Authenticate 2025: Day 1 Recap

By FIDO staff

Authenticate 2025, the FIDO Alliance’s flagship conference, kicked off day one on strong footing as passkey adoption continues to grow.

The first day of Authenticate 2025 was loaded with insightful user stories, sessions on how to improve passkey adoption and technical sessions about the latest innovations.

Mastercard: Reimagining Online Checkout with Passkeys

Mastercard presented their ambitious vision to bring contactless payment-level security and convenience to online transactions through passkeys. The company is tackling three major e-commerce pain points: fraud from insecure authentication methods, cart abandonment and false declines of legitimate transactions. 

“There is no secret for this audience that one-time passwords are largely insecure and subject to phishing attacks,” Jonathan Grossar, Vice President of Product Management at Mastercard said. “So this is one big problem that we’re trying to address.”

Mastercard’s approach includes linking passkeys to payment card identities through bank KYC verification, adding device binding layers to meet regulatory requirements like PSD2, and ensuring banks retain control over authentication decisions even when Mastercard acts as the relying party on their behalf.

“When you have a passkey, that’s very easy, you can use it right away, and we see the conversion is just fantastic,” Gorssar said.

Passkey Mythbusters: Short Takes on Common Misunderstandings

As a relatively new technology, there are still a good deal of misunderstandings about passkeys.

In an engaging session led by Nishant Kaushik, CTO of the FIDO Alliance, Matthew Miller, Technical Lead at Cisco Duo and Tim Cappalli, Sr. Architect, Identity Standards at Okta debunked several key misconceptions about passkeys including:

Misconception #1 . Passkeys are stored in the cloud in the clear: The session clarified that passkeys are not stored in plain text. Reputable credential managers use strong end-to-end encryption, so even when passkeys are synced through the cloud, service providers cannot access the actual keys.

Misconception #2. Passkeys lock users into specific vendor ecosystems: The panel explained that new standards like the credential exchange protocol (CXP) and credential exchange format (CXF) enable secure transfer of passkeys between managers. 

Misconception #3. Phishing resistance depends solely on the relying party ID: Presenters emphasized that true phishing resistance comes from verifying the origin of authentication requests, not just matching the relying party ID. Proper server-side origin checks are essential for security.

Misconception #4 Cross-device passkey use enables remote attacks: The panel showed that cross-device authentication relies on proximity checks like Bluetooth, which prevent attackers from authenticating remotely even if they possess a QR code.

Misconception #5. Passkeys are not suitable for enterprise use: The panel highlighted that managed credential managers can offer strong policy control and high assurance for workforce applications, and that flexible management models fit both personal and enterprise contexts.

Misconception #6. Device management is always required for secure workforce passkeys: It was clarified that organizations can provide managed credential managers that enforce policies without requiring complete device management, allowing for greater flexibility.

Misconception #7. Passkeys cannot be used in mixed cloud and on-prem environments: The discussion explained that the right identity provider solutions and federation strategies can enable passkeys across a variety of application types.

What’s New in FIDO2: The New Features in WebAuthn and CTAP

There’s a lot going on with the underlying FIDO standards.

In his session, Nick Steele, Identity Architect at 1Password detailed the latest FIDO2, CTAP2.2 and WebAuthn updates. Steele explained how these new standards offer easier adoption, better security, and a smoother user experience for both enterprises and individuals.

Key technical improvements:

• Hybrid transport for flexible authenticator connections
• Signals API for better credential management
• Conditional passkey enrollment and improved autofill UI
• Stronger encryption and HMAC secret extension
• Broader support for smart cards and related origins

“We really want to increase the risk signalling and the trust that enterprises can get in a single go from a passkey,” Steele said.

Credential Exchange in the Wild

One of the key misconceptions about passkeys is that they lock users into a particular platform. 

Among the reasons why that’s not accurate is the Credential Exchange format effort which was detailed in a session led by Rene Leveille, Sr. Security Developer at 1Password.

Leveille explained how the credential exchange format is designed to help password managers understand and transfer numerous credential types, making it easier for users to migrate securely between different services. He highlighted how this format, paired with a secure protocol, is the foundation for cross-platform compatibility.

Leveille outlined recent progress, including the move from early drafts to a proposed industry standard in August 2025. He discussed how both Apple and Android platforms have introduced APIs that are paving the way for seamless transfers between apps. 

Emphasizing the importance of this work, Leveille stated, “It is an extremely easy way to migrate from one credential manager to another and it is secure.”

From the Trenches: eBay

Among the earliest adopters of passkeys is eBay, which has a long history with FIDO specifications.

Ilangovan Vairakkalai, Senior Member Technical Staff at eBay detailed his organization’s journey and how it has managed to increase adoption.

“Every percentage point we gain in Passkey adoption is another user freed from password frustration,” Vairakkalai said.

Passkey adoption among mobile and native app users has climbed to an impressive 55% to 60%, reflecting how intuitive, nearly invisible authentication is a win for users. Desktop adoption, while more modest at around 20%, is steadily rising as eBay continues to innovate and collaborate with browser and device makers. 

From the Trenches: Uber

Reducing user friction is a primary reason why Uber has embraced passkeys.

Ryan O’Laughlin, Senior Software Engineer at Uber Technologies detailed his organization’s journey to deploy passkeys as a secure and user-friendly login option across its global consumer platform. 

While there was some quick success there were also some early challenges. Despite passkeys offering faster and more secure logins compared to passwords, many users continued using traditional sign-in methods, raising concerns about adoption and the prevalence of phishing risks.

