powerful and effortless.

The Design Guidelines for Passkey Creation and Sign-ins are available at https://www.passkeycentral.org/design-guidelines/

Speakers included:

  • James Hwang, Microsoft
  • Mitchell Galavan, Google
  • Adrian Castillo, HID
]]>
MobileIDWorld: Google Chrome Launches Automatic Passkey Generation for Android Users https://fidoalliance.org/mobileidworld-google-chrome-launches-automatic-passkey-generation-for-android-users/ Tue, 21 Oct 2025 16:51:09 +0000 https://fidoalliance.org/?p=87418 Google Chrome has introduced a new automatic passkey implementation for Android that streamlines the user authentication process by automatically generating passkeys after password-based sign-ins. The development marks a significant advancement in the broader industry transition from traditional passwords to more secure authentication methods, following similar initiatives from Apple and Microsoft.

]]>
Biometric Update: BixeLab joins FIDO Face Verification program, certifies Aware  https://fidoalliance.org/biometric-update-bixelab-joins-fido-face-verification-program-certifies-aware/ Tue, 21 Oct 2025 16:49:37 +0000 https://fidoalliance.org/?p=87416 Aware has received FIDO Alliance Certification for Face Verification, gaining recognition for its identity verification tech including liveness detection and facial matching capabilities.

The certification affirms that Aware’s identity verification platform meets the FIDO Alliance’s standards for biometric performance, security and fairness. Testing was conducted by BixeLab, which recently revealed a new contract, CTO and facility, and is one of only three labs globally accredited to evaluate biometric systems under the U.S. National Institute of Standards and Technology (NIST) NVLAP program.

“FIDO’s Face Verification Certification represents a powerful step toward a passwordless future built on trust, accuracy, and strong security,” said Ajay Amlani, CEO of Aware, Inc. “Earning this certification demonstrates not only our technological excellence but our deep commitment to transparency and innovation in biometrics.”

]]>
Biometric Update: HID upgrades passkey, FIDO authentication capabilities with IDmelon acquisition https://fidoalliance.org/biometric-update-hid-upgrades-passkey-fido-authentication-capabilities-with-idmelon-acquisition/ Tue, 21 Oct 2025 16:47:19 +0000 https://fidoalliance.org/?p=87414 Texas-based HID has reached an agreement to acquire Vancouver, Canada-based logical access control provider IDmelon to upgrade its portfolio of FIDO authentication offerings. The addition of IDmelon’s technology enables HID to easily implement customers’ physical access cards and mobile devices as FIDO2 security keys, according to the joint announcement.

IDmelon software users can turn existing identifiers like biometrics, physical credentials and smartphones into enterprise-grade FIDO security keys. IDmelon also provides hardware to support passkeys and other FIDO standards for secure and convenient access control.

]]>
Techstination Radio/Podcast: What you should know about passkeys for online security https://fidoalliance.org/techstination-what-you-should-know-about-passkeys-for-online-security/ Tue, 21 Oct 2025 14:45:59 +0000 https://fidoalliance.org/?p=87411 Interview with FIDO’s Andrew Shikiar on what you should know about passkeys for online security.

]]>
WDEF News: Switching to Passkeys for Safety https://fidoalliance.org/wdef-news-switching-to-passkeys-for-safety/ Tue, 21 Oct 2025 14:43:12 +0000 https://fidoalliance.org/?p=87409 CHATTANOOGA, Tenn. (WDEF) – October is Cybersecurity Month, a reminder for everyone to take small but meaningful steps to stay safe online. 

]]>
WTVM News: FIDO’s Megan Shamas talks online safety, using passkeys https://fidoalliance.org/wtvm-interview-fidos-megan-shamas-talks-online-safety-using-passkeys/ Tue, 21 Oct 2025 14:40:40 +0000 https://fidoalliance.org/?p=87407 Megan Shamas, CMO of the FIDO Alliance shares why passkeys may be more effective than passwords during Cybersecurity Month.

]]>
Authenticate 2025: Day 3 Recap https://fidoalliance.org/authenticate-2025-day-3-recap/ Thu, 16 Oct 2025 19:13:24 +0000 https://fidoalliance.org/?p=87390 By: FIDO staff

The first two days of Authenticate 2025 delivered strong technical content, user insights and lots of thoughtful discussions.

The final day of Authenticate 2025 went a step further, taking attendees on a deep dive into important current and emerging topics for authentication, including biometrics, agentic AI and verifiable credentials.

Passkeys and Verifiable Digital Credentials are Not Competitors

A key theme across multiple sessions at Authenticate 2025 was the growing need for, and development of, standards for Verifiable Digital Credentials.

In a session led by Christine Owen, Field CTO at 1Kosmos and Teresa Wu, Vice President, Smart Credentials & Access at IDEMIA Public Security, the roles of passkeys and verifiable digital credentials (VDCs) within the evolving landscape of secure digital identity were clarified.

They emphasized that passkeys and VDCs are not competing technologies. Instead, they are best used together to strengthen both authentication and identity verification processes. Passkeys offer privacy preservation and are resistant to phishing, while VDCs provide digital representations of identity attributes that can be selectively shared when needed.

Breaking Glass: Restoring Access After a Disaster

In a thought-provoking session, Dean H. Saxe, Principal Security Engineer, Identity & Access Management at Remitly, explored the challenges and importance of digital estate management, particularly in the context of disasters and emergencies. 

Saxe described how personal experiences and recent natural catastrophes highlight the necessity of preparing for sudden loss of access to digital assets.

A hands-on experiment conducted by Saxe tested how well a “break glass” process works when all personal devices are lost. The process included relying on physical identity documents and a safe deposit box to regain access to important accounts like 1Password, Apple iCloud, and Google services. Saxe faced unexpected obstacles, such as a missing credential and issues getting recovery codes, which illustrated the real-world difficulties of these situations.

The findings of Saxe’s experiment stressed the need for regular testing and updating of disaster preparedness plans.

“So the failure to test your backup strategy means that you do not have a valid backup strategy,” Saxe said.

From the Trenches: Passkeys at PayPal

PayPal is an early adopter of passkeys with the initial motivation being focused on reducing password reliance.

“It’s time to break free from the password prison,” Mahendar Madhavan, Director of Product, Identity at PayPal said.

PayPal launched passkeys in 2022, saw a surge in mid-2024, and now boasts more than 100 million enrolled users with a 96% login success rate. This surge has delivered results—phishing-related losses have dropped by nearly half compared to traditional password and OTP methods.

Mohit Ganotra, Identity PM Lead at PayPal explained that initial efforts zeroed in on user education and reducing friction during login. By optimizing the login experience and targeting enrollment prompts during checkouts and password recovery, PayPal now sees 300,000 incremental enrolments each month from checkout alone, plus 75,000 from automatic passkey upgrades.

“Passkeys is still a new technology, it needs to go through the adoption curve that every new technology has,” Madhavan said. “So you as a relying party need to nudge users, guide users, encourage users to adopt a passkey at various points in their journey and how you do it is, you hyper personalize the content for consumers and users, and you talk in their language.”

Safeguarding Enterprise Online Credentials Post Authentication

While passkeys solve authentication security, post-authentication remains vulnerable through bearer token theft and session hijacking. 

There are, however, numerous technical approaches that can help mitigate the risk, which were described in detail by An Ho, Software Solution Architect at IBM, and Shane Weeden, Senior Technical Staff Member at IBM.

The session introduced two complementary technologies designed to address this vulnerability. DPoP (Demonstrating Proof of Possession) extends OAuth 2.0 to create sender-constrained access and refresh tokens for API flows, while DBSC (Device-Bound Session Credentials) binds browser session cookies to specific devices. Both technologies use asymmetric cryptography to ensure that stolen credentials become unusable by attackers, as they require proof of possession of private keys that only the legitimate client or browser holds.

“We believe that you need to look at a holistic view of your sessions,” Weeden said. “You need to look at not just how clients and users log in, but also how to maintain a form of continuous authentication with the client or browser that is utilizing that session.”

From the Trenches: Improving Experience and Security at Databricks with Passkeys  

Meir Wahnon, Co-Founder of Descope, explored how Databricks approached the challenges of unifying authentication and improving security across multiple cloud-based apps.

Databricks partnered with Wahnon’s company to figure out the best approach. The fragmented login experience had made it hard for users and the IAM team to manage access and maintain full visibility. Databricks tackled this by adopting a centralized identity provider and federation to ensure a more seamless single sign-on process. A major focus was the decision to add passkeys as an optional multi-factor authentication method. This choice was driven by Databricks’ commitment to balancing strong security for customers with a smooth, low-friction user experience.

The deployment of passkeys came with careful attention to user adoption and support. Databricks made passkeys optional to minimize disruption, and included easy rollback options if customer uptake became a challenge.

“The balance between user experience and security is always a question when you build a user journey,” Wahnon said.

From the Trenches: Alibaba’s Passkey Story

Alibaba is expanding its use of passkey authentication across business units including AliExpress and DingTalk. 

Preeti Ohri Khemani, Senior Director at Infineon Technologies, which works with Alibaba, explained that the main goal was to improve security and user experience by reducing dependence on traditional passwords and costly SMS one-time passwords. The rollout has led to faster, more convenient logins and a smoother registration process for users.

On AliExpress, the deployment of passkeys simplified the login flow and eliminated extra steps for users. This change resulted in a reported 94% increase in login success rates along with an 85% reduction in login times. Users no longer need to manage passwords or wait for verification codes, which also lowered operational costs and security risks.

DingTalk, Alibaba’s internal messaging platform with 28 million daily active users, has similarly benefited from passkey integration. Engineers at Alibaba focused on making passkey adoption easy by sharing clear coding samples, open-source libraries, and helpful tools.

Keynotes: The Path to Digital Trust

Ashish Jain, CTO of OneSpan, used his keynote to explore the ongoing challenge of establishing trust in digital interactions. Jain traced the journey from physical trust in face-to-face transactions to today’s anonymous digital world.

Ashish outlined the tension between user experience and security. He cited how complex password policies and frequent multi-factor authentication can frustrate users, yet they are essential for protection. The discussion highlighted how the industry is coming closer to a practical solution through the adoption of passkeys.

“In the physical world, trust is emotional,” Jain said. “In the digital world, trust is an architecture.”

Keynote: Biometrics Underpinning the Future of Digital Identity

Continuing on many of the same themes from Amlani’s keynote, Stephanie Shuckers, Director, Center for Identification Technology Research (CITeR), University of North Carolina – Charlotte, and Gordon Thomas, Sr. Director, Product Management, Qualcomm, provided more insights on the critical nature of biometrics.

Thomas noted that while face recognition remains popular, fingerprints offer enhanced privacy because they are less likely to be exposed online or through surveillance.

“It’s not really about proving who you are, but it’s about building and securing your digital identity layer by layer with trust every time you use it,” Thomas said.

Shuckers noted that there is a need for strong assurance levels in biometric technology on consumer devices. That’s where standards help ensure both user safety and usability. The FIDO Alliance’s programs test biometric systems for vulnerabilities such as deep fakes and injection attacks. These certifications are crucial for building trust in digital identity systems. 

Keynote: Microsoft Details What’s Needed to Authenticate Agentic AI

Pamela Dingle, Director of Identity Standards, Microsoft, led a session on the challenges and opportunities in authenticating AI agents within enterprises.

She stressed the importance of understanding what an agent is and pointed out that simply asking “who authenticates the agent” is not enough. Dingle highlighted the complexity that arises from having many agents running in different domains, each with unique tasks and identifiers. Administrators often struggle to see the full chain of actions, which complicates decision making and resource management.

Dingle introduced the idea of using “blueprints” and “task masters” to authenticate not just the agent but also the context and source of its tasks. She emphasized that knowing only the identifier is not enough. The future will require richer, composite data about each agent’s purpose and origin.

“The agentic AI push gives us an opportunity to build the tools enterprises need to run better.”

Keynote Panel: Digital Wallets and Verifiable Credentials: Defining What’s Next 

Verifiable credentials were a hot topic at Authenticate 2025, and one that the final keynote panel tackled.

The panel included Teresa Wu, Vice President, Smart Credentials and Access at IDEMIA Public Security, Loffie Jordaan, Business Solutions Architect at AAMVA, Christopher Goh, International Advisor, Digital Identity & Verifiable Credentials at Valid8 and Lee Campbell, Identity and Authentication Lead, Android at Google.

The discussion began with an overview of the ecosystem, emphasizing the interaction between the wallet, issuer, and relying party. This “triangle of trust” serves as the cornerstone for secure digital credential use. Panelists stressed the need for privacy, interoperability, and certification as this shift accelerates, highlighting lessons learned and ongoing challenges like fragmentation across platforms.

FIDO Alliance’s growing focus on digital credentials was described as a catalyst for industry progress. “FIDO is getting involved in the digital credential space,” Campbell said. “FIDO does an exceptional job at execution.”


That’s a Wrap!

Wrapping up the Authenticate 2025 program, FIDO Alliance Executive Director Andrew Shikiar emphasized that the event continues to grow year by year.

For the 2025 event there were 150 sessions and 170 speakers. 

“Passkeys are driving measurable business outcomes,” Shikiar said. “One thing I thought was really cool this year about some of the presentations, it wasn’t just another ‘rah rah’ passkeys are great story, but also companies are coming back for their second time or third time, talking about progress and lessons learned and how they’re evolving, pivoting and growing.”

Speaking of growth, the Authenticate event is growing for 2026, with a new Authenticate APAC event set for June 2-3 in Singapore. Authenticate 2026 will be back in California at the same time next year.

Between now and then, the FIDO Alliance will be sharing lots of informative content and hosting educational events. Stay connected and sign up for updates.

Authenticate 2025: Day 2 Recap https://fidoalliance.org/authenticate-2025-day-2-recap/ Thu, 16 Oct 2025 16:33:03 +0000 https://fidoalliance.org/?p=87388 By: FIDO Staff

Following on the information-packed day one, day two of Authenticate 2025 continued the trend.

Over the course of the day, users from across different geographic areas and industry verticals detailed their experiences with passkeys. How passkeys fit into the payment ecosystem and how they intersect with agentic AI were also hot topics across multiple sessions.

Keynotes: A Brief History of Strong Authentication

Christopher Harrell, Chief Technology Officer at Yubico, kicked off the morning keynote tracing the journey of authentication practices from basic shared secrets to the modern era. 


Harrell outlined how early systems based on shared secrets and memorized passwords often failed due to human error and simplicity. Multi-factor authentication was introduced to address these gaps by layering security, but still relied heavily on passwords or similar secrets. He noted that the evolution of the market to passkeys eliminates the vulnerabilities of shared secrets and reduces the chance of phishing, making access both safer and easier for users.

“Shared secrets were never meant for the internet, we need authentication that protects you without making you remember more,” Harrell said.

Keynotes: Passkey Adoption in the UK

The United Kingdom (UK) has taken a big leap into passkeys, embracing their use at the national level.

Darren Hutton, Identity Advisor for NHS England and Pelin Demir, UX Designer for NHS Login, detailed the adoption path and success of passkeys in the UK. The presenters shared how NHS Login serves as a nation-level identity provider for healthcare access, reaching almost the entire adult population. They discussed the evolution from passwords and OTPs to introducing passkeys. The move aimed to improve both security and accessibility for all users.


Insights from their user research revealed that although over three million users adopted passkeys within months, there were challenges. These included inconsistent user interfaces, confusion around technical terms, and accessibility barriers for screen reader users. The team found that clear guidance and familiar wording were critical to increasing adoption.

“Passkeys is a beautiful balance of technology that brings security and usability together to create a really good service,” Hutton said.

Leaders from the National Cyber Security Center (NCSC) in the UK detailed the strong imperative to move to passkeys, noting that the majority of cyber harm to UK citizens happened through abuse of legitimate credentials.

Keynote: Visa Details Payment Passkey Efforts

Ben Aquilino, VP, Global Head of Visa Payment Passkeys and Digital Identity at Visa, explored the evolution of digital payment security from the earliest days of online commerce to the present.


Aquilino used the history of Pizza Hut’s first online order in 1994 as a gateway to highlight how payment experiences have changed due to rising concerns over fraud, describing how simple early processes became more complex to counter increasingly sophisticated threats.

A significant portion of the session focused on the technological advancements used to combat payment fraud.

Visa has recently sought to innovate further by launching Visa Payment Passkeys. This new approach leverages passkeys and biometrics for payment authentication, aiming to offer better protection along with a seamless user experience.

“Authentication doesn’t have to be a compromise between security and convenience; it can have both,” Aquilino said.

Keynote Panel: Quantifying Passkey Benefits from Early Adopters 

In a keynote panel session led by FIDO Alliance Executive Director Andrew Shikiar, industry leaders from PayPal, NTT DOCOMO and Liminal explored the ongoing shift in the authentication landscape.


Koichi Moriyama, Chief Security Architect at NTT DOCOMO and Rakan Khalid, Head of Product, Identity at PayPal, recounted the journey from initial pilots to broader adoption, detailing technical evolution and lessons learned. Khalid emphasized the impact of evolving authentication standards on customer experience, while Moriyama described Docomo’s commitment to ecosystem-wide security improvements.

A recurring message throughout was the proven effectiveness and industry momentum behind passkey authentication. Survey data from Liminal revealed that most decision-makers now rank passkeys as their top priority for authentication investments. 

“The big surprise in the survey was that passkeys really have moved from pilot to priority,” Filip Verley, Chief Innovation Officer at Liminal said. “We’re seeing huge adoption and nearly every adopter is very satisfied.”

Both PayPal and Docomo shared that organizational and customer metrics improved after moving away from passwords, including increased sign-in success and reduced account takeovers.

“When customers use passkey, we see about a 10-point increase in sign-in success rate over a traditional multi factor authentication,” Khalid said.

From the Trenches: Shipping Passkeys for Hundreds of Millions of users at TikTok

TikTok’s session offered a comprehensive look at its journey to implement passkeys as a login method for hundreds of millions of users. 


The team faced the challenge of introducing passkeys in a way that would not disrupt the user experience. TikTok chose to promote passkeys through a campaign on user profile pages, leading to high engagement rates and a marked increase in adoption. Most users who set up passkeys did so thanks to the visibility and education presented within the app.

Passkey login was not only made the default for users who had enabled it, but TikTok also streamlined the signup process. 

“Overall, it has been a great journey with Passkeys and TikTok,” Yingran Xu, Software Engineer at TikTok said. “Passkey remains one of the authentication methods with the highest success rate and fastest login experience.”

From the Trenches: Lessons Learned from Roblox’s Passkey Deployment

Roblox’s effort to deploy passkeys across its platform is a response to the complex security needs of a massive and diverse user base. 

With more than half of Roblox users under 13, the challenge was to design an authentication system that is easy for children while still robust enough for professionals handling accounts with significant financial stakes. The team aimed to make access secure and simple without passwords, reducing both user frustration and customer support issues tied to account recovery.


Through a phased rollout that began with passkeys in user settings and later added passkey options during account sign-up, Roblox has shown measurable progress. Eighteen percent of active users have adopted passkeys, which led to greater engagement and higher login success rates. Experiments with the user interface revealed that highlighting passkeys at pivotal moments, such as account recovery, can drive adoption as long as users are guided clearly and are not forced through abrupt changes.

Ongoing improvements focus on making passkeys easier to use and more accessible, especially as many Roblox players move between multiple device types. An adaptive login flow led to more passkey logins and fewer users defaulting to traditional passwords. There are also new protections for top game creators, who are frequent phishing targets, ensuring only secure login methods are available for valuable accounts.

“Our vision is that all Roblox users should have secure and accessible accounts without passwords, powered by passkeys,” Yuki Bian, Product Manager at Roblox said.

From the Trenches: Using Windows Hello to Enable Passkeys for SSO

Single Sign-On (SSO) is a common approach enabling users in enterprise environments to use a single credential to get access to multiple applications.


In a deep dive session, Amandeep Nagra, Sr. Director, Identity and Access Management at CrowdStrike, detailed how Windows Hello for Business was implemented as a passkey solution for seamless Single Sign-On across enterprise devices. By turning device logins into trusted passkeys, users no longer needed to remember passwords or manage separate app authentications.

The solution involves generating a device-level PRT token using Windows Hello for Business PINs, which enables SSO across various apps. The project saved 78,000 hours of work annually, 

“We turned the device login into your passkey—one sign-in, access to everything,” Nagra said.

From the Trenches: Modernizing Authentication with True Passwordless at Docusign

DocuSign is a leading provider of electronic agreement solutions that help individuals and businesses sign documents and manage contracts online. Security and identity verification are critical to its platform, as users rely on DocuSign to complete transactions that often involve sensitive or high-value documents, such as home purchases, business contracts, and legal agreements.


To meet rising threats and user demand for easier, safer access, DocuSign is working to make passwordless authentication the default experience.

The company’s authentication team has introduced passkeys, enabled biometrics, and streamlined account recovery methods. Their goal is to give users secure, reliable, and effortless ways to verify identity, whether that’s logging in to review paperwork or using a mobile device to approve a high-stakes deal.

Yuheng Huang, Engineering Manager at Docusign noted that the login success rate for passkeys on DocuSign is 99%. In contrast, the password login success rate is only 76%.

Going beyond just authentication, Dina Zheng, Product Manager at Docusign, explained that DocuSign is using a passkey with the company’s identity wallet.

“By combining capabilities with identity wallet, we’ve created a fully frictionless experience, secure enough for identity verification, yet simple enough that users barely notice the authentication step at all,” Zheng said. “This is a perfect example of how passkeys can go beyond just authentication. They’re becoming an enabler of trusted high assurance workflows across Docusign.”

Panel: Industry Perspectives on Securing Agent-Based Authentication

With the emergence of agentic AI, there are new concerns and challenges about how to secure and authenticate agents.


A panel moderated by Eran Haggiag, CEO at Glide Identity, discussed the challenges of trust and security in agent-based authentication. The panelists were Lee Campbell, Identity and Authentication Lead, Android at Google; Rakan Khalid, Head of Product, Identity at PayPal; and Reid Erickson, Product Management, Network API at T-Mobile.

Key points included the need for phishing-resistant authentication methods like passkeys and verifiable credentials to ensure user intent and prevent fraud. The discussion highlighted the importance of standardization, context-aware authentication, and human-in-the-loop verification to mitigate risks. 

“There’s lots of work going on, lots of companies are involved, lots of standards bodies involved with every single standards body out there today having some agentic group,” Campbell said. “Everybody’s talking about it, and one of the challenges is getting everyone and all the right players in the same room to have these conversations. And I think FIDO is actually quite a good place to do this.”

The Big Finale is Coming on Day 3!

While the first two days of Authenticate 2025 were stacked top to bottom with insightful sessions, Day 3 will deliver even more content.

With even more user stories coming, along with discussion of verifiable digital credentials and digital trust, Day 3 will not disappoint.

Not registered? Don’t miss out! Attend remotely and access all previous sessions on demand, and attend day 3 live via the remote attendee platform! See the full agenda and register.

Best Stablecoin Wallets for Everyday Use in 2025 https://fidoalliance.org/best-stablecoin-wallets-for-everyday-use-in-2025/ Tue, 14 Oct 2025 16:43:24 +0000 https://fidoalliance.org/?p=87386 The rise of stablecoins has transformed how we handle digital payments, cross-border transactions, and everyday financial activities in the cryptocurrency ecosystem. With stablecoins like USDT, USDC, and DAI gaining mainstream adoption, choosing the right stablecoin wallet has become crucial for anyone looking to navigate the digital economy efficiently. What makes walllet.com revolutionary is its seedless security approach. Unlike conventional wallets that require users to manage complex 12 or 24-word seed phrases, walllet.com uses institutional-grade biometric security powered by proven technologies from Apple, Google, and the FIDO Alliance.

Authenticate 2025: Day 1 Recap https://fidoalliance.org/authenticate-2025-day-1-recap/ Tue, 14 Oct 2025 15:55:19 +0000 https://fidoalliance.org/?p=87383 By FIDO staff

Authenticate 2025, the FIDO Alliance’s flagship conference, kicked off day one on strong footing as passkey adoption continues to grow.

The first day of Authenticate 2025 was loaded with insightful user stories, sessions on how to improve passkey adoption and technical sessions about the latest innovations.

Mastercard: Reimagining Online Checkout with Passkeys

Mastercard presented their ambitious vision to bring contactless payment-level security and convenience to online transactions through passkeys. The company is tackling three major e-commerce pain points: fraud from insecure authentication methods, cart abandonment and false declines of legitimate transactions. 

“There is no secret for this audience that one-time passwords are largely insecure and subject to phishing attacks,” Jonathan Grossar, Vice President of Product Management at Mastercard said. “So this is one big problem that we’re trying to address.”

Mastercard’s approach includes linking passkeys to payment card identities through bank KYC verification, adding device binding layers to meet regulatory requirements like PSD2, and ensuring banks retain control over authentication decisions even when Mastercard acts as the relying party on their behalf.

“When you have a passkey, that’s very easy, you can use it right away, and we see the conversion is just fantastic,” Grossar said.

Passkey Mythbusters: Short Takes on Common Misunderstandings

Because passkeys are a relatively new technology, there is still a good deal of misunderstanding about them.


In an engaging session led by Nishant Kaushik, CTO of the FIDO Alliance, Matthew Miller, Technical Lead at Cisco Duo, and Tim Cappalli, Sr. Architect, Identity Standards at Okta, debunked several key misconceptions about passkeys, including:

Misconception #1. Passkeys are stored in the cloud in the clear: The session clarified that passkeys are not stored in plain text. Reputable credential managers use strong end-to-end encryption, so even when passkeys are synced through the cloud, service providers cannot access the actual keys.

Misconception #2. Passkeys lock users into specific vendor ecosystems: The panel explained that new standards like the credential exchange protocol (CXP) and credential exchange format (CXF) enable secure transfer of passkeys between managers. 

Misconception #3. Phishing resistance depends solely on the relying party ID: Presenters emphasized that true phishing resistance comes from verifying the origin of authentication requests, not just matching the relying party ID. Proper server-side origin checks are essential for security.

Misconception #4. Cross-device passkey use enables remote attacks: The panel showed that cross-device authentication relies on proximity checks like Bluetooth, which prevent attackers from authenticating remotely even if they possess a QR code.

Misconception #5. Passkeys are not suitable for enterprise use: The panel highlighted that managed credential managers can offer strong policy control and high assurance for workforce applications, and that flexible management models fit both personal and enterprise contexts.

Misconception #6. Device management is always required for secure workforce passkeys: It was clarified that organizations can provide managed credential managers that enforce policies without requiring complete device management, allowing for greater flexibility.

Misconception #7. Passkeys cannot be used in mixed cloud and on-prem environments: The discussion explained that the right identity provider solutions and federation strategies can enable passkeys across a variety of application types.
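The server-side origin check from Misconception #3, as an added Python example that is not from the session or from the FIDO Alliance. `RP_ID`, `ALLOWED_ORIGINS`, the function names and the sample assertion data are assumptions constructed for illustration; the block covers the client-data and RP ID hash checks only, and signature verification must still follow them.

```python
import base64
import hashlib
import hmac
import json

# Assumed deployment values (hypothetical, not from the session).
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://login.example.com", "https://example.com"}


class AssertionRejected(Exception):
    """Raised when a client-data or authenticator-data check fails."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(value: str) -> bytes:
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def check_assertion_context(client_data_json: bytes,
                            authenticator_data: bytes,
                            expected_challenge: bytes) -> str:
    """Return the verified origin, or raise AssertionRejected."""
    try:
        client_data = json.loads(client_data_json.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise AssertionRejected("clientDataJSON is not UTF-8 JSON") from exc
    if not isinstance(client_data, dict):
        raise AssertionRejected("clientDataJSON is not an object")

    if client_data.get("type") != "webauthn.get":
        raise AssertionRejected("type is not webauthn.get")

    # The challenge must be the one this server issued for this session.
    challenge = client_data.get("challenge")
    try:
        received = b64url_decode(challenge) if isinstance(challenge, str) else b""
    except ValueError:
        received = b""
    if not hmac.compare_digest(received, expected_challenge):
        raise AssertionRejected("challenge mismatch")

    # Exact match against an allow-list. The browser lets any origin under
    # the RP ID's domain use that RP ID, so the hash check below cannot
    # tell an allowed origin from another host on the same domain.
    origin = client_data.get("origin")
    if not isinstance(origin, str) or origin not in ALLOWED_ORIGINS:
        raise AssertionRejected(f"origin not allowed: {origin!r}")
    if client_data.get("crossOrigin") is True:
        # Assumption: this relying party does not support embedded use.
        raise AssertionRejected("cross-origin request not permitted")

    # authenticatorData: 32-byte rpIdHash, 1 flags byte, 4-byte counter.
    if len(authenticator_data) < 37:
        raise AssertionRejected("authenticatorData too short")
    expected_hash = hashlib.sha256(RP_ID.encode("utf-8")).digest()
    if not hmac.compare_digest(authenticator_data[:32], expected_hash):
        raise AssertionRejected("rpIdHash mismatch")
    if not authenticator_data[32] & 0x01:
        raise AssertionRejected("user presence flag not set")
    return origin


def build_sample(origin: str, challenge: bytes, rp_id: str = RP_ID):
    """Constructed sample data standing in for a browser's response."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode("utf-8")
    # Flags 0x05 = user present + user verified; counter value is arbitrary.
    auth_data = (hashlib.sha256(rp_id.encode("utf-8")).digest()
                 + bytes([0x05]) + (7).to_bytes(4, "big"))
    return client_data, auth_data


def outcome(origin: str) -> str:
    """Run the checks on a constructed assertion claiming `origin`."""
    challenge = b"constructed-challenge-0001"
    client_data, auth_data = build_sample(origin, challenge)
    try:
        return "accepted: " + check_assertion_context(
            client_data, auth_data, challenge)
    except AssertionRejected as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    # Both samples carry a valid rpIdHash for example.com; only the
    # origin allow-list separates them.
    for candidate in ("https://login.example.com",
                      "https://tenant-pages.example.com"):
        print(candidate, "->", outcome(candidate))
```
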

What’s New in FIDO2: The New Features in WebAuthn and CTAP

There’s a lot going on with the underlying FIDO standards.


In his session, Nick Steele, Identity Architect at 1Password, detailed the latest FIDO2, CTAP2.2 and WebAuthn updates. Steele explained how these new standards offer easier adoption, better security, and a smoother user experience for both enterprises and individuals.

Key technical improvements:

  • Hybrid transport for flexible authenticator connections
  • Signals API for better credential management
  • Conditional passkey enrollment and improved autofill UI
  • Stronger encryption and HMAC secret extension
  • Broader support for smart cards and related origins

“We really want to increase the risk signalling and the trust that enterprises can get in a single go from a passkey,” Steele said.

Credential Exchange in the Wild

One of the key misconceptions about passkeys is that they lock users into a particular platform. 

Among the reasons why that’s not accurate is the Credential Exchange format effort, which was detailed in a session led by Rene Leveille, Sr. Security Developer at 1Password.


Leveille explained how the credential exchange format is designed to help password managers understand and transfer numerous credential types, making it easier for users to migrate securely between different services. He highlighted how this format, paired with a secure protocol, is the foundation for cross-platform compatibility.

Leveille outlined recent progress, including the move from early drafts to a proposed industry standard in August 2025. He discussed how both Apple and Android platforms have introduced APIs that are paving the way for seamless transfers between apps. 

Emphasizing the importance of this work, Leveille stated, “It is an extremely easy way to migrate from one credential manager to another and it is secure.”

From the Trenches: eBay

Among the earliest adopters of passkeys is eBay, which has a long history with FIDO specifications.


Ilangovan Vairakkalai, Senior Member Technical Staff at eBay detailed his organization’s journey and how it has managed to increase adoption.

“Every percentage point we gain in Passkey adoption is another user freed from password frustration,” Vairakkalai said.

Passkey adoption among mobile and native app users has climbed to an impressive 55% to 60%, reflecting how intuitive, nearly invisible authentication is a win for users. Desktop adoption, while more modest at around 20%, is steadily rising as eBay continues to innovate and collaborate with browser and device makers. 

From the Trenches: Uber

Reducing user friction is a primary reason why Uber has embraced passkeys.


Ryan O’Laughlin, Senior Software Engineer at Uber Technologies detailed his organization’s journey to deploy passkeys as a secure and user-friendly login option across its global consumer platform. 

While there was some quick success, there were also some early challenges. Despite passkeys offering faster and more secure logins compared to passwords, many users continued using traditional sign-in methods, raising concerns about adoption and the prevalence of phishing risks.

To address these challenges, Uber introduced usability improvements such as clearer entry points for passkey login and proactive prompts encouraging registration. Experiments showed that enrolling users right after account sign-up or login led to a marked increase in adoption.

The company also piloted features like selfie-based account recovery, aiming for secure, phishing-resistant options as part of its broader vision for a passwordless future.

“Passwords just don’t really work for our platform. People forget them,” O’Laughlin said. “There is a very realistic future where we don’t have passwords at all.”

From the Trenches: BankID

In Norway, the BankID system has been around for over two decades, providing a uniform authentication system for the country’s citizens.


Heikki Henriksen, Technology Partnership Manager, Stø AS (BankID BankAxept in Norway), explained that the BankID system started off with hardware devices but in recent years has moved to mobile, software-based approaches.

BankID began moving to passkeys after most users had adopted the BankID app. The transition away from SMS-based authentication finished in 2023. Passkeys were introduced quietly—users were not told about the technical change but were moved to the stronger, phishing-resistant credentials through regular app updates.

“We never bothered talking about passkeys, we got over half of the Norwegian population to use passkeys without ever using the term passkey,” Henriksen said. “People don’t know what passkeys are. They don’t need to understand it either. So they just use Bank ID and for us technical people we know that passkeys are running the tech behind it.”

Keynotes: FIDO Alliance Details the Path Forward

A highlight of every Authenticate event is the keynote address from Andrew Shikiar, Executive Director of the FIDO Alliance.


As part of his Day One keynote, Shikiar detailed the past, present and future of the organization he leads and the standards it develops.

“Our internal estimates point to over 3 billion passkeys securing consumer accounts – actual passkeys in use,” he said. “That’s a massive number, 3 billion in less than three years’ time.”

Shikiar also revealed data from a new report, the Passkey Index, which aims to help quantify the impact of the technology. Among the standout figures:

  • An average 93% sign-in success rate using passkeys, which is more than double that achieved with other methods.
  • A 73% decrease in login time when using passkeys.
  • Up to an 81% reduction in login-related Help Desk incidents reported by some organizations.

No technology conversation in 2025 is complete without mention of AI and Shikiar didn’t disappoint. He noted that the FIDO Alliance is actively addressing agentic AI by launching targeted initiatives including the creation of a subgroup focused on agentic commerce, aiming to ensure secure authentication for human-authorized agents.

“We spent the past dozen years or so contemplating how to prevent bots from authenticating, and now we have to figure out how to enable them to authenticate,” he said.

Looking ahead, the need to eliminate knowledge-based recovery methods and improve user experience was stressed. Shikiar also talked about emerging efforts for digital credentialing, with FIDO Alliance developing foundational standards and certification programs to advance the digitization of identity documents and secure mobile credentials.

“We will create foundational specifications that are applicable to the market, building from CTAP to create a new protocol for cross device credential presentation, we’ll focus on enablement and usability,” Shikiar said.

Keynotes: Google Securing the Future of Account Management

Google’s Authenticate 2025 keynote focused on how account security and user experience are improving with the adoption of passkeys. 


With more than a billion users now signed into Google services using passkeys, it is clear these solutions are quickly moving into the mainstream. Chirag Desai, Product Manager at Google emphasized that passkeys make the sign-in process faster and easier for users and provide new opportunities for businesses looking to enhance safety and streamline account access.

“Just as the world moved from horses and carriages to cars and now even self-driving cars, we as an industry need to help our customers do the same thing,” Desai said. “We need to help make that transition from passwords to passkeys, with minimal friction.”

Beyond just passkeys for authentication Rohey Livne, Group Product Manager at Google addressed the critical role of digital credentials for account creation and recovery. These digital, device-bound documents offer stronger protection than emails or SMS, enabling selective disclosure and simplifying verification. They allow organizations to move beyond fragile legacy methods and create a fully secured account lifecycle.

“We’re not really solving account creation and account recovery with passkeys,” Livne said. “And so we are essentially trying to look at how the entire account lifecycle could be aided with digital credentials.”

Keynotes: Apple Details How to Get the Most Out of Passkeys

Apple is all in on passkeys. 

“Simply put, the world would be a better place if the default credential, the one that we all reached for first, was a passkey instead of a password,” Ricky Mondello, Principal Software Engineer at Apple said.


Mondello detailed multiple approaches that Apple is using to accelerate passkey adoption including:

  • Account Creation API (iOS/Mac apps): Pre-fills user information (name, email/phone) to create new accounts with passkeys in one step, avoiding passwords entirely from the start.
  • Automatic Passkey Upgrades: Seamlessly adds passkeys to existing password-based accounts without showing upsell screens when users sign in with their password manager. Already supported on Apple platforms and Chrome desktop.
  • Prefer Immediately Available Credentials: Shows users their saved credentials (passwords or passkeys) when opening an app, eliminating the “which button do I press?” problem.

The most provocative message centered on security. Mondello argued that simply adding passkeys alongside passwords doesn’t deliver true phishing resistance. Organizations must plan to drop passwords entirely for accounts with passkeys.

“The hard truth is that to actually deliver the phishing resistance benefit to any given account, all phishable methods of signing in or recovering it need to be eliminated or otherwise mitigated,” Mondello said.

Get Ready for Day 2!

Day 2 will have even more great content across multiple tracks, with no shortage of user stories. Look for user stories from TikTok, Roblox, Microsoft, Docusign and many others, alongside technical insights for implementation.

Not registered? Don’t miss out! Attend remotely and access all previous sessions on demand, and attend day 2 and 3 live via the remote attendee platform! See the full agenda and register now at authenticatecon.com.

FIDO Alliance Launches Passkey Index, Revealing Significant Passkey Uptake and Business Benefits https://fidoalliance.org/fido-alliance-launches-passkey-index-revealing-significant-passkey-uptake-and-business-benefits/ Tue, 14 Oct 2025 15:03:05 +0000 https://fidoalliance.org/?p=87378 Passkey Index provides a composite view of passkey utilization and business impact data from leading online service providers

CARLSBAD, Calif. – The FIDO Alliance today launched the Passkey Index, revealing significant passkey uptake and benefits for online services offering passkey sign-ins. Launched in partnership with Liminal, the Passkey Index provides a composite view of data from leading service providers on the adoption, utilization and business impacts of passkeys.

The Passkey Index was launched today in concert with Liminal’s Passkey Adoption Study 2025, a survey of 200 organizations either actively deploying passkeys or committed to doing so in the near future. Together, these new resources provide the most comprehensive view of passkey deployments yet, and strategic intelligence for organizations wanting to modernize and de-risk their authentication technology.

The Passkey Index is available at FIDOalliance.org and Liminal’s Passkey Adoption Study 2025 is available at Liminal.co.

Passkey Index Companies Report Passkey Sign-in Rates and Benefits 

The Passkey Index comprises data from companies that have deployed passkeys over one to three years, including Amazon, Google, LY Corporation, Mercari Inc., Microsoft, NTT DOCOMO, PayPal, Target and TikTok across eight utilization and performance areas. 

The Index reveals that passkey eligibility is high: FIDO Alliance member companies contributing to the Index report that an average of 93% of accounts are now eligible for passkeys. The percentage of accounts with a passkey enrolled is over a third (36%), while more than a quarter (26%) of all sign-ins now leverage passkeys. 

Passkey Index companies also reported strong business benefits with passkeys: 

  • Passkeys reduce sign-in time by 73% compared to other authentication methods, averaging just 8.5 seconds per login. Traditional approaches including email verification, SMS codes, and social login options took an average of 31.2 seconds. 
  • Passkey sign-ins have a 93% success rate, compared to 63% for other methods; 30% higher success rates mean fewer failed attempts and greater throughput at critical checkpoints.
  • The Index also revealed that passkey adoption led to an 81% reduction in login-related help desk incidents. Reducing help desk burden allows IT and support teams to focus on higher-value issues.

“The data in the Passkey Index marks the first time we have been able to measure the actual utilization and performance of passkeys. Thanks to this data from several early-adopting organizations, we can confidently say that passkeys are available, being used, and providing quantifiable benefits to deploying organizations,” said Andrew Shikiar, CEO of the FIDO Alliance. “The FIDO Alliance intends to grow this program over time as a benefit to service providers within our membership, a guideline for newer implementers and an industry benchmark to track ongoing growth of passkey utilization over time.”

Liminal’s Passkey Adoption Study 2025 Validates Passkey Index by the Broader Industry 

Liminal’s Passkey Adoption Study 2025 complements the Passkey Index with a look at the industry outlook on passkeys. The survey of 200 IT professionals either actively deploying passkeys or committed to doing so highlights how buyers are turning to passkeys to modernize and de-risk authentication. It revealed the following key points:

  • Passkeys are a strategic priority that delivers, with 63% of all respondents ranking passkeys as their top authentication investment priority for the next year. The majority (85%) of those that have already adopted passkeys report strong satisfaction with both their decision to implement and the business results they’ve seen so far.
  • Organizations expect passkeys to deliver both ROI and risk reduction, as 63% of respondents believe strong authentication methods like passkeys can create cost savings and efficiency gains, while they are also expected to reduce risk (56%) and fraud (58%). 
  • Passkeys deliver behavioral and business change. After passkeys had been deployed, a significant decline in password usage was reported by 43% of respondents, while the majority (89%) said more than half of their users are expected to opt in to passkeys after being prompted, demonstrating that adoption scales quickly after deployment.
  • Organizations are willing and ready to adopt a fully passkey-based strategy, with almost all (97%) respondents reporting that their organization is willing to fully transition to a passkey-based authentication strategy in the future. Readiness to adopt is also widespread, with 86% of respondents stating their organization’s infrastructure is already fully or mostly prepared to support passkey authentication.
  • They perform even better than expected. Nearly half of current implementers (49%) report adoption rates exceeding 75%, outperforming initial expectations.

Shikiar added: “It is in every company’s strategic interest to reduce reliance on passwords, and this study clearly illustrates that passkeys are doing exactly that: delivering tangible business benefits through enhanced sign-in success, improved user experience and decreased risk.”   

Passkey Index methodology

In collaboration with Liminal, the FIDO Alliance conducted a confidential survey of nine FIDO Alliance member organizations to gain a deeper understanding of how passkeys are being deployed across their ecosystem and the outcomes being observed. This report offers an aggregate, anonymized view of current implementation patterns, opt-in performance, utilization, and organizational efficiency gains.

Liminal’s Passkey Adoption Study 2025 methodology 

Liminal conducted a proprietary survey of authentication decision-makers to understand how passkeys are being adopted, implemented, and evaluated across digital platforms. The research focuses on 200 organizations that have already deployed passkeys or are planning to adopt them within the next two years. This study examines key performance indicators, including adoption rates, opt-in behavior, user satisfaction, implementation challenges, and buyer priorities. It offers a data-driven perspective on how passkeys are performing in the market today and where the most important opportunities for improvement and growth exist.

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance was formed in July 2012 to address the lack of interoperability among strong authentication technologies and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services. For more information, visit www.fidoalliance.org.

Contact
press@fidoalliance.org

Six Months of Passkey Pledge Progress https://fidoalliance.org/six-months-of-passkey-pledge-progress/ Tue, 14 Oct 2025 15:03:02 +0000 https://fidoalliance.org/?p=87377 In April we invited organizations around the world to take the Passkey Pledge, a voluntary commitment to increase awareness and adoption of passkey sign-ins to make the web safer and more accessible.

Passkey adoption is growing rapidly, with tens of billions of user accounts now equipped with the option to use a passkey instead of relying on passwords. We launched the Passkey Pledge to help rally the industry and accelerate adoption even further, helping even more organizations to realize the dual benefits of heightened security and a frictionless user experience.

When we launched the Pledge, we set out five goals to suit a range of organizations and use-cases, with the aim of achieving them over the next 12 months. Over 200 companies responded to our call and took the pledge. As we reach the halfway point in this journey, there have already been some incredible success stories and we wanted to highlight and share some of them with the community for inspiration.

Atlancube: The company’s commitment to the Passkey Pledge “accelerated our internal development and certification timelines” culminating in its product passing interoperability testing and successfully completing both FIDO2 CTAP2.1 and U2F L1 authenticator certifications. Primarily, this will help Atlancube prepare to launch a certified hardware security key that supports passkey sign-ins. It also helped increase awareness of the importance of passkeys among its engineering and business teams, strengthening cross-functional collaboration.

Dashlane: The password manager and credential security platform has upgraded the security of user passkeys it stores, by signing passkey challenges in a remote secure environment. The company has also integrated FIDO2 security keys into its product, replacing the master password with a hardware-backed secret to encrypt the user’s vault.

First Credit Union: The member-owned financial institution in New Zealand with over 60,000 members partnered with Authsignal to implement FIDO Certified passkey infrastructure. It adopted passkeys as it was the only approach that struck the right balance between security, usability and accessibility for its diverse membership base. Since rolling out passkeys, 58.4% of its members adopted the new authentication experience, with 54.5% of all authentications now using passkeys. In addition, over 23,500 members enrolled in multi-factor authentication. Read more in the First Credit Union case study.

Glide Identity: Glide Identity has achieved FIDO certification for its new products, joining the ranks of certified providers delivering standards-based authentication solutions. This certification validates Glide Identity’s commitment to interoperability and positions the company to serve organizations worldwide seeking reliable, FIDO-compliant authentication solutions.

HYPR: Took the Passkey Pledge to help realize a public good in eliminating shared secrets and passwords. The company has already delivered on its pledge, deploying passkeys at scale to Fortune 500 enterprises and beyond, including two of the four largest US banks.

LY Corporation: Made its Passkey Pledge to contribute to the industry-wide adoption of passkeys. During the last six months the company has increased the number of touchpoints where passkey sign-in is triggered, as well as publishing educational content to improve user literacy about passkeys. This has resulted in improved passkey sign-in rates of 41%, and reduced SMS transmission costs by replacing SMS OTPs with passkeys.

NTT DOCOMO: Has made significant progress on its Pledge to demonstrate actions that measurably increase the use of passkeys by users when signing into their services. The company has continuously improved the user experience by improving and refining messages on passkey enrollment and error pages to make them more customer friendly. NTT DOCOMO is confident of reaching its target to increase passkey usage ratio by 10% within the year since taking the Pledge.

Secfense: Has enabled support for passkey sign-ins across enterprise environments without requiring changes to existing applications. The company has implemented large-scale passwordless rollouts in highly regulated sectors, including banking and insurance, completing projects in just a few months. These deployments replaced passwords with phishing-resistant FIDO authentication, without modifying existing systems or disrupting users, proving that full passkey adoption is possible even in legacy infrastructures.

Thales: Over the last six months, Thales has extensively promoted the benefits of passwordless authentication and passkeys to its customer base and other organizations through sponsored events, workshops, webinars and other channels. This is part of the company’s long-standing commitment to fight against phishing and improve both security and user convenience.

We’d like to extend a big thank you to all those who signed up to the pledge and for sharing an early snapshot of the progress you’ve made. We’ll provide more insights and updates as the Passkey Pledge moves into the final 6-month stretch. It’s not too late to take the Pledge this year – we’ve already seen how much can be achieved in such a short space of time. If you’ve already taken the Pledge, tell us about your progress as we’d love to share your success with others in the future.

Passkey Index 2025 https://fidoalliance.org/passkey-index-2025/ Tue, 14 Oct 2025 15:03:00 +0000 https://fidoalliance.org/?p=87376 FIDO has launched the Passkey Index, which provides a composite view of data from leading service providers – including Amazon, Google, LY Corporation, Mercari Inc., Microsoft, NTT DOCOMO, PayPal, Target and TikTok – on the adoption, utilization and business impacts of passkeys. It reveals significant passkey uptake and benefits for online services offering passkey sign-ins. Read the full report here.

White Paper: FIDO and the Shared Signals Framework https://fidoalliance.org/white-paper-fido-and-the-shared-signals-framework/ Thu, 09 Oct 2025 19:29:20 +0000 https://fidoalliance.org/?p=87257 Orchestrating Agile and Secure IAM Workflows

October 2025

Authors:

Jacob Harlin, Microsoft
Josh Cigna, Yubico
Martin Gallo, HYPR
Sumana Malkapuram, Netflix
Apoorva Deshpande, Okta

Abstract

In today’s fragmented enterprise security landscape, identity and access management (IAM) systems often operate in silos. The need for cohesive, real-time coordination across platforms is more critical than ever. This paper introduces a strategic approach that combines FIDO-based strong authentication with the OpenID Foundation’s Shared Signals Framework (SSF) to orchestrate agile and secure IAM workflows, enable stronger continuous authentication, and promote collaborative defense against identity threats.

FIDO protocols offer a robust foundation for user authentication as they leverage public-key cryptography to eliminate password-based vulnerabilities. However, authentication alone is insufficient for sustaining zero-trust principles. Once an authenticated session is established, its trustworthiness must be continuously evaluated. This broader need for continuous evaluation is where SSF comes in – enabling the secure exchange of identity and security events, such as risk signals and session revocations, across disparate systems and vendors.

This document explores how integrating SSF into IAM architectures enhances visibility and responsiveness throughout the user journey, including joiner-mover-leaver (JML) and account recovery scenarios. It also highlights how the Continuous Access Evaluation Profile (CAEP) and Risk Incident Sharing and Coordination (RISC) profiles, when layered atop FIDO2, empower organizations to make real-time, risk-informed decisions that reduce fraud and accelerate incident response.

This synthesis of FIDO and SSF represents a paradigm shift toward continuous, adaptive trust that enables organizations to move beyond static controls and toward dynamic, signal-driven security ecosystems.

Audience

This white paper is for enterprise security practitioners and identity and access management leaders whose responsibility is to protect the security and life cycle of online and identity access management. Specifically, the target audience should include those whose purviews cover activity monitoring for threat detection and response as well as IAM staff who support those goals. Additionally, IAM leadership and architects should review this document to understand opportunities the described technologies offer and the implications of implementing them.

1. Introduction

The FIDO Authentication protocol has a proven track record of securing initial session authentication by leveraging strong public key infrastructure (PKI) based cryptography. Adoption of this technology has been a leap forward as a unified approach for secure and usable session establishment; however, the ability to maintain, monitor, and manage ongoing sessions has historically remained fractured. This challenge is exacerbated by the reality of today’s enterprise security landscape, where numerous security vendors and solutions often operate in silos with limited communication. These barriers hinder comprehensive security outcomes during adverse events, leading to localized mitigations rather than unified responses.

Shared signals offer a crucial pathway to facilitate a more holistic and effective response by providing a way to exchange security events across vendor boundaries. Ongoing management and monitoring are required to adopt the full zero-trust model. The OpenID Foundation’s Shared Signals Framework (SSF) aims to address these challenges. If you root an IAM program with a strong footing, such as FIDO-based authentication, and combine it with strong ongoing activity monitoring enabled by SSF, you can achieve substantial changes that reduce (and enable you to react to) fraud and malicious activity.

2. What is the Shared Signals Framework?

The Shared Signals Framework (SSF) standard simplifies the sharing of security events across related and disparate systems. The framework allows organizations to share actionable security events and enables a coordinated response to potential threats and security incidents. SSF is defined by the OpenID Foundation’s Shared Signals Working Group (SSWG). The SSF standards are still evolving, but evaluation of the specifications provides a clear picture of what the SSWG hopes to achieve and can inform practitioners around what can be done with these tools today. The goal of this framework is to define a common language and mechanism for communicating actionable security events in near real-time, that allows systems to respond more effectively and in a coordinated way to potential threats.

SSF helps bridge gaps between identity providers, relying parties, and other services by creating a unified way for entities to notify each other of relevant changes, such as risk signals or session status updates. 

For example, Mobile Device Management (MDM) tools can transmit a device compliance change event to indicate a user’s laptop is no longer compliant with corporate policies. When this event is received by a downstream system, that service may determine that the user’s authenticated session should be terminated until such a time as the device moves back into a healthy state. 

Note: It is important to remember that SSF security events standardize and facilitate the sharing of information. They are not directives. Recipients need to determine the actions to take in case of a security event.

The SSF standard describes how to create and manage streams, which are used to deliver notification of events to the receiver using push (RFC 8935) and poll (RFC 8936) mechanisms. From a technical perspective, SSF describes using secure, privacy-protected generic webhook transit with events delivered via HTTP in streams.

Software vendors can act as transmitters and receivers; however, they must establish independent unidirectional streams. Events are formatted as Security Event Tokens (SETs) (RFC 8417) and the entities involved are identified by Subject Identifiers for Security Event Tokens (RFC 9493). Additional Subject Members are also defined in the OpenID Shared Signals Framework Specification 1.0.

Since SETs do not describe the content or semantics of events, the SSWG is developing two standard profiles under SSF:

  • Continuous Access Evaluation Profile (CAEP): For sharing access-relevant state changes like token revocation or device posture.
  • Risk Incident Sharing and Coordination (RISC): For sharing signals about “risky” behaviors, such as account compromise.

2.1 Continuous Access Evaluation Profile (CAEP)

To further simplify interoperability between various vendors, the SSWG has also defined the CAEP Interoperability Profile. This specification “defines the minimum required features from SSF and CAEP that an implementation MUST offer in order to be considered as an interoperable implementation” (CAEP Interoperability Profile).

Federated systems commonly assert the login only during initial authentication, which can create security risks if user properties (such as location, token claims, device status, or org membership) change during an active session. CAEP aims to enhance the “verify, then trust” mantra by defining a common event profile to communicate such changes as they happen. For example, early proposed examples suggest CAEP events can be used to:

  • Tie risk signals to known identities (users and non-human identities (NHIs))
  • Track sessions and behavioral changes over time
  • Dynamically adjust access without requiring the user to re-authenticate

This list is non-exhaustive, and capabilities are expected to grow and evolve as CAEP is more widely adopted. Because CAEP is built upon SSF principles, interoperable push and poll of SETs can be sent in real-time between trusted entities. These entities can include identity providers, relying parties (RP), monitoring systems like Security Information and Event Management (SIEM) systems, MDM systems, or any security-focused software vendor. 

When an entity receives a SET, they can then evaluate the event and decide whether to revoke tokens or transmit an updated security status to other services. Monitoring systems such as MDM, endpoint detection and response (EDR)/extended detection and response (XDR), SIEMs, or any security-focused software vendor can emit/consume CAEP events. As enterprise architectures evolve, CAEP can serve as a foundational tool for zero-trust strategies, enabling continuous and adaptive access evaluation that is informed by real-time context.

2.2 Key components of the Security Event Token (SET)

At the core of SSF is the Security Event Token (SET), a JWT-based envelope defined by RFC 8417 that provides the foundational format for encoding and transporting these events.

“The intent of this specification is to define a syntax for statements of fact that SET recipients may interpret for their own purposes.” (RFC 8417)

Based on this principle, SETs provide a structured, interoperable format to convey claims (statements of fact) such as account changes, credential updates, or suspicious activity, without prescribing any particular enforcement action. This allows recipient systems to evaluate and respond to events in accordance with their own policies. Each profile (CAEP, RISC, SCIM) imposes specific constraints on the base SET and its associated subject identifiers (per RFC 9493), thereby defining clear semantics and expected behaviors for particular use cases. 

The SET itself is composed of several key claims, which together define the issuer, audience, subject, and full event context. A full description is available within the official documentation from the OpenID Foundation, RFC 8417, and RFC 9493. The following is a brief outline of these claims.

  • iss (issuer) – Represents the entity that issued the token, such as https://idp.example.com/ (as per SET examples). This is used by the receiving service to verify that the event originates from a trusted provider.
  • aud (audience) – Specifies the intended recipient of the token. Depending on the deployment, the recipient may be the relying party application, an identity provider, or another trusted service. This helps ensure that only the designated service processes the security event.
  • jti (JWT ID – unique event identifier) – A unique identifier for this specific event within the security stream. Helps with tracking and deduplicating events to avoid processing the same event multiple times.
  • iat (Issued At Timestamp) – Indicates the exact Unix timestamp when the event was generated. Helps determine the event’s freshness and prevent replay attacks.
  • sub_id (subject identifier) – Structured information that describes the subject of the security event. 
  • events (Security Events Information) – The core claim that contains details about the specific security event. This is a mapping from an event type identifier (for example, https://schemas.openid.net/secevent/risc/event-type/account-disabled) to an event-specific JSON object that typically includes attributes such as subject, contextual metadata (for example, reason, timestamp, and risk level), and any profile-defined parameters required to interpret and act on the event.
  • event_timestamp – Represents the date and time of an event. Uses NumericDate.
  • txn (Transaction Identifier) – OPTIONAL – Represents a unique transaction value. Used to correlate SETs to singular events.
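
The claims listed above, as an added example (not code from the white paper or from the OpenID specifications): a receiver that checks a SET's envelope (typ, signature, iss, aud, iat freshness, jti de-duplication) and only then maps the event type to an action it chooses itself. The issuer and audience URLs, the key, the freshness window and the policy table are assumptions, and HS256 with a shared key stands in for the asymmetric signature a deployment would verify, so that the example needs only the standard library.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this sketch: issuer, audience, key, window, policy table.
TRUSTED_ISSUERS = {"https://idp.example.com/": b"constructed-demo-key"}
MY_AUDIENCE = "https://rp.example.com/ssf"
MAX_AGE_SECONDS = 300  # freshness window is the receiver's own policy choice
RISC = "https://schemas.openid.net/secevent/risc/event-type/"
CAEP = "https://schemas.openid.net/secevent/caep/event-type/"
# SETs state facts; this table is where the receiver decides what to do.
POLICY = {
    RISC + "account-disabled": "terminate_sessions",
    RISC + "credential-compromise": "require_step_up",
    CAEP + "session-revoked": "terminate_sessions",
}

class SetRejected(Exception):
    """Raised when a SET fails an envelope check."""

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_set(claims, key):
    """Transmitter side: wrap claims in a signed JWT with the SET media type."""
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part).encode()) for part in (header, claims))
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)

class SetReceiver:
    def __init__(self):
        self.seen_jti = set()  # in-memory stand-in for a persistent store

    def process(self, token, now):
        """Validate the envelope, then return [(decision, sub_id), ...]."""
        try:
            h64, p64, s64 = token.split(".")
            header = json.loads(b64url_decode(h64))
            claims = json.loads(b64url_decode(p64))
            signature = b64url_decode(s64)
        except (ValueError, TypeError) as exc:
            raise SetRejected("malformed token") from exc
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise SetRejected("malformed token")
        # Pin algorithm and type; the token must not choose its own verifier.
        if header.get("alg") != "HS256" or header.get("typ") != "secevent+jwt":
            raise SetRejected("unexpected alg or typ")
        iss = claims.get("iss")
        key = TRUSTED_ISSUERS.get(iss) if isinstance(iss, str) else None
        if key is None:
            raise SetRejected("untrusted issuer")
        expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise SetRejected("bad signature")
        aud = claims.get("aud")
        if MY_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
            raise SetRejected("wrong audience")
        iat = claims.get("iat")
        if not isinstance(iat, (int, float)) or abs(now - iat) > MAX_AGE_SECONDS:
            raise SetRejected("outside freshness window")
        jti = claims.get("jti")
        if not isinstance(jti, str) or jti in self.seen_jti:
            raise SetRejected("missing or replayed jti")
        events = claims.get("events")
        if not isinstance(events, dict) or not events:
            raise SetRejected("no events")
        self.seen_jti.add(jti)
        return [(POLICY.get(t, "log_only"), claims.get("sub_id")) for t in events]

def outcome(receiver, token, now):
    """Return the decisions for a token, or the rejection reason as a string."""
    try:
        return receiver.process(token, now)
    except SetRejected as exc:
        return f"rejected: {exc}"

NOW = 1_760_000_000  # constructed clock value
SAMPLE_CLAIMS = {  # constructed SET payload
    "iss": "https://idp.example.com/",
    "aud": MY_AUDIENCE,
    "jti": "evt-0001",
    "iat": NOW - 5,
    "sub_id": {"format": "email", "email": "user@example.com"},
    "events": {RISC + "account-disabled": {"reason": "hijacking"}},
}

if __name__ == "__main__":
    rx = SetReceiver()
    token = sign_set(SAMPLE_CLAIMS, TRUSTED_ISSUERS[SAMPLE_CLAIMS["iss"]])
    print(outcome(rx, token, NOW))  # first delivery is accepted
    print(outcome(rx, token, NOW))  # second delivery of the same jti is refused
```

Unknown event types fall through to `log_only` rather than being rejected, which keeps the receiver tolerant of profiles it has not yet adopted.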

2.3 Risk Incident Sharing and Coordination (RISC)

While CAEP defines a standardized messaging transport for communicating session-related state changes between trusted parties during active sessions, additional security events that might compromise an identity outside of a single session must also be addressed. This is where Risk Incident Sharing and Coordination (RISC) comes into play. 

RISC is designed to share security events that are related to potential threats, credential compromises, and account integrity across federated systems. RISC hopes to define profiles that enable each recipient system to assess and act upon security events based on their unique risk policies, rather than mandating specific enforcement actions. 

RISC SETs might also empower standards compliant systems (via the System for Cross-Domain Identity Management (SCIM) standard for example) to communicate “statement of fact” assertions, with the goal to enable simpler automation and coordination across an asynchronous federated environment.

It is important to remember that RISC, like CAEP, suggests a framework of profiles and roles for platforms to leverage.

  • SETs only state provable assertions. They do not issue specific directives.
  • Receivers may need to leverage profiles that are not yet established, to always take prescribed actions based on SETs received from transmitters. However, those profiles need to be understood by the transmitter/receiver pair.
  • The ultimate goal is to enable more automation and faster reactivity across sessions through the sharing of SETs.

3. SSF and user journeys 

When you plan for implementation of IAM tools and capabilities, it is a common practice to consider the user journeys that need to be supported. These user journeys include day-to-day authentication and authorization processes, as well as more impactful (but less common) JML and recovery processes. Both CAEP and RISC methodologies can be used to enhance these workflows, building off strong authentication backed with FIDO2. With FIDO2 you are able to make decisions about users with certainty and with SSF you can track actions and react more quickly and accurately based on identity signals and user behaviors.

While the adoption of SSF is expected to grow, it will be up to the individual practitioner or organization to best determine how to leverage these capabilities. At the time of writing, the proposed workflows (as well as many of the transmitter and receiver interfaces) all need to be manually created and configured. Instead, it is recommended that you evaluate how these suggestions can enrich existing workflows and request delivery of these capabilities from your vendors and implementers.

3.1 Onboarding (joiners) and upgrading (movers) access

One journey that affects every end user is the joiner, or onboarding, process which generally establishes accounts for a user before they start at an organization. Accounts are created and entitlements are granted, with the expectation that they will not be used immediately. This timeframe is normally documented as “Day Zero -1.” This timeframe varies depending on organizational practices, but in order to ensure a speedy onboarding process most mid to large sized organizations follow this trend. 

The risk here is that it is easy to perform open-source intelligence (OSINT) gathering and enumerate accounts that fall into the “pending start day” category. The current set of IAM tools may lack the intelligence or agility to dynamically enable and disable accounts based on a strong identity proofing workflow, and the business demand of “hitting the ground running” often means that these accounts are active and unmonitored before a user starts.

Profiles built on the Shared Signals Framework (specifically RISC) can be leveraged to enhance this process. You can develop workflows that use the successful establishment of FIDO credentials via strong ID Proofing workflows, or initial detection of the use of pre-registered FIDO credentials, to trigger account enablement via IAM systems. With this workflow, accounts can sit inactive during the “Day Zero -1” timeframe and will only be dynamically activated once a successful strong authentication has been detected.

Role or access changes (known as mover workflows) can follow a pattern similar to that of the onboarding enhancement. New accounts can be created in a disabled state, awaiting specific triggers (such as date and time) in conjunction with authentication. RISC also opens the door to more dynamic access elevation, where the signaling framework can be used to trigger approval workflows in IAM ticketing and provision systems to temporarily grant higher privileges or roles.

Creative use of the shared signals frameworks, paired with a FIDO backed Root of Trust (RoT), can strengthen and enhance joiner and mover user journeys. These emerging techniques should be evaluated and adopted in a timely manner, to raise the bar for all IAM practitioners.

3.2 Device recovery/replacement

Another common user journey is establishment of a user on a new device. While it is similar to the onboarding journey, pre-existing permissions, accounts, and roles add complexity to this journey. This is also a common area of attack as attackers can abuse this workflow to enroll their own devices or otherwise compromise the pre-existing identity via unsecured channels.

A best practice for device loss workflows is to lock down access as soon as a lost device is reported. You can leverage RISC signals to inform RISC consumer systems of the new device registration activity as part of an automated workflow that helps disable access as needed. Once a new device is issued, an identity can be re-established on the new device with a FIDO2 authentication workflow. The workflow can then leverage RISC signals to have IAM provisioning systems re-enable access.

Similar workflows can be leveraged if the FIDO2 authenticator needs to be replaced. This includes the loss of a device that contains a synced credential or a hardware token that contains a device-bound credential. Identity proofing workflows need to be leveraged to securely re-establish identity before a new credential can be bound to a user’s account. After this workflow is complete, RISC signals can be leveraged to re-enable sensitive access that was disabled when the credential was reported missing.

3.3 Offboarding (Leaver events in JML)

Offboarding workflows fall into two categories: planned and unplanned. Planned offboarding remains fairly unimpacted by SSF. It is possible to leverage CAEP signals to trigger termination of any active sessions after the user signs off for the last time. However, the SSF is more useful for unplanned offboarding events. A workflow can evaluate CAEP signals, and any open sessions can be identified and ended. As part of this workflow FIDO credentials should be de-associated from the user’s accounts, ensuring that the user can no longer log in. Both of these controls can ensure that unplanned offboarding events are well controlled and executed across the board.

3.4 Session tracking

Within the scope of modern identity security, session tracking plays a pivotal role in maintaining the integrity and security of user sessions. While authentication methods like FIDO effectively protect the initial login, they are significantly enhanced when complemented by session tracking. This involves the continuous monitoring of a session’s behavior and context throughout its entire lifecycle, from creation to termination. Such ongoing evaluation is crucial for identifying risk signals that may indicate potential security threats, such as session hijacking or unauthorized access attempts.

Platforms within a networked environment use CAEP events to send a range of signals to an authentication system responsible for managing sessions. You can utilize session tracking data so that as events are received, the authentication system can implement appropriate security measures, such as enforcing step-up authentication or terminating sessions. These events originate from multiple, diverse platforms, which each act as both transmitters and receivers within the SSF. This interconnected network offers valuable insights into potential security threats, enabling each platform to contribute to and enhance session tracking across the entire network.

To illustrate the impact of session tracking, we will explore use cases that compare an environment that uses only WebAuthn authentication with an environment that uses an enhanced approach that incorporates continuous authentication and shared signals. This comparison highlights how continuous session tracking can significantly bolster security and mitigate risks. 

The following table describes some possible ways to design these workflows. The table outlines the traditionally observed behaviors of systems and how security policies can be enhanced with the inclusion of SSF capabilities. When compared side by side, you can see the advantages provided by the adoption of SSF signaling. 

User Journey – Adding continuous access and session evaluation to a high assurance authentication.

| Scenario | FIDO (Point-in-Time Authentication) | FIDO + SSF (Continuous Assessment and Signals) | CAEP/RISC events |
| --- | --- | --- | --- |
| Initial authentication | User logs in using WebAuthn. | User logs in using WebAuthn. | NA |
| Session establishment | Session is established and remains valid until expiration or logout. | Session is established with continuous monitoring enabled. If a disallowed event signal is received (for example, credential compromise, risk alert, or policy violation), the session can be revoked or re-evaluated immediately instead of waiting for expiration or logout. | CAEP session-established |
| Threat intelligence alert | No visibility or action. | A threat intelligence system (for example, EDR/XDR or an anti-phishing platform) watches for a phishing campaign targeting a user group. If a phishing campaign is detected, the system acts as a transmitter and sends a RISC credential-compromise event to the Identity Provider (IdP), which functions as the SSF receiver in this scenario. Upon receiving the event, the IdP correlates the identity, flags the session, and revokes it as necessary. The IdP can then act as a transmitter and issue a CAEP session-revoked event to other downstream SSF receivers, such as SaaS applications or partner services. This enables receivers to take appropriate actions (for example, terminating sessions or prompting re-authentication) based on the trust change initiated by the IdP. | RISC: credential-compromise; CAEP: session-revoked |
| Session hijack or replay (post threat alert) | Session remains valid and an attacker can reuse the stolen session token (for example, via fixation or XSS), as FIDO-only systems do not have post-authentication visibility. | Signals (for example, from threat intelligence platforms) elevate risk and those events are transmitted to receivers like the IdP, which then terminates the session. This prevents the reuse of any compromised session tokens. | CAEP: risk-level-changed |
| Step-up authentication (post threat alert) | Not triggered. | After receiving a RISC credential-compromise event from a threat intelligence system, the Identity Provider (IdP) flags the session as high-risk and prompts the user to authenticate using FIDO WebAuthn. Once the user completes strong re-authentication, the IdP issues a CAEP assurance-level-change event to reflect the increased assurance level. This event can also be transmitted to downstream consumers such as audit platforms or relying parties, enabling consistent assurance tracking. | CAEP: assurance-level-change |

4. Filling gaps – complements to FIDO and conclusion

As demonstrated by the use cases outlined above, both CAEP and RISC pair well with FIDO authentication standards to improve the overall security posture and practices of enterprises and organizations. These cases cover only the largest areas where these frameworks should be adopted and integrated into current tools and workflows. In addition to our recommendation to implement these standards, a robust and well-planned SSF/FIDO program can provide buffers and flagging against potential false-positive signaling, and can make it easier for Network Operations Centers (NOCs) to attribute improper activity and detect rogue actors.

SIEM systems rely on credible data from endpoints. SSF helps to normalize the structure of many tasks that historically have required bespoke connectors. Shared signals (such as CAEP session state changes or RISC credential-compromise events) can add clarity and deeper insight into principal (the user or entity associated with the event) and system behavior. Additionally, SSF-enabled SIEM or IAM tools can be leveraged to strengthen current step-up authentication practices, providing native ways to track high-privilege interactions without relying fully on third-party systems that are single points of failure.

In the past, passive signals were used for dark web monitoring. With shared signals coordination, we now have the capability to send notifications and cycle credentials automatically for systems that do not support strong authentication. Accounts with leaked credentials can either be auto-disabled and shunted to a reset workflow that is backed by strong authentication with FIDO, or automatically rotated with credentials that are vaulted and retrievable with IDV or FIDO authentication. Stolen credentials may not be limited to usernames and passwords and can also include stolen synced passkeys and/or certificates. CAEP can be leveraged to communicate out-of-context credentials, and the shared signals should be leveraged as part of a risk-based authentication workflow.

CAEP, RISC, and FIDO provide a risk-averse way to enable federated login. Implementing both enhanced session tracking and strong authentication creates a workflow in which external users can leverage federated login processes while security teams can more closely monitor and attribute activity and behavior. In the Customer Identity space, these enhanced signals can provide more secure ways to allow end users to authenticate using their existing trusted identity provider accounts (for example, Google, Apple or enterprise Identity Providers) instead of creating new local credentials, through enhanced session tracking and strong, phishing-resistant authentication.

When practitioners and vendors embrace RISC and CAEP frameworks for signaling, they strengthen not only their own environments but also the broader information security ecosystem. A common, interoperable signaling language increases the ability of systems across organizational boundaries to track and correlate user and process activity, detect inappropriate behavior, and respond consistently. In this way, the adoption of SSF moves security practice toward a more collaborative, standards-based model that prioritizes shared defense and ecosystem resilience. When SSF is put into practice, it enables external entities to be better informed in real time, improving collective security and ensuring that end users are more effectively protected.

5. SET examples

This section contains several mock-up examples of how SETs are structured. These are provided to add clarity to the contents and capabilities of each component of the SSF. They describe the information systems can expect to receive and what data points can be included in a token.

5.1 CAEP example tokens

CAEP provides a standardized way to communicate access property changes in real time. It defines Security Event Tokens (SETs), which are sent by transmitters using the SSF framework. Upon receiving a CAEP event, the receiver can dynamically adjust access permissions, which reinforces zero-trust security principles and ensures security decisions remain context aware and adaptive. 

The following are examples of key CAEP Security Event Tokens (SETs).

5.1.1 Session revoked

Session revoked: Indicates an active session has been terminated

[Figure: event transmission example]
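The IdP flow from the user journey (receive a RISC credential-compromise SET, revoke the user's sessions, then transmit a CAEP session-revoked SET downstream) can be exercised end to end; the following is an added example, not code from the white paper or from any FIDO or OpenID project. The HS256 shared keys, the example.com issuers, the `IdP` class and the in-memory session store are assumptions made so the block runs with the standard library only; real deployments would normally use asymmetric signatures.

```python
import base64, hashlib, hmac, json, time, uuid

RISC_CRED_COMPROMISE = "https://schemas.openid.net/secevent/risc/event-type/credential-compromise"
CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_set(iss, aud, sub_id, event_type, payload, key):
    """Build a SET (RFC 8417). HS256 is an assumption to stay stdlib-only."""
    claims = {"iss": iss, "aud": aud, "iat": int(time.time()),
              "jti": uuid.uuid4().hex, "sub_id": sub_id,
              "events": {event_type: payload}}
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    body = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    return body + "." + _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def verify_set(token, key, iss, aud):
    """Return the claims only if type, signature, issuer, audience and shape check out."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(_unb64(h)), json.loads(_unb64(p)), _unb64(s)
    except ValueError as exc:  # bad base64, bad JSON or wrong number of parts
        raise ValueError("malformed SET") from exc
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        raise ValueError("malformed SET")
    if header.get("alg") != "HS256" or header.get("typ") != "secevent+jwt":
        raise ValueError("unexpected alg or typ")  # pin the algorithm, never trust the header
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    if claims.get("iss") != iss or claims.get("aud") != aud:
        raise ValueError("wrong issuer or audience")
    if not claims.get("jti") or not isinstance(claims.get("events"), dict):
        raise ValueError("missing jti or events")
    return claims

class IdP:
    """Hypothetical IdP: SSF receiver for threat intel, transmitter to downstream apps."""
    def __init__(self, iss, rx_key, tx_key, trusted_iss):
        self.iss, self.rx_key, self.tx_key, self.trusted_iss = iss, rx_key, tx_key, trusted_iss
        self.sessions = {}     # session id -> user email
        self.seen_jti = set()  # replay and duplicate-delivery guard

    def receive(self, token, downstream_aud):
        """Process one inbound SET; return the CAEP SETs to send downstream."""
        claims = verify_set(token, self.rx_key, self.trusted_iss, self.iss)
        if claims["jti"] in self.seen_jti:
            return []
        self.seen_jti.add(claims["jti"])
        subject = claims.get("sub_id")
        if RISC_CRED_COMPROMISE not in claims["events"]:
            return []
        if not isinstance(subject, dict) or subject.get("format") != "email":
            return []
        revoked = [sid for sid, user in self.sessions.items() if user == subject.get("email")]
        for sid in revoked:
            del self.sessions[sid]
        if not revoked:
            return []
        payload = {"event_timestamp": int(time.time()), "initiating_entity": "policy",
                   "reason_admin": {"en": "RISC credential-compromise received"}}
        return [sign_set(self.iss, downstream_aud, subject, CAEP_SESSION_REVOKED,
                         payload, self.tx_key)]

def demo():
    """Constructed data: example.com issuers, demo keys, three in-memory sessions."""
    idp = IdP("https://idp.example.com", b"ti-to-idp-demo-key", b"idp-to-app-demo-key",
              "https://ti.example.com")
    idp.sessions = {"s1": "alice@example.com", "s2": "bob@example.com", "s3": "alice@example.com"}
    alert = sign_set(idp.trusted_iss, idp.iss, {"format": "email", "email": "alice@example.com"},
                     RISC_CRED_COMPROMISE, {"credential_type": "password"}, idp.rx_key)
    out = idp.receive(alert, "https://app.example.com")
    app = "https://app.example.com"
    return sorted(idp.sessions), [list(verify_set(t, idp.tx_key, idp.iss, app)["events"]) for t in out]

if __name__ == "__main__":
    print(demo())
```

The receiver rejects a SET before acting on it if the signature, `typ`, issuer or audience is wrong, and a repeated `jti` is ignored so that redelivery cannot trigger a second round of actions.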

5.1.2 Credential changes

Token claims change: Signals changes in token claims such as roles, entitlements, and group memberships that affect access control.

Credential change: Signals that a user’s credentials have been changed (for example, deleted, updated, created, or revoked). Examples of credentials include passwords, fido2-platform, and fido2-roaming. 

[Figures: event transmission examples]

5.1.3 Assurance level or compliance change

Assurance level change: Indicates that the assurance level of a user’s authentication has changed, impacting session security.

Device compliance change: Signals a change in the security posture of a user’s device. For example, a previously compliant device is now non-compliant.

[Figure: transmission event for device compliance example]

5.2 RISC example tokens 

The following examples show the key RISC SETs.

5.2.1 Account credential change required

Indicates an event requiring a credential update for the subject, typically due to detected compromise or reuse. For example, this helps prevent credential stuffing attacks across federated accounts. 


5.2.2 Account enabled

Notifies that a previously disabled account has been re-enabled. This allows relying parties to reinstate access where appropriate (for example, after resolving a false positive).

5.2.3 Account purged

Notifies that the subject’s account has been permanently deleted and should no longer be recognized by relying parties.

5.2.4 Account disabled

Notifies that the subject’s account has been disabled and is no longer accessible. This helps prevent unauthorized access (for example, after fraud detection or HR termination).

[Figure: transmission event for account disabled for fraud detection]

5.2.5 Identifier changed/recycled

Notifies when a user’s identifier (for example, email or username) has changed or is reassigned. Helps prevent unauthorized access using outdated identifiers.


6. Document history

Change | Description | Date
Initial publication | White paper first published. | October 2025

7. References

Internet Engineering Task Force (IETF). (2020, November 30). Poll-Based Security Event Token (SET) Delivery Using HTTP. IETF Datatracker. https://datatracker.ietf.org/doc/rfc8936/

Internet Engineering Task Force (IETF). (2020, November). Push-Based Security Event Token (SET) Delivery Using HTTP. IETF Datatracker. https://datatracker.ietf.org/doc/html/rfc8935

Internet Engineering Task Force (IETF). (2018, July). Security Event Token (SET). RFC 8417. IETF Datatracker. https://datatracker.ietf.org/doc/html/rfc8417

Internet Engineering Task Force (IETF). (2023, December). Subject Identifiers for Security Event Tokens. IETF Datatracker. https://datatracker.ietf.org/doc/rfc9493/

OpenID. (2025, August 29). OpenID Continuous Access Evaluation Profile 1.0. OpenID. https://openid.net/specs/openid-caep-1_0-final.html

OpenID. (2024, June 25). CAEP Interoperability Profile 1.0 – draft 00. OpenID. https://openid.net/specs/openid-caep-interoperability-profile-1_0-ID1.html

OpenID. (2025, August 29). OpenID RISC Profile Specification 1.0. OpenID. https://openid.github.io/sharedsignals/openid-risc-1_0.html

OpenID. (2025, August 29). OpenID Shared Signals Framework Specification 1.0. OpenID. https://openid.net/specs/openid-caep-1_0-final.html

Biometric Update: Germany pushes passkey adoption, releases draft technical guidelines
https://fidoalliance.org/biometric-update-germany-pushes-passkey-adoption-releases-draft-technical-guidelines/
Fri, 03 Oct 2025 20:53:42 +0000

Germany’s Federal Office for Information Security (BSI) is asking for public comment on a draft document that outlines technical considerations for configuring passkey servers.

The draft was published on September 30 and seeks to get inputs from relevant stakeholders, the BSI said in a news release.

The BSI TR-03188 Passkey Server guidelines are available as a draft in version 0.9, the BSI says. It was drafted within the scope of FIDO2 and WebAuthn standards, among others.

Biometric Update: Yubico finds passkeys awareness still lacking in global survey
https://fidoalliance.org/biometric-update-yubico-finds-passkeys-awareness-still-lacking-in-global-survey/
Fri, 03 Oct 2025 20:52:46 +0000

There is a persistent disconnect between perceived cybersecurity and actual vulnerability. That’s the key finding from Yubico’s 2025 Global State of Authentication Survey. The findings indicate a world still reliant on outdated authentication practices, highlighting the need to align personal and workplace cyber hygiene.

PC Mag: Ditch Your Passwords: Why Passkeys Are the Future of Online Security
https://fidoalliance.org/pc-mag-ditch-your-passwords-why-passkeys-are-the-future-of-online-security/
Fri, 03 Oct 2025 20:50:20 +0000

Passkeys are revolutionizing the way we secure our online accounts, with the potential to eliminate passwords altogether. We explain why they offer stronger protection for your digital life and how you can start using them.

There’s a reason everyone is working on a way to replace passwords. They’re often easy to guess, hard to remember, and changing them after every data breach is a pain, even if you do have a password manager. Thankfully, the Fast Identity Online (FIDO) Alliance developed passkeys, a new authentication technology that eliminates the need to enter your email address or a password into login fields around the web, and they’re gaining popularity. For example, Microsoft deleted passwords from its authenticator app in August, but left in support for passkeys.

IT Brief: Help desks emerge as cybersecurity weak spot amid rising attacks
https://fidoalliance.org/it-brief-help-desks-emerge-as-cybersecurity-weak-spot-amid-rising-attacks/
Fri, 03 Oct 2025 20:48:49 +0000

Bojan Simic, Chief Executive of HYPR and a FIDO Alliance board member, warns that IT help desks are increasingly targeted by attackers using social engineering tactics. These tactics often involve leveraging stressful scenarios, such as an executive locked out of their account just before boarding a flight, to pressure help desk agents into bypassing or overlooking security protocols. “The help desk shouldn’t be the weakest link; it should be the first line of defence. That means moving beyond guesswork and adopting identity verification that confirms who someone is, versus what they know or the device they’re using. With phishing-resistant, standards-based verification built into support workflows, agents stop being human lie detectors and start being defenders,” said Simic.

IDAC Podcast: Going Passkey Phishing with Nishant Kaushik, FIDO Alliance
https://fidoalliance.org/idac-podcast-going-passkey-phishing-with-nishant-kaushik-fido-alliance/
Thu, 02 Oct 2025 11:41:39 +0000

In this episode of the Identity at the Center podcast, Jeff and Jim discuss various aspects of identity access management (IAM) policies and the importance of having a solid foundation. They emphasize the need for automation, controls, and how IAM policies should be created without technology limitations in mind. The discussion also covers the implementation challenges and the evolving concept of identity verification. Jeff, Jim, and their guest, Nishant Kaushik, the new CTO at the FIDO Alliance, also delve into the issues surrounding the adoption of passkeys, highlighted by Rusty Deaton’s IDPro article, and address some common concerns about their security. Nishant offers insights into ongoing work at FIDO Alliance, the potential of digital identity, and the importance of community in the identity sector. The episode concludes with mentions of upcoming conferences and an homage to the late identity expert, Andrew Nash.

Ideem: Q/A with Andrew Shikiar, CEO of FIDO
https://fidoalliance.org/ideem-qa-with-andrew-shikiar-ceo-of-fido/
Wed, 01 Oct 2025 18:40:21 +0000

We had the pleasure of sitting down with Andrew Shikiar, CEO of the FIDO Alliance, known for their creation and evangelism of the passkey, the authentication method we’ve all come to know and love. The team here at Ideem are, of course, huge fans of the passkey and what it has done to revolutionize how people authenticate themselves, and were honored that Andrew took the time to answer all of our questions about passkeys and banking. That Q&A is below. Of course, if you’re interested in learning more about how Ideem is making passkeys bank-grade, you can learn more at our site.

First Credit Union: Transforming Digital Banking with Passkeys
https://fidoalliance.org/first-credit-union-transforming-digital-banking-with-passkeys/
Tue, 30 Sep 2025 16:56:57 +0000

Corporate Overview

Founded in 1955, First Credit Union is a member-owned financial institution in New Zealand with over 60,000 members. The organization delivers secure and innovative digital banking experiences through its comprehensive online banking platform. Members access their accounts via mobile app and browser options to manage finances anytime, anywhere. The credit union has embraced cutting-edge authentication technology to enhance both security and user experience for its diverse membership base.

Executive Perspective

“Implementing FIDO authentication through Authsignal has been a game-changer for our members’ digital experience. It’s secure, seamless and sets a new standard for trust in online banking.” – Herb Wulff, Treasury and Agency Banking Manager, First Credit Union

The Business Challenge

As a progressive modern financial institution, First Credit Union has embraced a path toward digital transformation. As part of its journey, it identified several critical challenges impacting both security and user experience.

Those challenges include:

  • Cybersecurity Risks. The organization wanted to reduce reliance on passwords, which are one of the most common attack vectors. First Credit Union sought phishing-resistant authentication methods to mitigate growing security threats.
  • User Experience Friction. Traditional multi-factor authentication methods often create friction in the login process. The credit union aimed to make secure access feel seamless and intuitive for members with varying technical comfort levels.
  • Cross-Platform Compatibility. Members access the platform across diverse devices and operating systems. First Credit Union needed a solution that worked consistently across mobile apps and web browsers.
  • Integration Complexity. The new authentication solution had to integrate smoothly with existing infrastructure. This approach would minimize disruption to internal teams and members during deployment.

Why First Credit Union Chose Passkeys

First Credit Union conducted a thorough evaluation of several traditional and emerging authentication methods. The goal was to find the right balance between security, usability and accessibility for its diverse membership base.

Traditional Options Fell Short

The team explored multiple multi-factor authentication (MFA) methods but found significant drawbacks with each approach. Authenticator apps can enhance security but have vulnerabilities that can be exploited due to their reliance upon one-time codes. They also require members to install and manage a separate app, which added complexity and friction. Email magic links provided convenience but created usability challenges and vulnerability to phishing and email interception risks.

Device credentials delivered a more seamless experience but lacked the standards-based interoperability needed across platforms. The credit union also considered standalone biometric authentication, but these solutions lacked the robust security guarantees and cross-platform compatibility that FIDO standards provide.

A critical insight emerged: offering too many authentication options risked confusing members, especially given the wide range of technical comfort levels across their demographic. A fragmented experience could lead to frustration, support overhead and reduced adoption.

FIDO Delivered What Others Couldn’t

FIDO authentication stood apart from alternatives that still presented significant vulnerabilities to phishing and lacked seamless, standards-based interoperability. The technology offered compelling advantages:

Phishing resistance eliminates shared secrets like passwords or OTPs that attackers can intercept or steal. The passwordless experience reduces friction for members while making access to online banking quicker and more secure. The FIDO2 specification ensures seamless authentication across a wide range of devices and platforms, supporting both the credit union’s app and its browser-based services.

The solution improved member trust and satisfaction through enhanced security and streamlined login processes. It also reduced support overhead from password resets and login issues, allowing the team to allocate resources more efficiently and improve overall service quality.

Implementation Overview

First Credit Union partnered with Authsignal to implement a FIDO Certified passkey infrastructure. The team followed a structured rollout approach:

Phase 1: Internal Testing and Validation

The organization conducted rigorous internal testing to validate passkey integration across mobile and browser platforms. This phase ensured technical stability and compatibility.

Phase 2: Member Education and Communication

First Credit Union launched a targeted communication campaign that included:

  • Clear messaging about passkey benefits
  • Step-by-step setup and usage guides
  • Comprehensive support resources for onboarding

Phase 3: Gradual Branch Network Rollout

The team introduced passkeys in phases across the branch network. This approach allowed for performance monitoring, feedback collection and iterative improvements.

Phase 4: Monitoring and Optimization

Post-launch activities included tracking adoption metrics and authentication usage patterns. Member feedback drove user experience refinements.

Results and Impact

First Credit Union achieved impressive adoption and security outcomes since launching passkeys:

Adoption Metrics

  • 58.4% of members adopted the new authentication experience
  • 54.5% of all authentications now use passkeys
  • Over 23,500 members enrolled in multi-factor authentication

Member Experience

Most members provided positive feedback, citing ease of use and improved trust. Passkeys enabled simplified login through device-native biometrics like facial and fingerprint recognition. Members enjoy a seamless experience across mobile and web platforms.

Operational Benefits

The organization reduced support overhead from password-related issues. First Credit Union enhanced its security posture with phishing-resistant authentication. The infrastructure now aligns with global standards for future readiness.

Future Vision

FIDO authentication serves as the cornerstone of First Credit Union’s long-term digital security strategy. The organization plans these expansions:

  • Secure Transaction Authentication: Extending passkeys to high-risk actions like transaction approvals
  • Internal Systems Access: Implementing FIDO-based authentication for staff systems
  • Third-Party Integrations: Leveraging FIDO’s interoperability for future service integrations

Key Recommendations

First Credit Union offers these insights for organizations considering FIDO implementation:

1. Understand Your User Base: Assess members’ devices, digital habits and comfort levels to tailor the experience appropriately

2. Simplify the Experience: Avoid overwhelming users with too many authentication options

3. Choose the Right Partner: Work with trusted providers who offer expertise in passkey infrastructure

4. Communicate Clearly: Educate users early with clear messaging about benefits and simple setup guides

5. Test Thoroughly: Conduct comprehensive internal testing across platforms before member-facing deployment

TechGenyz: Password-Free Future: How Biometrics & Passkeys Unlock True Security
https://fidoalliance.org/techgenyz-password-free-future-how-biometrics-passkeys-unlock-true-security/
Fri, 26 Sep 2025 16:19:10 +0000

While biometrics offer convenience, passkeys provide the backbone for the next stage in authentication. Developed as a part of a global effort by Apple, Google, Microsoft, and the FIDO Alliance, passkeys replace traditional passwords with cryptographic keys stored securely on a user’s device. Instead of typing in a word or a phrase, users can confirm their identity through a fingerprint, a face scan, or a prompt in a trusted device.
