
Authentication Trends in 2026: Passkeys, AI Agents, and Edge
This is the first part of a four-part series exploring the structural shifts in authentication during 2026. This installment examines the macro forces driving these changes and provides a deep dive into the mainstream adoption of passkeys and passwordless authentication.
What are the major authentication trends in 2026?
The three load-bearing shifts are (1) mainstream passkey adoption replacing passwords and SMS MFA, with 15 billion user accounts now passkey-enabled and Microsoft defaulting new consumer accounts to passkeys (FIDO Alliance); (2) OAuth 2.1 emerging as the baseline for authenticating AI agents — including Model Context Protocol servers, whose 2025-11-25 specification mandates OAuth 2.1 with PKCE and dynamic client registration (MCP); and (3) edge-centric ingress verification, where short-lived JWTs issued by a central identity provider are validated inside the CDN layer before requests ever reach origin. Each section below covers the primary data, the current standard, and concrete TypeScript-first implementation patterns for the matching shift.
The organizing frame throughout is a three-by-three matrix — three principal types (humans, machines, AI agents) crossed with three runtime environments (origin servers, serverless functions, CDN edge) — because most real 2026 design decisions are about which principal you are authenticating and which runtime is doing the verifying. One clarification before the deep dive: "edge authentication" in this article means ingress-layer JWT verification of tokens issued by a central IdP, not a replacement for browser session management — the IdP still owns durable session state and revocation authority.
Key Trends at a Glance
The three shifts below are the load-bearing structure of the rest of the article.
Each row is drawn from primary telemetry or specification, not vendor marketing. The passkey numbers come from the FIDO Alliance's ongoing passkey index and Microsoft's May 2025 security-blog update on default passkey enrollment (FIDO Passkey Index, Microsoft Security Blog). The agent-identity row reflects the MCP authorization specification finalized on 2025-11-25, which codifies OAuth 2.1 with PKCE as the baseline transport (MCP specification). The edge row reflects the Next.js 16 release, which renamed and re-scoped middleware.ts to proxy.ts to make its network-boundary role explicit (Next.js 16 release notes), alongside the now-conventional jose plus Web Crypto toolchain for JWT validation inside Cloudflare Workers and Vercel Edge Functions (SSOJet, Daily Dev Post).
Three caveats up front, because each trend has a failure mode and this article will not pretend otherwise. Passkeys solve phishing but do not solve account recovery, and recovery UX is where most 2026 passkey rollouts still stumble. Agent identity via OAuth 2.1 is the right direction, but token-exchange flows for delegated agent access are not yet uniformly implemented across IdPs. And edge verification buys latency, not authorization — any decision more complex than "is this JWT signed and unexpired" still belongs at the origin or in the IdP. Each deep-dive section below names the caveat alongside the benefit.
Why Authentication Needs to Evolve in 2026
Authentication in 2026 is not a single product problem. It is the intersection of a faster adversary, a new class of non-human caller, tightening regulation across every major jurisdiction, and a performance budget that no longer tolerates an origin round-trip. Each of those forces is moving independently, and each one pushes the same way: away from shared secrets, toward phishing-resistant credentials verified as close to the user as possible.
The forces reshaping authentication
Credential theft is still the dominant initial-access vector. The 2025 Verizon Data Breach Investigations Report is widely quoted as finding "88% of breaches involved stolen credentials", but that figure is scoped specifically to Basic Web Application Attacks; across the full corpus, credential abuse accounts for roughly 22% of initial access vectors (Verizon DBIR 2025). That caveat does not soften the finding — it sharpens it. For the internet-facing apps most readers of this article build, compromised credentials remain the single most common way in. IBM's 2025 X-Force Threat Index reinforces the trend: a 180% increase in phishing emails delivering infostealers measured against a 2023 baseline, with credential theft the outcome in one in three incidents (IBM X-Force 2025).
eCrime moves faster than humans can respond. CrowdStrike's 2026 Global Threat Report puts average eCrime breakout time at 29 minutes, with the fastest observed breakout at 22 seconds. Eighty-two percent of intrusions were malware-free — the attacker logged in with stolen credentials rather than dropping a binary — and the report measured an 89% year-over-year increase in AI-enabled attacks (CrowdStrike 2026). A 29-minute window does not give a SOC time to page a human; it demands authentication that refuses the attack in the first place.
SIM-swap fraud is scaling in the channels MFA still relies on. Cifas, operator of the UK's National Fraud Database, reported roughly 3,000 unauthorised SIM-swap cases in 2024 — a 1,055% year-over-year surge (Cifas). Action Fraud tracks the same phenomenon with a different methodology and reports roughly 2,037 cases for the period; the number you cite depends on the source, but both point the same direction.
Agentic software changes the threat model. Non-human callers with LLM reasoning now sit in front of APIs that assumed an interactive user session, and they do not behave like the CSRF-token-bearing browser clients those APIs were designed for.
Performance expectations have eaten origin auth. Global TTFB budgets now push session verification to the CDN edge. A documented case study reports that moving verification to the edge cut international checkout TTFB from roughly 2 seconds to ~45ms (Daily Dev Post).