To address these challenges, Uber introduced usability improvements such as clearer entry points for passkey login and proactive prompts encouraging registration. Experiments showed that enrolling users right after account sign-up or login led to a marked increase in adoption.

The company also piloted features like selfie-based account recovery, aiming for secure, phishing-resistant options as part of its broader vision for a passwordless future.

“Passwords just don’t really work for our platform. People forget them,” O’Laughlin 

said. “There is a very realistic future where we don’t have password passwords at all.”

From the Trenches: BankID

In Norway, the BankID system has been around for over two decades, providing a uniform authentication system for the country’s citizens.

Heikki Henriksen, Technology Partnership Manager, Stø AS (BankID BankAxept in Norway) explained that the BankID system started off with hardware devices but in recent years has made a move to mobile, software based approaches.

BankID began moving to passkeys after most users had adopted the BankID app. The transition away from SMS-based authentication finished in 2023. Passkeys were introduced quietly—users were not told about the technical change but were moved to the stronger, phishing-resistant credentials through regular app updates.

“We never bothered talking about passkeys, we got over half of the Norwegian population to use passkeys without ever using the term passkey,” Henriksen said. “People don’t know what passkeys are. They don’t need to understand it either. So they just use Bank ID and for us technical people we know that passkeys are running the tech behind it.”

Keynotes: FIDO Alliance Details the Path Forward

A highlight of every Authenticate event is the keynote address from Andrew Shikiar, Executive Director of the FIDO Alliance.

As part of his Day One keynote, Shikiar detailed the past, present and future of the organization he leads and the standards it develops.

“Our internal estimates point to over 3 billion passkeys securing consumer accounts – actual passkeys in use,” he said. “That’s a massive number, 3 billion in less than three years time.”

Shikiar also revealed new data from a new report, the Passkey Index, which aims to help quantify the impact of the technology. Among the standout figures:

• An average 93% sign-in success rate using passkeys, which is more than double that achieved with other methods.
• A 73% decrease in login time when using passkeys.
• Up to an 81% reduction in login-related Help Desk incidents reported by some organizations.

No technology conversation in 2025 is complete without mention of AI and Shikiar didn’t disappoint. He noted that the FIDO Alliance is actively addressing agentic AI by launching targeted initiatives including the creation of a subgroup focused on agentic commerce, aiming to ensure secure authentication for human-authorized agents.

“We spent the past dozen years or so contemplating how to prevent bots from authenticating, and now we have to figure out how to enable them to authenticate,” he said.

Looking ahead, the need to eliminate knowledge-based recovery methods and improve user experience was stressed. Shikiar also talked about emerging efforts for digital credentialing, with FIDO Alliance developing foundational standards and certification programs to advance the digitization of identity documents and secure mobile credentials.

“We will create foundational specifications that are applicable to the market, building from CTAP to create a new protocol for cross device credential presentation, we’ll focus on enablement and usability,” Shikiar said.

Keynotes: Google Securing the Future of Account Management

Google’s Authenticate 2025 keynote focused on how account security and user experience are improving with the adoption of passkeys. 

With more than a billion users now signed into Google services using passkeys, it is clear these solutions are quickly moving into the mainstream. Chirag Desai, Product Manager at Google emphasized that passkeys make the sign-in process faster and easier for users and provide new opportunities for businesses looking to enhance safety and streamline account access.

“Just as the world moved from horses and carriages to cars and now even self-driving cars, we as an industry need to help our customers do the same thing,” Desai said. “We need to help make that transition from passwords to passkeys, with minimal friction.”

Beyond just passkeys for authentication Rohey Livne, Group Product Manager at Google addressed the critical role of digital credentials for account creation and recovery. These digital, device-bound documents offer stronger protection than emails or SMS, enabling selective disclosure and simplifying verification. They allow organizations to move beyond fragile legacy methods and create a fully secured account lifecycle.

“We’re not really solving account creation and account recovery with passkeys,” Livne said. “And so we are essentially trying to look at how the entire account lifecycle could be aided with digital credentials.”

Keynotes: Apple Details How to Get the Most Out of Passkeys

Apple is all in on passkeys. 

“Simply put, the world would be a better place if the default credential, the one that we all reached for first, was a passkey instead of a password,” Ricky Mondello, Principal Software Engineer at Apple said.

Mondello detailed multiple approaches that Apple is using to accelerate passkey adoption including:

• Account Creation API (iOS/Mac apps): Pre-fills user information (name, email/phone) to create new accounts with passkeys in one step, avoiding passwords entirely from the start.
• Automatic Passkey Upgrades: Seamlessly adds passkeys to existing password-based accounts without showing upsell screens when users sign in with their password manager. Already supported on Apple platforms and Chrome desktop.
• Prefer Immediately Available Credentials: Shows users their saved credentials (passwords or passkeys) when opening an app, eliminating the “which button do I press?” problem.

The most provocative message centered on security. Mondello argued that simply adding passkeys alongside passwords doesn’t deliver true phishing resistance. Organizations must plan to drop passwords entirely for accounts with passkeys.

“The hard truth is that to actually deliver the phishing resistance benefit to any given account, all phishable methods of signing in or recovering it need to be eliminated or otherwise mitigated,” Mondello said.

Get Ready for Day 2!

Day 2 will have even more great content across multiple tracks, with no shortage of user stories. Look for user stories from TikTok, Roblox, Microsoft, Docusign and many others, alongside technical insights for implementation.Not registered? Don’t miss out! Attend remotely and access all previous sessions on demand, and attend day 2 and 3 live via the remote attendee platform! See the full agenda and register now at authenticatecon.com.