Three announcements from the identity security space last week signal a shift in the industry's center of gravity - from getting rid of passwords toward governing what comes after them.
Passkeys Are Mainstream. Now What?
At the annual Identity & Policy Forum, FIDO Alliance CEO Andrew Shikiar declared the passkey chapter effectively won. Over 4 billion passkeys are now in active use worldwide, up from their introduction in 2022 [1: Biometric Update, "FIDO's Andrew Shikiar predicts the triumph of wallets in 2026"]. Major U.S. banks adopted passkeys for sign-up by late 2025, validating Shikiar's earlier prediction that the banking sector would be a tipping point [1].
With authentication largely addressed, FIDO is pivoting to digital credentials and wallets - the infrastructure for storing and presenting verifiable identity documents on a user's device. The Alliance announced it is developing a wallet certification profile, drawing on its existing FIDO certification program, to establish criteria ensuring wallets are secure, privacy-preserving, and interoperable across credential issuers and relying parties [2: FIDO Alliance, "Verifiable Digital Credentials Initiative"]. FIDO is collaborating with EMVCo, ISO, the OpenID Foundation, and W3C to align what remains a fragmented ecosystem [2].
A Code of Conduct for Verifiable Credentials
As wallets proliferate, so does the risk that organizations will request more identity data than they need. The Better Identity Coalition has circulated a draft voluntary code of conduct - described as "rules of the road" - for how organizations request and use data from verifiable digital credentials (VDCs) [3: ID Tech, "Better Identity Coalition Circulates Draft Voluntary Code of Conduct for Verifiable Credentials"].
The draft framework aims to restrict overly broad or invasive data requests as VDCs move toward real-world deployment [3]. The initiative emerged from a March 2025 workshop attended by roughly 60 stakeholders, and targets wallet providers - whether tech platforms, government agencies, or third parties - as the primary adopters [4: Better Identity Coalition, "Verifiable Digital Credentials Voluntary Code of Conduct"]. In the absence of comprehensive U.S. federal legislation on digital identity, the coalition is positioning the code as a self-regulatory stopgap that could influence future policy [4].
AI-Driven Impersonation Now the Top Identity Threat
HYPR's sixth annual State of Passwordless Identity Assurance report, produced with 451 Research (S&P Global), provides the threat-landscape backdrop for these standards efforts. Based on a survey of over 950 security and IT leaders, the report identifies a decisive shift: 53% of organizations now cite generative AI as their primary identity security concern, and 45% cite agentic AI - both overtaking stolen credentials for the first time [5: 451 Research / HYPR, "AI Displaces Stolen Credentials as Top Identity Concern"].
AI-enabled impersonation, including deepfakes and voice cloning, has moved from theoretical risk to reported incident category, prompting organizations to invest in identity verification solutions designed for industrial-scale automated attacks [6: HYPR, "AI-Driven Identity Attacks Surpass Stolen Credentials as Top Enterprise Threat"]. The report frames the current moment as the "Age of Industrialization" for identity threats, arguing that enterprises must move beyond awareness into operational deployment of phishing-resistant, passwordless authentication [7: HYPR, "The State of Passwordless Identity Assurance 2026"].
Looking Ahead
These three developments are connected. Passkeys solved the authentication problem; wallets and verifiable credentials extend that model to identity attributes beyond login. But broader adoption introduces new governance questions - who can ask for what data, how wallets are certified, and how identity systems withstand AI-powered attacks at scale. FIDO's wallet certification work, the Better Identity Coalition's code of conduct, and the HYPR report's threat data collectively outline an ecosystem moving from "passwords are dead" to the harder challenge of building trust frameworks for decentralized digital identity. Organizations tracking these developments should watch for the finalized FIDO certification criteria and the public comment period on the Better Identity Coalition's draft code.
