Passkeys Are Here to Stay. But Don’t Bet Everything on Them

1 September 2025

Passkeys have become the go-to buzzword in authentication.
Built on FIDO standards and designed to eliminate passwords, passkeys offer phishing resistance and better UX - especially on mobile. With support from Apple, Google, and Microsoft, their adoption is only going to grow.
But are passkeys ready for every use case?
Not quite.
Passkeys work well in low-risk scenarios, like logging into a music streaming service or a loyalty account. But for high-risk actions like large transactions, sensitive account changes, or recovery on a new device, there are real limitations.
The main issue? Device dependency.
When a passkey is stored on a phone, accessing it on another device involves using CTAP (Client-to-Authenticator Protocol). But CTAP often creates friction and confusion for users, leading to drop-off or fallback to SMS.
And while passkeys can prove access to a device, they can’t prove identity. They don’t link the credential to a real human. If the device is compromised, so is the account.
By contrast, third-party biometrics, particularly decentralized ones, can:
  • Tie authentication to both the face and the device.
  • Offer seamless recovery if a device is lost.
  • Provide strong identity assurance for high-risk actions.
In our October report, we compare passkeys and biometrics side by side, and show where each makes the most sense.
The future of authentication isn’t passkeys or biometrics - it’s both, used in the right way.
Don’t miss our full analysis in The State of Authentication 2026, launching this October. The State of Authentication 2026 report will cover the five key forces reshaping authentication in the year ahead.
  • Stricter privacy and biometric compliance laws – and why decentralized biometrics are emerging as the only viable long-term solution.
  • Digital identity wallets – and how they’re set to replace traditional KYC and recovery flows.
  • The collision of IPR and PSD3 – and what it means for fraud, liability, and real-time authentication.
  • The evolving deepfake threat – and how organizations can future-proof their biometric systems today.
  • The limitations of passkeys – and why they’re not enough for high-risk scenarios.
Read Next
Blog
Passkeys Are Here to Stay. But Don’t Bet Everything on Them
In this blog, we’ll explain what phishing-resistant MFA is, why it’s essential for securing accounts and preventing breaches, and how businesses can implement it to protect both users and sensitive data.
Read Now
Blog
Deepfakes in 2026: What’s Real, What’s Hype?
Deepfakes are surging, but are they a real threat to biometric authentication yet? Explore the risks, the hype, and what’s next. Read our preview blog ahead of the publication of the 2026 Authentication Trends Report.
Read Now
Blog
IPR + PSD3 Combined: A Perfect Storm for European PSPs
Instant payments in <10 seconds and new liability for scams under PSD3 will reshape the European payments landscape in 2026. Where does this leave authentication? Read our preview blog ahead of the publication of the 2026 Authentication Trends Report.
Read Now
Consumer SolutionsWorkforce SolutionsTechnologyIndustriesResourcesCompanySupport Center
PSD2/SCA CompliantPSD2/SCA Compliant
GDPR CompliantGDPR Compliant
CCPA CompliantCCPA Compliant
FIDO2 CertifiedFIDO2 Certified
FIDO Biometrics CertifiedFIDO Biometrics Certified
ISO 27001 CertifiedISO 27001 Certified
ISO 9001 CertifiedISO 9001 Certified
ISO/IEC 30107-3 CertifiedISO/IEC 30107-3 Certified
NIST AccreditedNIST Accredited
eIDAS Module CertifiedeIDAS Module Certified
© 2025 Keyless. All rights reserved.
Cookie Settings