Passkeys Are Here to Stay. But Don’t Bet Everything on Them

1 September 2025

Passkeys have become the go-to buzzword in authentication.
Built on FIDO standards and designed to eliminate passwords, passkeys offer phishing resistance and better UX - especially on mobile. With support from Apple, Google, and Microsoft, their adoption is only going to grow.
But are passkeys ready for every use case?
Not quite.
Passkeys work well in low-risk scenarios, like logging into a music streaming service or a loyalty account. But for high-risk actions like large transactions, sensitive account changes, or recovery on a new device, there are real limitations.
The main issue? Device dependency.
When a passkey is stored on a phone, accessing it on another device involves using CTAP (Client-to-Authenticator Protocol). But CTAP often creates friction and confusion for users, leading to drop-off or fallback to SMS.
And while passkeys can prove access to a device, they can’t prove identity. They don’t link the credential to a real human. If the device is compromised, so is the account.
By contrast, third-party biometrics, particularly decentralized ones, can:
  • Tie authentication to both the face and the device.
  • Offer seamless recovery if a device is lost.
  • Provide strong identity assurance for high-risk actions.
In our October report, we compare passkeys and biometrics side by side, and show where each makes the most sense.
The future of authentication isn’t passkeys or biometrics - it’s both, used in the right way.
Don’t miss our full analysis in The State of Authentication 2026, launching this October. The report will cover the five key forces reshaping authentication in the year ahead:
  • Stricter privacy and biometric compliance laws – and why decentralized biometrics are emerging as the only viable long-term solution.
  • Digital identity wallets – and how they’re set to replace traditional KYC and recovery flows.
  • The collision of IPR and PSD3 – and what it means for fraud, liability, and real-time authentication.
  • The evolving deepfake threat – and how organizations can future-proof their biometric systems today.
  • The limitations of passkeys – and why they’re not enough for high-risk scenarios.