By: FIDO Staff
Following on the information-packed day one, day two of Authenticate 2025 continued the trend.
Over the course of the day, users from across different geographic areas and industry verticals detailed their experiences with passkeys. Discussion on how passkeys fit into the payment ecosystem and the intersection with agentic AI were also hot topics of discussion across multiple sessions.
Keynotes: A Brief History of Strong Authentication
Christopher Harrell, Chief Technology Officer at Yubico, kicked off the morning keynote tracing the journey of authentication practices from basic shared secrets to the modern era.
Harrell outlined how early systems based on shared secrets and memorized passwords often failed due to human error and simplicity. Multi-factor authentication was introduced to address these gaps by layering security, but still relied heavily on passwords or similar secrets. He noted that the evolution of the market to passkeys eliminates the vulnerabilities of shared secrets and reduces the chance of phishing, making access both safer and easier for users.
“Shared secrets were never meant for the internet, we need authentication that protects you without making you remember more,” Harrell said.
Keynotes: Passkey Adoption in the UK
The United Kingdom (UK) has taken a big leap into passkey, embracing its usage at the national level.
Darren Hutton, Identity Advisor for NHS England and Pelin Demir, UX Designer for NHS Login, detailed the adoption path and success of passkeys in the UK. The presenters shared how NHS Login serves as a nation-level identity provider for healthcare access, reaching almost the entire adult population. They discussed the evolution from passwords and OTPs to introducing passkeys. The move aimed to improve both security and accessibility for all users.
Insights from their user research revealed that although over three million users adopted passkeys within months, there were challenges. These included inconsistent user interfaces, confusion around technical terms, and accessibility barriers for screen reader users. The team found that clear guidance and familiar wording were critical to increasing adoption.
“Passkeys, is a beautiful balance of technology that brings security and usability together to create a really good service,” Hutton said.
Leaders from the National Cyber Security Center (NCSC) in the UK detailed the strong imperative to move to passkey, noting that the majority of cyber harm to UK citizens happened through abuse of legitimate credentials.
Keynote: Visa Details Payment Passkey Efforts
Ben Aquilino,VP, Global Head of Visa Payment Passkeys and Digital Identity at Visa explored the evolution of digital payment security from the earliest days of online commerce to the present.
Aquilino used the history of Pizza Hut’s first online order in 1994 as a gateway to highlight how payment experiences have changed due to rising concerns over fraud, describing how simple early processes became more complex to counter increasingly sophisticated threats.
A significant portion of the session focused on the technological advancements used to combat payment fraud.
Visa’s recent efforts to innovate further by launching Visa Payment Passkeys. This new approach leverages passkeys and biometrics for payment authentication, aiming to offer better protection along with a seamless user experience
“Authentication doesn’t have to be a compromise between security and convenience; it can have both,” Aquilino said.
Keynote Panel: Quantifying Passkey Benefits from Early Adopters
In a keynote panel session led by FIDO Alliance Executive Director Andrew Shikiar, industry leaders from PayPal, NTT DOCOMO and Liminal explored the ongoing shift in the authentication landscape.
Koichi Moriyama, Chief Security Architect at NTT DOCOMO and Rakan Khalid, Head of Product, Identity at PayPal, recounted the journey from initial pilots to broader adoption, detailing technical evolution and lessons learned. Khalid emphasized the impact of evolving authentication standards on customer experience, while Moriyama described Docomo’s commitment to ecosystem-wide security improvements.
A recurring message throughout was the proven effectiveness and industry momentum behind passkey authentication. Survey data from Liminal revealed that most decision-makers now rank passkeys as their top priority for authentication investments.
“The big surprise in the survey was that passkeys really have moved from pilot to priority,” Filip Verley, Chief Innovation Officer at Liminal said. “We’re seeing huge adoption and nearly every adopter is very satisfied.”
Both PayPal and Docomo shared that organizational and customer metrics improved after moving away from passwords, including increased sign-in success and reduced account takeovers.
“When customers use passkey, we see about a 10-point increase in sign-in success rate over a traditional multi factor authentication.” Khalid said.
From the Trenches: Shipping Passkeys for Hundreds of Millions of users at TikTok
TikTok’s session offered a comprehensive look at its journey to implement passkeys as a login method for hundreds of millions of users.
The team faced the challenge of introducing passkeys in a way that would not disrupt the user experience. TikTok chose to promote passkeys through a campaign on user profile pages, leading to high engagement rates and a marked increase in adoption. Most users who set up passkeys did so thanks to the visibility and education presented within the app.
Passkey login was not only made the default for users who had enabled it, but TikTok also streamlined the signup process.
“Overall, it has been a great journey with Passkeys and TikTok,” Yingran Xu, Software Engineer at TikTok said. “Passkey remains one of the authentication methods with the highest success rate and fastest login experience.”
