If someone told you at the start of 2025 that by the end of it nearly 70% of users would have at least one passkey, you might have been skeptical. But here we are. 2025 wasn't just another year of incremental progress in the identity space. Regulatory mandates, technology maturity, and real-world adoption all converged.
Let's walk through what actually happened in the identity and authentication space this year, from government mandates that reshaped authentication strategies to the technology breakthroughs that made passwordless authentication viable at scale.
Governments worldwide banning SMS OTP
2025 was the year regulators worldwide said SMS OTP isn’t "good enough" for two-factor authentication.
The UAE led the charge. In June, the Central Bank issued a directive requiring all licensed financial institutions to eliminate SMS and email OTPs by March 2026. Banks began the transition in July, and by the end of 2025, major institutions like Emirates NBD, ADIB, and FAB had already moved customers to app-based authentication using biometrics and passkeys.
The numbers driving this weren't theoretical. Over 40,000 people were scammed in the UAE in 2023 alone, losing an average of $2,194 each. Fraud jumped 43% year over year, with phished or socially engineered SMS OTPs as the primary attack vector.
India followed suit in September. The Reserve Bank of India announced new authentication rules effective April 1, 2026, signaling a move away from OTP-based authentication for digital payments. Given India's massive digital payments ecosystem, this mandate will affect hundreds of millions of users.
The Philippines made it official. In June, the Bangko Sentral ng Pilipinas issued Circular No. 1213, directly instructing banks to "limit the use of authentication mechanisms that can be shared with, or intercepted by, third parties unrelated to the transaction." Translation: stop using SMS and email OTPs. The deadline? June 2026.
Even the U.S. joined in. The USPTO discontinued SMS authentication on May 1, 2025. FINRA followed in July. The FBI and CISA both issued warnings against SMS for authentication, and the trend became clear. SMS OTP was officially on its way out.
NIST elevates phishing-resistant authentication in digital identity guidelines
In July 2025, NIST published the final version of SP 800-63-4, and it represented a fundamental shift in how the U.S. government (and by extension, many enterprises) approach authentication.
The key changes were significant. At AAL2 (multi-factor authentication), verifiers must now offer at least one phishing-resistant option. Not "should" or "may": must. AAL3 requires phishing-resistant authenticators with non-exportable private keys, so hardware-backed security becomes the baseline for high-assurance scenarios. And syncable passkeys now qualify as AAL2 authenticators. This was huge, because it meant passkeys stored in iCloud Keychain, Google Password Manager, or similar services were officially recognized as legitimate strong authentication. The practical caveat is that a synced passkey is, by definition, not a non-exportable key, so it stops at AAL2. A relying party that needs to tell the two apart can read the backup-eligible (BE) and backup-state (BS) flags the authenticator returns at registration.
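To make the AAL2/AAL3 distinction concrete, here is an added example of the relying-party check just described. It is not Authsignal's code and not text from SP 800-63-4: it parses the WebAuthn authenticator data returned at registration, verifies the RP ID hash, reads the UV, BE and BS flags, and maps the result onto a tier. The tier labels and the sample authenticator data are this example's own constructions, and confirming that a device-bound key is actually hardware-backed still needs attestation, which the example does not perform.

```python
"""Classify a WebAuthn registration by its authenticator-data flags.

Added example: not Authsignal's code and not text from SP 800-63-4. The flag
layout follows the WebAuthn authenticator data format; the tier mapping and
the sample data are this example's own.
"""
import hashlib
import struct

# Bits of the flags byte in WebAuthn authenticator data.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN or biometric: the second factor)
FLAG_BE = 0x08  # backup eligible: the private key may be synced
FLAG_BS = 0x10  # backup state: the private key is currently backed up
FLAG_AT = 0x40  # attested credential data follows the header
FLAG_ED = 0x80  # extension data present (not handled here)


def parse_authenticator_data(data: bytes) -> dict:
    """Parse the 37-byte header and, when AT is set, the attested credential data.

    The COSE public key after the credential ID is CBOR; it is returned raw
    because decoding it is out of scope for this example.
    """
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    parsed = {
        "rp_id_hash": data[:32],
        "flags": data[32],
        "sign_count": struct.unpack(">I", data[33:37])[0],
    }
    if parsed["flags"] & FLAG_AT:
        if len(data) < 55:
            raise ValueError("attested credential data truncated")
        parsed["aaguid"] = data[37:53]
        cred_len = struct.unpack(">H", data[53:55])[0]
        cred_id = data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential ID truncated")
        parsed["credential_id"] = cred_id
        parsed["cose_key_raw"] = data[55 + cred_len:]
    return parsed


def classify_credential(data: bytes, rp_id: str) -> dict:
    """Verify the RP ID hash and derive the policy-relevant properties."""
    parsed = parse_authenticator_data(data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    flags = parsed["flags"]
    backup_eligible = bool(flags & FLAG_BE)
    backed_up = bool(flags & FLAG_BS)
    if backed_up and not backup_eligible:
        raise ValueError("BS set without BE is not a valid flag combination")
    user_verified = bool(flags & FLAG_UV)
    # Policy mapping (this example's own reading, not standard text):
    # no UV  -> a single factor, whatever the key storage;
    # BE set -> the key is exportable by design, so AAL2 is the ceiling;
    # BE clear and UV set -> device-bound, a candidate for an AAL3 tier,
    # subject to attestation proving hardware backing (not done here).
    if not user_verified:
        tier = "single-factor"
    elif backup_eligible:
        tier = "AAL2"
    else:
        tier = "AAL3-candidate"
    return {
        "credential_id": parsed.get("credential_id"),
        "user_verified": user_verified,
        "backup_eligible": backup_eligible,
        "backed_up": backed_up,
        "tier": tier,
    }


def build_sample(rp_id: str, flags: int, cred_id: bytes) -> bytes:
    """Construct authenticator data for the demo; not output of a real authenticator."""
    header = hashlib.sha256(rp_id.encode()).digest()
    header += bytes([flags | FLAG_AT]) + struct.pack(">I", 0)  # sign count 0
    attested = bytes(16)  # all-zero AAGUID (placeholder)
    attested += struct.pack(">H", len(cred_id)) + cred_id
    attested += bytes.fromhex("a5010203262001")  # placeholder bytes for the COSE key
    return header + attested


if __name__ == "__main__":
    synced = build_sample("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, b"\x01" * 16)
    bound = build_sample("example.com", FLAG_UP | FLAG_UV, b"\x02" * 16)
    print(classify_credential(synced, "example.com")["tier"])  # AAL2
    print(classify_credential(bound, "example.com")["tier"])   # AAL3-candidate
```

The point of the BS-without-BE check is that the two flags are not independent: an authenticator reporting a credential as backed up but not backup-eligible is sending something malformed, and a verifier should reject it rather than guess. Note too that the tier is decided at registration; an RP that later allows the same credential to be synced (BS flipping from 0 to 1 on a subsequent assertion) should re-evaluate rather than trust the stored tier forever.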
NIST also shifted from checklist-based compliance to a risk-based Digital Identity Risk Management (DIRM) framework. Organizations now need to continuously evaluate threats and adjust authentication requirements dynamically.
This wasn't just a U.S. thing. NIST guidelines influence security standards globally. When NIST says phishing-resistant MFA is the baseline, CISOs worldwide take note.
For us at Authsignal, this aligned perfectly with the architecture we'd been building. Adaptive, risk-based authentication with native passkey support and the flexibility to step up security based on actual risk signals, not just static rules.
Apple WWDC removes the last barriers to passkey adoption
Apple unveiled five major passkey improvements for iOS 26, iPadOS 26, macOS 26, and visionOS 26 that addressed the biggest barriers to passkey adoption.
First, the new account creation API. Users can now sign up with passkeys from day one. Instead of lengthy forms, they see a clean, pre-filled sheet with suggested defaults. One tap, Face ID confirmation, and they're registered with a passkey. No password ever created.
Second, automatic passkey upgrades. The biggest adoption challenge wasn't technical capability, it was migrating existing users. Apple addressed this by letting a site opt into WebAuthn conditional registration, so a passkey can be created automatically in the background when a user signs in with a password and the credential manager decides it is safe to do so. Zero friction. No extra steps.
Third, signal APIs. When account information changes (an email address or display name is updated, or a passkey is revoked server-side), apps can now immediately tell the credential manager which credentials are still accepted and what the current user details are. This stops stale passkeys from being offered at sign-in and prevents authentication failures caused by outdated records.
Fourth, passkey management endpoints. Direct links from credential managers to passkey enrollment pages, making it easier for users to discover and adopt passkeys.
Fifth, secure import and export. Users can move their passkeys between different credential managers using the FIDO Alliance's credential exchange format, reducing platform lock-in concerns.
The statistics Apple shared were compelling. On every metric Apple reported, passkeys beat passwords: higher success rates, better security, improved user experience. The missing piece had been adoption friction, and these updates directly addressed those challenges.
The passkey adoption numbers
On May 1, 2025, the FIDO Alliance celebrated World Passkey Day by releasing research that showed just how far passkeys had come.
69% of users now have at least one passkey, up from 39% of users who were even aware of passkeys just two years prior. 48% of the top 100 websites now support passkeys, more than double the number from 2022. Passkeys achieve a 93% login success rate compared to 63% for traditional authentication methods. And once consumers adopt at least one passkey, 1 in 4 enables passkeys whenever possible.
Google reported that passkey sign-ins are four times more successful than passwords. TikTok saw a 97% success rate with passkey authentication. These aren't theoretical improvements, they're real-world results.
The business case became impossible to ignore. 47% of consumers will abandon a purchase if they forget their password. That's an actual revenue miss.
Credential stuffing attacks have become scary good
While passkeys were gaining ground, the threats that made them necessary were also evolving.
Credential stuffing attacks became significantly more sophisticated in 2025. According to Verizon's 2025 Data Breach Investigations Report, compromised credentials were the initial access vector in 22% of breaches. Analysing SSO provider logs, the report found that on a median day, credential stuffing accounted for 19% of all authentication attempts.
Let that sink in. Nearly one in five login attempts is an attack.
The attacks got smarter too. AI agents now optimize credential selection, adapt login flows, and predict which accounts are most likely to reuse passwords. Attackers use residential proxies, rotate IP addresses, and mimic real user behavior to evade detection.
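As an added example of the detection side (not Authsignal's rules engine and not from the DBIR), the following scores authentication log lines for the two signals that survive IP rotation and residential proxies: one source spraying many usernames, and one username being tried from many sources. The log format, the thresholds and the sample log lines are constructed for the demo; the second signal is there precisely because per-IP rate limiting never fires when each rotating proxy makes a single attempt.

```python
"""Score authentication log lines for credential-stuffing patterns.

Added example: not Authsignal's rules engine and not from the Verizon DBIR.
The log format, thresholds and sample lines are this example's own.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log: "<ISO-8601 UTC timestamp> <source IP> <username> <OK|FAIL>".
SAMPLE_LOG = """\
2025-06-01T10:00:01Z 203.0.113.10 alice FAIL
2025-06-01T10:00:02Z 203.0.113.10 bob FAIL
2025-06-01T10:00:03Z 203.0.113.10 carol FAIL
2025-06-01T10:00:04Z 203.0.113.10 dave FAIL
2025-06-01T10:00:05Z 203.0.113.10 erin FAIL
2025-06-01T10:00:06Z 203.0.113.10 frank OK
2025-06-01T10:00:07Z 203.0.113.10 grace FAIL
2025-06-01T10:00:08Z 203.0.113.10 heidi FAIL
2025-06-01T10:01:00Z 198.51.100.1 victim FAIL
2025-06-01T10:01:10Z 198.51.100.2 victim FAIL
2025-06-01T10:01:20Z 198.51.100.3 victim FAIL
2025-06-01T10:01:30Z 198.51.100.4 victim FAIL
2025-06-01T10:01:40Z 198.51.100.5 victim FAIL
2025-06-01T10:01:50Z 198.51.100.6 victim FAIL
2025-06-01T10:02:00Z 198.51.100.7 victim OK
2025-06-01T10:03:00Z 192.0.2.5 alice OK
2025-06-01T10:03:30Z 192.0.2.6 bob FAIL
2025-06-01T10:03:45Z 192.0.2.6 bob OK
2025-06-01T10:04:00Z 192.0.2.7 carol OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")
WINDOW_SECONDS = 600   # tumbling 10-minute windows
MIN_FANOUT = 5         # distinct usernames per source, or sources per username
MIN_FAIL_RATIO = 0.7   # stuffing lists mostly miss; a few hits are expected


def parse_log(text: str) -> list:
    """Turn log lines into events; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "src": m.group(2), "user": m.group(3), "ok": m.group(4) == "OK"})
    return events


def _fanout_flags(groups: dict, distinct_field: str) -> dict:
    """Flag a group that fans out to >= MIN_FANOUT distinct values and mostly fails."""
    flagged = {}
    for (_window, key), evs in groups.items():
        distinct = {e[distinct_field] for e in evs}
        fails = sum(1 for e in evs if not e["ok"])
        if len(distinct) >= MIN_FANOUT and fails / len(evs) >= MIN_FAIL_RATIO:
            flagged[key] = {
                "attempts": len(evs),
                "fails": fails,
                "distinct": len(distinct),
                # Successes inside an attack pattern are the accounts (or the
                # source IPs) to act on first: force a reset, revoke sessions.
                "hits": sorted(e[distinct_field] for e in evs if e["ok"]),
            }
    return flagged


def detect_stuffing(events: list) -> dict:
    by_src, by_user = defaultdict(list), defaultdict(list)
    for e in events:
        window = int(e["ts"].timestamp()) // WINDOW_SECONDS
        by_src[(window, e["src"])].append(e)
        by_user[(window, e["user"])].append(e)
    # Signal 1: one source trying many usernames (classic list replay).
    sources = _fanout_flags(by_src, distinct_field="user")
    # Signal 2: one username tried from many sources (rotating proxies);
    # each source makes one attempt, so per-IP rate limits never fire.
    users = _fanout_flags(by_user, distinct_field="src")
    attack = [e for e in events if e["src"] in sources or e["user"] in users]
    share = round(len(attack) / len(events), 3) if events else 0.0
    return {"sources": sources, "users": users, "attack_share": share}


def run_demo() -> dict:
    return detect_stuffing(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    report = run_demo()
    for src, info in report["sources"].items():
        print(f"stuffing source {src}: {info}")
    for user, info in report["users"].items():
        print(f"distributed stuffing against {user}: {info}")
    print(f"share of attempts attributable to stuffing: {report['attack_share']:.0%}")
```

Two things worth noticing in the output: the single successful login from 203.0.113.10 (the "frank" hit) is the one that matters for incident response, since it is a reused password that the attacker now holds; and none of the 198.51.100.x sources is flagged on its own, which is exactly why a per-username view is needed alongside the per-source one. Real deployments would add device and geography signals and tune the thresholds per tenant; the structure of the check stays the same.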
The research showed that 35% of users had at least one account compromised due to password vulnerabilities in 2025. The problem isn't that users are careless, it's that passwords are fundamentally broken as an authentication mechanism.
The defense evolved too. Behavioral biometrics emerged as a critical defense layer. By analyzing typing patterns, mouse movements, and navigation behavior, systems can now distinguish between legitimate users and automated attacks. Bots can steal credentials and rotate IPs cheaply, but reproducing a specific user's typing cadence and pointer dynamics is far more expensive, which raises the cost of every attempt rather than just blocking a list of addresses.
At Authsignal, we've built adaptive MFA that evaluates risk factors like device type, user behavior, login frequency, and historical access locations. Anomalous login attempts trigger additional verification dynamically, not statically. Combined with our AI assistant for the rules engine, teams can now understand complex rule logic in plain English, debug faster with rule backtesting, and fine-tune authentication policies without writing code.
The credential stuffing protection market is projected to reach $6 billion by 2033, growing at 15% CAGR. Organizations are finally realizing that rate limiting and CAPTCHAs aren't enough. You need adaptive authentication, behavioral analysis, and ultimately, elimination of passwords altogether.
Industry recognition and enterprise validation
In September, Authsignal was recognized by KuppingerCole as a Rising Star in Consumer Identity and Access Management (CIAM) and Passwordless Authentication. From their report: "Authsignal is an emerging vendor in passwordless authentication, offering an API-driven, modular authentication service that integrates effortlessly with existing IDPs."
This recognition mattered because it validated the architectural approach we've been advocating. You don't need to rip and replace your entire identity stack to implement modern authentication. Our API-driven, modular approach lets organizations add passkeys, adaptive MFA, and risk-based authentication to their existing systems without major architectural changes.
We also became an AWS-certified partner and passed the AWS Well-Architected Framework Review (WAFR) for our Cognito integration. For organizations building on AWS, this means they can implement passwordless authentication with confidence in the underlying architecture.
In October, we announced our partnership with ServiceNow, launching native passkey authentication for Contact Center workflows. Customer support teams can now verify callers using passkeys, push notifications, WhatsApp OTP, and biometric authentication directly within the ServiceNow platform. Call center authentication has historically been a weak point, relying on knowledge-based questions whose answers are easy to research or socially engineer. This integration brings modern authentication to a space that desperately needed it.
Market maturity signals real change
The passwordless authentication market reached $24.1 billion in 2025 and is projected to grow at 18.24% CAGR to reach $55.7 billion by 2030.
Major enterprises across financial services, healthcare, and hospitality deployed passkeys at scale. Banks like Revolut led the way, governments in Australia and New Zealand made passkeys available to nearly 30 million people across the region, and the European Union launched the EU Digital Identity Wallet framework with €46 million in pilot funding.
The FIDO Alliance expanded beyond passkeys, launching a new Digital Credentials Working Group in December to work on verifiable digital credentials and identity wallets. They're also bringing their Authenticate conference to Asia-Pacific in June 2026, recognizing the tremendous innovation happening in the region.
This is what market maturity looks like. Standards bodies expanding their scope, major enterprises deploying at scale, regulatory frameworks aligning globally, and the infrastructure becoming universally available.
What organizations need to do in 2026
Multiple regulatory deadlines are approaching fast. UAE has a deadline of March 31, 2026. India follows on April 1, 2026. The Philippines must comply by June 2026. And the EU Digital Identity Wallet rollout happens by the end of 2026.
Organizations that haven't started their transition away from SMS OTP and towards phishing-resistant authentication are running out of time.
Passkeys achieve 93% login success rates. The infrastructure exists across devices and platforms. The user experience is actually better than what we're replacing. If you're wondering what a passkey is and how passkeys work, we've created comprehensive guides to help. We've also covered specific implementation scenarios, like implementing passkeys for step-up authentication and understanding our actions & rules framework for contextual, risk-based authentication.
At Authsignal, we've spent 2025 helping organizations navigate these transitions. We've published guides on regulatory changes, built tools to make implementation straightforward, and processed millions of passkey transactions to validate that this works at scale.
Passwords aren't gone yet, but their decline is evident. The regulatory mandates are in place. The technology has matured. The users are ready. The organizations that move now will be positioned as leaders. The ones that wait will be scrambling to meet compliance deadlines.