NullSec.news// Cyber news for anyone

From Passkeys to AI Agents: How the Passwordless Ecosystem Is Rapidly Expanding Its Reach

OpenAI's arrival on the FIDO Alliance Board, Mastercard's open-source standard for AI agent transactions, and Meta's display-free passkey method for XR headsets signal a new phase: passwordless authentication is moving well beyond logins into agent commerce, immersive hardware, and national-scale identity systems.

With passkeys now counted in the billions and major platforms defaulting to passwordless sign-in, the authentication industry's attention is shifting to harder questions: how do you authenticate an AI agent making a purchase on your behalf? How do you bring passkeys to a headset that has no scannable screen? And what does national-scale deployment look like when attackers use deepfakes?

A cluster of announcements in the past week reveals the answer taking shape - through new board members, open standards, and engineering workarounds that extend FIDO's model far beyond the browser login box.

OpenAI Joins FIDO to Tackle Agent Authentication

OpenAI has joined the FIDO Alliance and been appointed to its Board of Directors, making it the first major AI lab to take a governance role in the passwordless authentication body. [1] The company said it plans "to participate in emerging work to evolve authentication for agentic intelligence." [1]

The timing is deliberate. OpenAI launched its Operator AI agent tool in January 2026, and the broader industry is grappling with a fundamental problem: when an autonomous agent interacts with a service, how does that service verify the agent is acting within the scope of a real user's intent? FIDO Alliance CEO Andrew Shikiar framed the challenge directly: "The common thread is clear: making it simple and trustworthy for people to present verified credentials, whether directly or through agents acting on their behalf." [1]

Mastercard's Verifiable Intent: Cryptographic Proof for Agent Commerce

Running on a parallel track, Mastercard has open-sourced "Verifiable Intent," a cryptographic framework that uses SD-JWT (Selective Disclosure JSON Web Tokens) to create tamper-evident proof that a consumer authorized an AI agent's transaction and that the agent executed the instructions as intended. [2] Google, IBM, Fiserv, and Checkout.com have signed on as initial backers, and the specification is available on GitHub under a draft v0.1 status. [2]

The standard addresses three questions that hang over every agent-initiated purchase: Did the consumer actually authorize this? Did the agent follow instructions exactly? And if something goes wrong, can anyone prove it? [3] Unlike FIDO, which focuses on authenticating the user, Verifiable Intent focuses on authenticating the action - creating an auditable chain from human intent to agent execution.
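The generic SD-JWT mechanism that makes such a proof tamper-evident, as an added example (not code from the Verifiable Intent repository): the signed payload holds only salted hashes of the hidden claims, and the verifier accepts a revealed claim only if its hash is under the signature. The claim names and issuer URL are constructed, HMAC stands in for the issuer's asymmetric signature, and key binding is left out.

```python
import base64, hashlib, hmac, json, secrets

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_disclosure(name, value) -> str:
    # SD-JWT disclosure: base64url(JSON array [salt, claim name, claim value])
    salt = b64u(secrets.token_bytes(16))
    return b64u(json.dumps([salt, name, value]).encode())

def digest(disclosure: str) -> str:
    # The signed payload carries only this hash, never the claim itself
    return b64u(hashlib.sha256(disclosure.encode("ascii")).digest())

def sign(key, signing_input) -> str:
    # Assumption: HMAC stands in for the issuer's asymmetric signature
    return b64u(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def issue(key, plain: dict, hidden: dict):
    discs = [make_disclosure(k, v) for k, v in hidden.items()]
    payload = dict(plain, _sd=sorted(digest(d) for d in discs), _sd_alg="sha-256")
    head = b64u(json.dumps({"alg": "HS256"}).encode())
    body = b64u(json.dumps(payload).encode())
    return f"{head}.{body}.{sign(key, head + '.' + body)}", discs

def present(jwt: str, discs) -> str:
    # Holder picks which disclosures to reveal: <JWT>~<disclosure>~...~
    return "~".join([jwt, *discs]) + "~"

def verify(key, presentation: str) -> dict:
    jwt, *discs = presentation.split("~")
    head, body, sig = jwt.split(".")
    if not hmac.compare_digest(sig, sign(key, head + "." + body)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64u_dec(body))
    signed_digests = set(claims.pop("_sd", []))
    claims.pop("_sd_alg", None)
    for d in filter(None, discs):
        if digest(d) not in signed_digests:
            raise ValueError("disclosure not covered by the signature")
        _salt, name, value = json.loads(b64u_dec(d))
        claims[name] = value
    return claims

if __name__ == "__main__":  # constructed sample claims, not the draft's schema
    jwt, discs = issue(b"demo-key", {"iss": "https://issuer.example"}, {"merchant": "shop.example", "max_amount": 50})
    print(verify(b"demo-key", present(jwt, discs[:1])))
```

A disclosure whose hash is not in the signed `_sd` list is rejected, so neither the agent nor a merchant can swap in a different amount after the fact.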

Meta Solves the Display Problem for XR Passkeys

Passkeys typically rely on a cross-device flow where a user scans a QR code displayed on the device being authenticated. That works for laptops and TVs. It does not work for VR headsets strapped to your face. Meta's engineering team has published a novel method that bypasses QR codes entirely, enabling cross-device passkey authentication for XR devices without an on-device display, while still complying with FIDO's trust and proximity requirements. [4]

The approach uses a trusted companion app on a nearby phone to complete the WebAuthn handshake. It is a pragmatic adaptation that opens passkey support to an entire category of hardware - smart glasses, headsets, IoT devices - previously locked out of the ecosystem. [4]

Norway's BankID: Passkeys at National Scale, With Liveness

While Silicon Valley focuses on agents and headsets, Norway offers a case study in what mature passkey deployment looks like at population scale. BankID Norway, the de facto national digital ID used by 97% of citizens (4.7 million people), is transitioning to an app powered by FIDO passkeys combined with biometric liveness detection. [5]

The combination is significant. Passkeys stop phishing. Liveness detection - confirming the user is physically present and not a deepfake or replay - stops the AI-powered impersonation attacks that have become the top identity threat. BankID's transition demonstrates that passkeys and advanced biometrics are not competing approaches but complementary layers in a defense-in-depth model. [5]

The Payment Security Dimension

Separately, Stripe has joined the PCI Security Standards Council as a Principal Participating Organization, explicitly listing passkeys, agentic commerce security, and AI-driven fraud mitigation among its priority collaboration topics. [6] Stripe's agenda includes defining the security boundaries for payment data protection when transactions are initiated by autonomous agent systems - essentially asking what a "Cardholder Data Environment" means when the cardholder is an AI. [6]

Combined with SK Telecom's appointment to the FIDO Alliance Board - adding a major APAC mobile operator to the standards leadership - the pattern is clear: the organizations shaping the next generation of authentication span AI labs, payment networks, telecom carriers, and national identity providers. [7]

The Catalyst: 16 Billion Stolen Credentials

Underlying all of this is a stark data point. In mid-2025, researchers uncovered approximately 16 billion stolen login credentials compiled into a single searchable dataset, harvested from infostealer malware, phishing operations, and years of accumulated breach archives. [8] The dataset covered accounts across Google, Apple, Meta, and dozens of other platforms. It was not the result of a sophisticated zero-day exploit - just the quiet, cumulative failure of password-based authentication. [8]

That breach data serves as the empirical justification for the industry's current velocity. Passwords did not fail spectacularly. They failed gradually, then all at once.

What Comes Next

The week's developments point to a passwordless ecosystem entering its second act. The first act was replacing passwords with passkeys for human logins. The second is extending cryptographic authentication to AI agents, immersive hardware, autonomous transactions, and national identity systems - each with distinct technical constraints and threat models.

For security teams, the practical implication is that authentication strategy can no longer be scoped to "user signs in with passkey." It must account for agent delegation, cross-device flows on unconventional hardware, and layered biometric verification. The standards bodies are moving fast. The question is whether enterprise implementations can keep pace.


Image: towel.studio / Unsplash

Sources

  1. Biometric Update: OpenAI joins FIDO Alliance to help AI agent authentication push
  2. Mastercard Unveils Open Standard to Verify AI Agent Transactions (GitHub: agent-intent/verifiable-intent)
  3. PYMNTS: Mastercard Unveils Open Standard to Verify AI Agent Transactions
  4. Meta Engineering: No Display? No Problem: Cross-Device Passkey Authentication for XR Devices
  5. FIDO Webinar: The Spectrum of Authentication: How BankID Norway Unifies Passkeys and Biometric Liveness
  6. PCI SSC Blog: Spotlight On Stripe, a New Principal Participating Organization
  7. ID Tech: SK Telecom Joins FIDO Alliance Board as Passkeys Adoption Accelerates
  8. Financial News-UK: The Death of the Password - How Passkeys Secretly Took Over the Internet
