NullSec.news// Cyber news for anyone

Beyond Adoption: The Infrastructure Upgrades Making Passkeys and AI Agent Authentication Production-Ready

While passkey adoption has crossed the mainstream threshold, the harder engineering work is now underway: portable credentials, standardized wallet certification, and cryptographic delegation chains for AI agent transactions. A wave of specification updates and new board appointments signals the ecosystem is solving the interoperability and governance problems that will determine whether passwordless authentication scales durably.


The Passkey Story Has Shifted From Adoption to Plumbing

With over 4 billion passkeys in active use [1] and major platforms defaulting to passwordless sign-in, the headline narrative around passkeys - can they replace passwords? - is largely settled. The harder, less visible work now is infrastructure: making passkeys portable, extending cryptographic authentication to AI agents, and building certification frameworks for the digital wallets that will store far more than login credentials.

A cluster of specification updates and governance changes published through the FIDO Alliance in April 2026 targets exactly these problems. None are individually dramatic. Together, they represent the engineering maturation that separates a promising technology from durable infrastructure.

Credential Exchange: Solving the Portability Problem

One of the most persistent criticisms of passkeys has been vendor lock-in. A passkey created in Apple's iCloud Keychain could not be transferred to a Google or third-party password manager, and vice versa. The Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF), currently in working draft at the FIDO Alliance, aim to resolve this. [2]

CXP defines a secure channel for transferring passkeys between credential providers, while CXF standardizes the encrypted format for passkey export and import - replacing the insecure CSV-based transfers that credential managers have relied on for passwords. [2] The specifications use encryption by default, ensuring credentials are never transferred in plaintext. Password managers including 1Password have publicly signaled support. [3]

For enterprises, this is consequential. Organizations deploying passkeys at scale need assurance that employees can migrate credentials during provider transitions without re-enrollment. Without CXP/CXF, every provider switch means starting over.

Mastercard's Verifiable Intent: Authenticating the Action, Not Just the User

While FIDO focuses on authenticating who a user is, Mastercard's Verifiable Intent (VI) standard addresses a different question: did an AI agent do what the user told it to do?

Verifiable Intent defines a layered SD-JWT (Selective Disclosure JSON Web Token) credential format that creates a tamper-evident chain binding an AI agent's commercial actions to a user's explicitly stated purchase intent. [4] The specification, published as a v0.1 draft on GitHub, is open to multi-stakeholder contribution. [5] Google, IBM, Fiserv, and Checkout.com have signed on as initial backers. [4]

The architecture uses four distinct layers, each building cryptographic proof on the last:

The specification supports two execution modes: an "immediate" mode where the user is present and signs final checkout values, and a "delegated" mode where the agent operates autonomously within pre-authorized scope. [5] The delegated mode is where the security challenge concentrates - the agent must prove it stayed within bounds, and the merchant must verify that proof before completing the transaction.
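An added illustration of the delegated-mode check described above, not code from the Verifiable Intent specification or from Mastercard: it uses the generic SD-JWT disclosure mechanism (salted disclosures committed to by SHA-256 digests in `_sd`) and assumes the signature over the payload has already been verified. The claim names `merchant`, `currency` and `max_amount`, the function names and the sample values are hypothetical.

```python
import base64, hashlib, json, secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_disclosure(name, value) -> str:
    """SD-JWT disclosure: base64url(JSON [salt, claim name, claim value])."""
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value]).encode("utf-8"))

def digest(disclosure: str) -> str:
    """Digest stored in the signed payload's _sd array (SHA-256 over the ASCII disclosure)."""
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())

def open_disclosures(payload: dict, disclosures: list) -> dict:
    """Return disclosed claims; reject any disclosure the signed payload did not commit to."""
    if payload.get("_sd_alg", "sha-256") != "sha-256":
        raise ValueError("unsupported _sd_alg")
    committed = set(payload.get("_sd", []))
    claims = {}
    for d in disclosures:
        if digest(d) not in committed:
            raise ValueError("disclosure does not match any signed digest")
        padded = d + "=" * (-len(d) % 4)
        _salt, name, value = json.loads(base64.urlsafe_b64decode(padded))
        claims[name] = value
    return claims

def within_mandate(payload: dict, disclosures: list, checkout: dict) -> bool:
    """Merchant-side check: does the agent's checkout stay inside the disclosed limits?"""
    try:
        claims = open_disclosures(payload, disclosures)
    except ValueError:
        return False
    # Fail closed: a withheld or malformed limit means the checkout is refused.
    return (checkout["merchant"] == claims.get("merchant")
            and checkout["currency"] == claims.get("currency")
            and isinstance(claims.get("max_amount"), int)
            and 0 < checkout["amount"] <= claims["max_amount"])

# Constructed sample (hypothetical claim names; amounts in cents).
D = [make_disclosure("merchant", "shop.example"),
     make_disclosure("currency", "USD"),
     make_disclosure("max_amount", 5000)]
PAYLOAD = {"_sd_alg": "sha-256", "_sd": sorted(digest(d) for d in D)}
```

Because the limits are bound to the signed payload only through their digests, an agent cannot raise `max_amount` by substituting its own disclosure, and withholding the limit causes the check to refuse rather than pass.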

This is not a FIDO specification, but it operates in the same trust ecosystem. Where FIDO authenticates the human, VI authenticates the delegation chain from human to agent to action. Together, they address the full lifecycle of a transaction initiated by an AI agent on a user's behalf.

SK Telecom and the Mobile Carrier Dimension

SK Telecom has been appointed to the FIDO Alliance Board of Directors, making it one of the first major mobile network operators to take a governance role in the passwordless standards body. [6] The appointment, made at the FIDO Alliance general assembly in Paris, adds a telecom perspective to a board that already includes Apple, Google, Microsoft, Amazon, and Meta. [6]

The significance is structural. Mobile operators control the SIM infrastructure, device provisioning pipelines, and subscriber identity systems that underpin how billions of people authenticate in practice. SK Telecom operates the PASS authentication platform used by over 35 million subscribers in South Korea. [7] Integrating telecom-grade identity signals - SIM binding, network-level attestation, subscriber verification - into FIDO specifications could strengthen passkey security in markets where mobile is the dominant computing platform.

The Better Identity Coalition: Governing What Comes After Passwords

As passkeys and digital wallets proliferate, so does the risk of credential overreach. The Better Identity Coalition has circulated a draft voluntary code of conduct - described as "rules of the road" - for how organizations request and use data from verifiable digital credentials (VDCs). [8]

The draft framework emerged from a March 2025 workshop with roughly 60 stakeholders and targets wallet providers as the primary adopters, aiming to restrict overly broad or invasive data requests in the absence of comprehensive U.S. federal digital identity legislation. [8] The code positions itself as a self-regulatory stopgap: set norms before regulators impose them.

What This Means Going Forward

The passkey ecosystem is entering a phase where success depends less on adoption numbers and more on infrastructure quality. Credential portability, agent delegation standards, wallet certification, and data minimization governance are the problems that will determine whether the passwordless transition is durable or fragile.

For security architects, the practical takeaway is that passkey strategy now extends well beyond "enable FIDO2 in your identity provider." It includes evaluating credential exchange readiness, planning for agent authentication flows where users are not present, and monitoring the voluntary governance frameworks that will shape how verifiable credentials are requested and shared.

The specifications are still drafts. The board seats are still new. But the direction is clear: authentication infrastructure is being rebuilt not just for human logins, but for an economy where autonomous agents, digital wallets, and mobile-native identity systems are the norm.


Image: towel.studio / Unsplash

Sources

  1. Passkey Ecosystem Upgrades and Improvements — FIDO Alliance
  2. FIDO Credential Exchange Specifications — FIDO Alliance
  3. Coming soon: Securely import and export passkeys — 1Password
  4. Mastercard Unveils Open Standard to Verify AI Agent Transactions — PYMNTS via FIDO Alliance
  5. Verifiable Intent Specification — GitHub (agent-intent/verifiable-intent)
  6. SK Telecom Joins FIDO Alliance Board as Passkeys Adoption Accelerates — ID Tech via FIDO Alliance
  7. SK Telecom Joins Board of Global Biometric Authentication Standard Body
  8. Better Identity Coalition Circulates Draft Voluntary Code of Conduct for Verifiable Credentials — ID Tech via FIDO Alliance
