Passkeys Solve Authentication — Not Identity. Here's Why.
15 billion accounts are passkey-enabled. But passkeys prove you have a device, not who you are. For cross-border and high-risk scenarios, that gap matters.
15 billion accounts are passkey-enabled and phishing is nearly eliminated, but passkeys prove a device is present, not who the person using it is. For cross-border business, regulated industries, AI agent delegation, and high-value transactions, that distinction matters. The fix is identity proofing at enrolment, alongside the passkey.
Passkeys are winning. Microsoft is making them the default for new accounts. Google pushes them prominently across Android and Chrome. Apple has built them into the operating system. The FIDO Alliance reports more than 15 billion online accounts are passkey-enabled as of 2025 — roughly double the year before — and FIDO CEO Andrew Shikiar estimates over 4 billion passkeys are actively in use worldwide. According to the FIDO Passkey Index, passkey login success rates hit 93% compared with 63% for other authentication methods, and sign-in time drops by 73% — from 31.2 seconds to 8.5 seconds on average. And they are, by design, phishing-proof.
The password is dying. Good riddance.
But here is the thing no one putting passkeys on a conference slide is saying clearly enough: passkeys solve authentication. They do not solve identity. And for a growing number of scenarios — cross-border business, regulated industries, AI agent delegation, high-value transactions — that distinction is the difference between security and theatre.
What Passkeys Actually Prove
A passkey proves three things. First, that a specific device is present. Second, that someone with biometric or PIN access to that device has approved the action. Third, that the request comes from the legitimate website or application, not a phishing clone.
This is enormously valuable. It eliminates credential stuffing (there is no password to stuff). It eliminates phishing (the credential is cryptographically bound to the origin). It eliminates shared secrets (the private key never leaves the device). By any measure, passkeys are the most significant improvement in consumer authentication in decades.
But notice what a passkey does not prove. It does not prove who the person using the device is. It proves that someone who can unlock the device with a face, a fingerprint, or a PIN has done so. That someone is almost always the legitimate user. But "almost always" is not "proven."
This matters less for logging into a streaming service. It matters profoundly when the action behind the authentication carries real consequences — a €500,000 bank transfer, a contract signature, an AI agent delegation, a cross-border KYC verification, or an identity proofing event where legal liability depends on knowing exactly who the person is.
The Gap: Authentication vs Identity Proofing
The identity industry distinguishes between two fundamentally different questions.
Authentication asks: "Is this the same person who registered?" A passkey answers this well. The cryptographic key pair, bound to the device and unlocked by biometrics, provides strong assurance of continuity — the person logging in today is the same person who enrolled the passkey.
Identity proofing asks: "Who is this person in the real world?" A passkey does not answer this at all. It inherits whatever assurance existed at the moment of enrollment. If enrollment was a username and email address, the passkey's identity assurance is username-and-email-level — regardless of how strong the cryptography is afterward.
1Kosmos captured this in their 2026 FIDO2 analysis: combining passkeys with identity verification closes one of the most dangerous gaps in passwordless security. Binding passkeys to a proven human identity closes impersonation gaps and supports Zero Trust at scale.
The Hypr State of Passwordless Identity Assurance report made the same point with a sharper edge: in 2026, automated agents will leak more passwords than people, shifting identity risk from human-scale errors to industrial-scale machine automation. Passkeys address the password problem. They do not address the identity problem. The NIST framework formalises this split as two independent axes of assurance: the Authenticator Assurance Level (AAL) and the Identity Assurance Level (IAL).
Why Cross-Border Makes the Gap Visible
Within a single country, identity proofing often happens through national infrastructure. A Swedish BankID. An Estonian ID-kaart. A German eID. These systems verify who someone is at a high assurance level, and a passkey registered after that verification inherits the trust.
Cross-border is where the model breaks.
A Turkish supplier onboarding to a German fintech platform. A Ukrainian driver signing an eCMR at a loading dock in Belgium. A Nigerian contractor accessing a UK company's systems. An Indian developer being delegated AI agent permissions by a US enterprise. In each case, the person needs to prove their identity — not just authenticate with a device — and they have no access to the relying party's national identity infrastructure.
The EUDI wallet will cover 27 EU member states. That leaves around 150 countries with biometric passports but no European digital identity. Passkeys work on any smartphone, anywhere — but they cannot fill the identity proofing gap for someone whose country does not participate in the relying party's trust framework.
This is the cross-border identity problem that no amount of passkey adoption will solve. The device is verified. The person behind it is not.
The Account Recovery Paradox
There is another vulnerability that passkey advocates are increasingly honest about. Account recovery — what happens when someone loses their device — is the weakest link in the passkey chain.
A 2026 architecture analysis on Medium called it the "Account Recovery Paradox" — the inability to reset a client-side private key remains the primary hurdle for enterprise-grade deployment.
When a user loses all devices where their passkeys are stored, the recovery process typically falls back to email verification, SMS codes, or helpdesk interaction — exactly the phishable, social-engineerable methods that passkeys were designed to eliminate. An attacker who can compromise the recovery flow can register their own passkey on the victim's account, and from that point forward, they have a cryptographically strong credential that proves they are the account holder.
This is not a theoretical attack. Helpdesk social engineering is one of the most common vectors for account takeover, as Nametag CEO Aaron Painter emphasised at RSAC 2026: the real risk lies in everything that happens around authentication systems — onboarding, account recovery, and helpdesk interactions are easy paths for attackers to exploit.
The fix is the same as the cross-border fix: identity proofing at the recovery point. Not "answer your security questions" but "prove you are the person who owns this account, using a credential that cannot be phished or social-engineered."
What "Passkey Plus Identity Proofing" Looks Like
The industry is converging on a model where passkeys handle day-to-day authentication and identity proofing handles high-assurance events — enrollment, recovery, high-risk transactions, and cross-border verification.
The practical architecture has three layers.
Day-to-day authentication: passkeys. Fast, phishing-resistant, device-bound. For logging in, accessing routine resources, and performing standard operations. This is where FIDO2/WebAuthn shines and where it should be the default.
High-assurance events: identity proofing. When a new account is created, when a passkey is recovered, when a high-value transaction is authorised, when a cross-border identity is verified. These events require proof of who the person is, not just that they have a device.
Continuous context: risk signals. Behavioural biometrics, device posture, location context, and anomaly detection provide ongoing confidence between explicit verification events.
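To make the inheritance rule from the earlier sections concrete (a passkey carries whatever identity assurance existed when it was bound, and an email-based recovery re-binds at email level), here is a small model of AAL and IAL as separate axes that covers the enrolment, recovery and step-up cases above. It is an added example, not IdentiGate's or NIST's code; the action policy, the evidence levels and the account and session shapes are constructed for the illustration, and the numbers only loosely follow the 1 to 3 scale of NIST SP 800-63-3.

```javascript
// Constructed policy: the assurance each action needs on each axis.
const ACTION_POLICY = {
  'view-balance':       { aal: 1, ial: 1 },
  'wire-transfer-high': { aal: 2, ial: 2 },
  'sign-ecmr':          { aal: 2, ial: 2 },
  'delegate-ai-agent':  { aal: 2, ial: 2 },
};

// Constructed mapping from the evidence collected at a proofing or binding event to the IAL it supports.
const EVIDENCE_IAL = { 'email-link': 1, 'passport-chip-liveness': 2 };

function createAccount() {
  return { ial: 0, passkeys: new Map() };
}

// Only a proofing event raises the account's IAL; an email link never lowers it but never lifts it past 1.
function proofIdentity(account, evidence) {
  if (!(evidence in EVIDENCE_IAL)) throw new Error(`unknown evidence ${evidence}`);
  account.ial = Math.max(account.ial, EVIDENCE_IAL[evidence]);
}

// A passkey inherits the weaker of the account's proven IAL and the evidence used to bind it.
// Nothing the passkey does afterwards can raise that number.
function bindPasskey(account, credentialId, evidence) {
  account.passkeys.set(credentialId, { boundIAL: Math.min(account.ial, EVIDENCE_IAL[evidence]) });
}

// Recovery after losing every device: revoke the old credentials, then bind a new one with whatever
// evidence the recovery flow collected. An email link binds at IAL 1 no matter how the account was proofed.
function recover(account, newCredentialId, evidence) {
  account.passkeys.clear();
  proofIdentity(account, evidence);
  bindPasskey(account, newCredentialId, evidence);
}

// A passkey assertion yields AAL from the authenticator flags and carries the credential's bound IAL.
function sessionFromAssertion(account, credentialId, { userVerified }) {
  const passkey = account.passkeys.get(credentialId);
  if (!passkey) throw new Error(`credential ${credentialId} is not bound to this account`);
  return { aal: userVerified ? 2 : 1, ial: passkey.boundIAL };
}

// Reports which axis falls short so the caller picks the right step-up: a UV re-prompt for 'aal',
// an identity-proofing event for 'ial'. Another passkey prompt never fixes 'ial'.
function authorise(session, action) {
  const need = ACTION_POLICY[action];
  if (!need) throw new Error(`unknown action ${action}`);
  const missing = [];
  if (session.aal < need.aal) missing.push('aal');
  if (session.ial < need.ial) missing.push('ial');
  return { allowed: missing.length === 0, missing };
}

function walkthrough() {
  const account = createAccount();
  proofIdentity(account, 'passport-chip-liveness');          // high-assurance enrolment
  bindPasskey(account, 'cred-A', 'passport-chip-liveness');
  const proofed = authorise(sessionFromAssertion(account, 'cred-A', { userVerified: true }), 'wire-transfer-high');
  const noUV = authorise(sessionFromAssertion(account, 'cred-A', { userVerified: false }), 'wire-transfer-high');
  recover(account, 'cred-B', 'email-link');                  // all devices lost, recovered by email
  const afterEmailRecovery = authorise(sessionFromAssertion(account, 'cred-B', { userVerified: true }), 'wire-transfer-high');
  const routine = authorise(sessionFromAssertion(account, 'cred-B', { userVerified: true }), 'view-balance');
  recover(account, 'cred-C', 'passport-chip-liveness');      // recovery through a fresh proofing event
  const reProofed = authorise(sessionFromAssertion(account, 'cred-C', { userVerified: true }), 'wire-transfer-high');
  return { proofed, noUV, afterEmailRecovery, routine, reProofed };
}
```

The walkthrough shows the paradox in numbers: after the email recovery the new passkey still gives a strong AAL 2 session, and routine actions still work, but the high-value transfer is refused with `missing: ['ial']`, which no further passkey prompt can clear. Only the recovery that goes through a proofing event restores it.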
The identity proofing layer is where the passport chip becomes relevant. A biometric passport's NFC chip provides the strongest widely-available proof of identity: government-issued, cryptographically signed, hardware-protected, and available in around 180 countries. It cannot be deepfaked, phished, or social-engineered.
At IdentiGate, we provide this layer. A person scans their biometric passport via NFC, completes liveness verification, and in 90 seconds receives a device-bound digital identity anchored to a government-issued cryptographic credential. That identity can then be used to enroll passkeys at a high assurance level, to recover accounts without falling back to phishable methods, to sign documents with Advanced Electronic Signatures, and to serve as the verified human root in AI agent delegation chains.
Passkeys handle what happens after identity is established. The passport chip establishes identity itself.
What This Means for Different Sectors
The authentication-vs-identity gap plays out differently depending on the use case.
Financial services and fintech. KYC regulations require knowing who the customer is — not just that they can unlock a device. Cross-border onboarding of customers from 150+ countries cannot rely on European eID infrastructure. Passkeys secure the account after onboarding. Identity proofing via passport chip secures the onboarding itself.
Logistics and freight. An eCMR signature requires a verifiable identity behind the electronic signature. A passkey proves the driver has their phone. A passport-chip-anchored identity proves the driver is who they claim to be — critical when phantom carrier fraud is surging across Europe.
Enterprise and AI agents. When AI agents act on behalf of humans, the delegation chain must trace back to a verified person. A passkey at the root proves a device was present. A proofed identity at the root proves a specific human authorised the agent.
Healthcare. Cross-border access to health records under EHDS requires strong identity assurance. A passkey authenticates a returning user. Identity proofing establishes who the person is when they first access the system.
The Takeaway
Passkeys are not the problem. They are the best solution the industry has produced for day-to-day authentication. The mistake is treating authentication as the entire identity stack — and assuming that phishing-resistant device access equals knowing who someone is.
For high-assurance scenarios, cross-border operations, and regulated industries, passkeys need a foundation: verified identity at enrollment, at recovery, and at high-risk decision points. The passport chip — government-issued, cryptographically signed, available in around 180 countries — provides that foundation.
The passwordless future is arriving. The identity-proofed future still has a gap. Closing it is not about replacing passkeys — it is about giving them the root of trust they need to deliver their full promise.
Sources
- FIDO Alliance — Passkeys — 15+ billion passkey-enabled accounts as of 2025
- FIDO Passkey Index 2025 — 93% vs 63% login success, 73% faster sign-in, 81% reduction in login-related help desk tickets
- Biometric Update — Shikiar at FIDO, February 2026 — 4+ billion passkeys actively in use
- ICAO — ePassport Basics — global ePassport deployment
- 1Kosmos — Top FIDO2 Passkey Solutions 2026 — passkeys + identity verification gap
- Hypr — State of Passwordless Identity Assurance 2026 — AI agents leaking credentials, passwordless adoption
- Nametag CEO at RSAC 2026 — account recovery as attack surface
- Medium — Architect's Guide to FIDO2 and Passkeys — Account Recovery Paradox
- HID Global — IAM Authentication 2026 — passwordless as baseline, identity-first security
IdentiGate provides the identity proofing layer that passkeys need — cryptographic human verification from biometric passports in around 180 countries, 90-second onboarding, zero personal data storage. Learn more at identigate.com
About the author
Gustav Poola is co-founder of IdentiGate. He focuses on the technical architecture of passport-chip identity verification, advanced electronic signature production under eIDAS, and the engineering of identity flows that survive regulator and auditor walk-back.