From the Trenches: Lessons Learned from Roblox’s Passkey Deployment
Roblox’s effort to deploy passkeys across its platform is a response to the complex security needs of a massive and diverse user base.
With more than half of Roblox users under 13, the challenge was to design an authentication system that is easy for children while still robust enough for professionals handling accounts with significant financial stakes. The team aimed to make access secure and simple without passwords, reducing both user frustration and customer support issues tied to account recovery.
Through a phased rollout that began with passkeys in user settings and later added passkey options during account sign-up, Roblox has shown measurable progress. Eighteen percent of active users have adopted passkeys, which led to greater engagement and higher login success rates. Experiments with the user interface revealed that highlighting passkeys at pivotal moments, such as account recovery, can drive adoption as long as users are guided clearly and are not forced through abrupt changes.
Ongoing improvements focus on making passkeys easier to use and more accessible, especially as many Roblox players move between multiple device types. An adaptive login flow led to more passkey logins and fewer users defaulting to traditional passwords. There are also new protections for top game creators, who are frequent phishing targets, ensuring only secure login methods are available for valuable accounts.
“Our vision is that all Roblox users should have secure and accessible accounts without passwords, powered by passkeys,” Yuki Bian, Product Manager at Roblox said.
From the Trenches: Using Windows Hello to Enable Passkeys for SSO
Single Sign-On (SSO) is a common approach enabling users in enterprise environments to use a single credential to get access to multiple applications.
In a deep dive session, Amandeep Nagra, Sr. Director, Identity and Access Management at Crowdstrike detailed how Windows Hello for Business was implemented as a passkey solution for seamless Single Sign-On across enterprise devices. By turning device logins into trusted passkeys, users no longer needed to remember passwords or manage separate app authentications.
The solution involves generating a device-level PRT token using Windows Hello for Business pins, which enables SSO across various apps. The project saved 78,000 hours of work annually,
“We turned the device login into your passkey—one sign-in, access to everything,” Nagra said.
From the Trenches: Modernizing Authentication with True Passwordless at Docusign
DocuSign is a leading provider of electronic agreement solutions that help individuals and businesses sign documents and manage contracts online. Security and identity verification are critical to its platform, as users rely on DocuSign to complete transactions that often involve sensitive or high-value documents, such as home purchases, business contracts, and legal agreements.
To meet rising threats and user demand for easier, safer access, DocuSign is working to make passwordless authentication the default experience.
The company’s authentication team has introduced passkeys, enabled biometrics, and streamlined account recovery methods. Their goal is to give users secure, reliable, and effortless ways to verify identity, whether that’s logging in to review paperwork or using a mobile device to approve a high-stakes deal.
Yuheng Huang, Engineering Manager at Docusign noted that the login success rate for passkeys on DocuSign is 99%. In contrast, the password login success rate is only 76%.
Going beyond just authentication Dina Zheng, Product Manager at Docusign explained that DocuSign is using a passkey with the company’s identity wallet.
“By combining capabilities with identity wallet, we’ve created a fully frictionless experience, secure enough for identity verification, yet simple enough that users barely notice the authentication step at all,” Zheng said. “This is a perfect example of how passkeys can go beyond just authentication. They’re becoming an enabler of trusted high assurance workflows across Docusign.”
Panel: Industry Perspectives on Securing Agent-Based Authentication
With the emergence of agentic AI, there are new concerns and challenges about how to secure and authenticate agents.
A panel with Lee Campbell, Identity and Authentication Lead, Android at Google, Rakan Khalid, Head of Product, Identity at PayPal and Reid Erickson, Product Management, Network API at T-Mobile that was moderated by Eran Haggiag, CEO at Glide Identity, discussed the challenges of trust and security in agent-based authentication.
Key points included the need for phishing-resistant authentication methods like passkeys and verifiable credentials to ensure user intent and prevent fraud. The discussion highlighted the importance of standardization, context-aware authentication, and human-in-the-loop verification to mitigate risks.
“There’s lots of work going on, lots of companies are involved, lots of standards bodies involved with every single standards body out there today having some agentic group,” Campbell said. “Everybody’s talking about it, and one of the challenges is getting everyone and all the right players in the same room to have these conversations. And I think FIDO is actually quite a good place to do this.”
The Big Finale is Coming on Day 3!
While the first two days of Authenticate 2025 were stacked top to bottom with insightful sessions, Day 3 will deliver even more content.
With even more users stories coming, discussion on verifiable digital credentials and digital trust Day 3 will not disappoint.
Not registered? Don’t miss out! Attend remotely and access all previous sessions on demand, and attend day 3 live via the remote attendee platform! See the full agenda and register.
