Passkeys vs verified identity: the gap in passwordless authentication

Passkeys are everywhere right now, and the hype is well-deserved. They’re paswordless, phishing resistant, and deliver seamless login experiences. Major platforms from Apple to Google are racing to implement them. But if you're planning your organisation's passwordless strategy, there's a critical distinction you need to understand: passkeys authenticate devices, not people. And the moment you move beyond basic login, that difference can become expensive.

What passkeys do well

Here’s what passkeys get right:

• Phishing resistance: cryptographic authentication prevents credential theft
• Reduced support costs: password resets are a thing of the past
• Fast, frictionless login: typically under 5 seconds
• Improved user experience: biometric unlock feels effortless

For low-risk scenarios and consumer-facing applications, these benefits are substantial. Passkeys represent genuine progress over traditional passwords. But they only solve part of the authentication challenge.

The critical gap: authentication vs identity

To properly evaluate paswordless solutions, you have to distinguish between authentication and identiy verification:

Passkeys excel at authentication. They cryptographically prove that someone controls a specific device. But they don't – and can't – verify the identity behind that device. This isn't a technical limitation to be fixed in the next version but a fundamental design characteristic.

Why this matters

To be fair, the identity gap doesn't matter for every use case. But it surfaces quickly in scenarios that define most enterprise and regulated environments:

• Regulatory compliance: Financial services, healthcare, insurance, and government workflows require identity assurance that meets legal standards like eIDAS High. Passkeys don't satisfy these requirements because they lack verified identity claims.
• High-value transactions: When transaction risk increases – approving payments, modifying account access, sharing sensitive data – you need more than just device authentication. You need confirmed identity assurance.
• Step-up authentication: Risk-based flows require the ability to escalate verification as context demands it. A passkey alone can't provide identity assurance because it carries no identity claims to begin with.
• Account recovery: Passkeys are tied to devices. When a user loses access to their device, how do you re-establish their identity securely? Without an identity anchor, recovery becomes a complex trade-off between security and user experience.

These aren't edge cases. They represent the majority of real-world authentication needs in organisations handling sensitive operations.

What a complete solution looks like

You don't need to completely abandon passkeys. You just need to know where they fit into your broader identity strategy. A comprehensive passwordless approach requires verified mobile identity at its foundation. This means: a one-time identity verification that confirms a person's legal identity through regulated processes, then securely reuses that verified identity across your entire customer journey.

This approach delivers what passkeys alone cannot:

• Legal identity assurance that meets eIDAS High and equivalent standards
• Reusable identity claims for login, onboarding, transactions, and digital signing
• Built-in compliance by design, not as an afterthought
• Simplified risk management with cryptographically verified identity backing every interaction
• Seamless recovery flows anchored to verified identity, not just device possession

The user experience remains frictionless, but is now backed by genuine identity assurance.

Choosing the right approach

Passkeys have an important role to play. They're excellent for:

• Consumer-facing applications with low risk profiles
• Reducing password-related support costs
• Improving UX for public-facing services
• Secondary authentication alongside verified identity

However, they're insufficient for:

• Regulated industries requiring identity assurance
• High-value or sensitive transactions
• Workflows requiring legal signatures or consent
• Any scenario where "Who is this person?" matters as much as "Can they log in?"

Building your passwordless strategy

The path forward isn't choosing between security and convenience. It's understanding that authentication without identity verification creates risk and friction downstream.

A complete passwordless strategy starts with these questions:

1. Do we operate in a regulated environment requiring identity assurance?
2. Do we handle transactions or data that require verified identity?
3. What happens when users need to recover access or prove who they are?
4. How do we handle step-up authentication for high-risk actions?

If any of these apply to your organisation, you need a verified mobile identity platform that provides cryptographic identity assurance from the start.