Regulation is accelerating phishing-resistant authentication on parallel tracks. In the EU, the NIS2 Directive (EU) 2022/2555 had to be transposed by Member States by 17 October 2024 and applied from 18 October 2024, while DORA Regulation (EU) 2022/2554 reached its application date on 17 January 2025. NIST SP 800-63-4, released July 2025, for the first time formally qualifies syncable passkeys at AAL2. The EU AI Act (Regulation (EU) 2024/1689) is under phased application, with general application from 2 August 2026. The UAE's CBUAE Notice 2025/3057 requires licensed financial institutions to retire SMS and email OTP as a standalone authentication factor by 31 March 2026. India's RBI Authentication Directions 2025 require compliance by 1 April 2026 with additional cross-border card-not-present validation by 1 October 2026. Singapore's PDPC ruling requires organisations to cease NRIC-number-based authentication by 31 December 2026, with enforcement from 1 January 2027. The Philippines BSP Circular 1213 (2025) defines a one-year compliance window, with a derived deadline around 30 June 2026. Under eIDAS 2.0 (Regulation (EU) 2024/1183), Member States must provide EUDI Wallets within 24 months of the implementing acts — the commonly cited outside date is around 21 November 2026. For financial messaging, SWIFT CSP v2026 ships 26 mandatory plus 6 advisory controls, with Control 2.4 moved from advisory to mandatory. For payment data, PCI DSS 4.0.1 retired v4.0 on 1 January 2025, and v4.0's new requirements became effective 31 March 2025. Cyber insurance sits across all of this: Marsh McLennan's cyber-risk research consistently ranks MFA as a top insurer-required control.
Federal signal on agent identity. NIST's AI Agent Standards Initiative, announced February 2026, explicitly covers identity, authorization, and compliance for interoperable agents — the first federal standards work to treat agents as a first-class identity tier.
Contrarian callout. Gartner predicts that 30% of enterprises will consider identity verification unreliable in isolation by 2026, thanks to AI-generated deepfakes. The authentication layer alone is no longer the verification layer.
Foundational concepts, recapped succinctly
OAuth 2.1 versus OpenID Connect. OAuth 2.1 is an authorization framework; OpenID Connect is an identity layer built on top of it. OAuth 2.1 consolidates best-current-practice guidance from RFC 6749 and the various security BCPs into a single spec, with RFC 9700 codifying the OAuth 2.0 Security Best Current Practice that informs it. If your mental model is "OAuth is login", invert it: OAuth delegates access, OIDC carries identity.
JWT, JWS, JWKS in one paragraph. A JSON Web Token is a header, payload, and signature triple. The signature is a JSON Web Signature, produced with an asymmetric algorithm such as RS256, ES256, or EdDSA. Public verification keys are distributed through a JSON Web Key Set hosted at a well-known URL (conventionally /.well-known/jwks.json). Asymmetric signing is what makes edge verification viable: the public key can live in every CDN PoP, while the private key stays in the IdP. Symmetric signing requires the verifier to hold the signing key — a hard non-starter when the verifier is 300+ edge locations you do not want to be breach blast radius.
Session, access, and refresh tokens. A session token represents a logged-in user to your application and is typically an HttpOnly cookie. An access token is a short-lived bearer credential passed to an API to authorize a specific request. A refresh token is a longer-lived credential exchanged at the IdP for a fresh access token when the current one expires, keeping active sessions alive without re-prompting the user.
WebAuthn, FIDO2, passkey. WebAuthn is the W3C Web Authentication API that lets a browser talk to an authenticator. FIDO2 is the umbrella name for WebAuthn plus the Client to Authenticator Protocol (CTAP) that connects browsers to external authenticators. A passkey is the branded consumer UX layered on top of WebAuthn and FIDO2 — a discoverable credential, typically synced across a platform vendor's ecosystem, presented through a familiar system-level prompt.
Why these primitives remain load-bearing. The UX above them is changing fast, but the substrate — OAuth 2.1 for delegation, OIDC for identity, JWT/JWKS for portable claims, WebAuthn for origin-bound assertions — is what every trend in the rest of this article composes onto. Agent identity, edge auth, and passkey rollouts all assume these primitives work; they differ mainly in where the verification happens and what the authenticator is.
Trend 1: Passkeys and Passwordless Authentication Go Mainstream
2026 is the year passkeys stopped being a roadmap item and became the default sign-in for a material share of consumer and workforce traffic. The numbers below are bounded to primary sources — FIDO Alliance, the platform vendors themselves, and the specific case studies published on their developer blogs — because the passkey space has an unusually high volume of secondary and tertiary citations that have drifted from their original context.
Passkey adoption data for 2026
Consumer adoption and platform support
The FIDO Alliance reports 15 billion+ user accounts with passwordless access via passkeys, with more than 1 billion passkey activations across consumer platforms. The FIDO Passkey Index (October 2025) puts account eligibility at 93%, enrollment at 36%, and passkey-completed sign-ins at 26% of the total across participating services. In the same report, passkey sign-ins succeed 93% of the time against 63% for password sign-ins, and complete 73% faster — a median of 8.5 seconds against 31.2 seconds for passwords. Help-desk authentication incidents drop 81% for passkey-enabled populations.
Microsoft made passkeys the default for new consumer accounts in May 2025 and, according to its own security blog, is registering "nearly a million passkeys every day." In that same May 2025 post, Microsoft reports that passkey users are three times more successful at signing in than password users — about 98% versus 32% — and that passkey sign-ins are eight times faster than a password plus traditional MFA (Microsoft Security Blog). Consumer awareness has moved in step with the rollout: from 39% in 2023 to 57% in 2025 per the FIDO Alliance Consumer Insights survey (FIDO Alliance).
Platform support is effectively universal on the client side. Every evergreen browser supports WebAuthn and conditional UI; iOS, Android, macOS, and Windows all ship platform authenticators with synced passkey storage (caniuse.com, passkeys.dev).
Vendor case studies
Primary, vendor-published numbers hold up the clearest picture of the business case:
- Google. 800 million accounts use passkeys, with more than 2.5 billion sign-ins to date. Passkey sign-ins succeed 4× more often than password sign-ins, and Google measured a 352% increase in passkey usage after making passkeys the default sign-in option in October 2023 (Google Identity case studies).
- Mercari. 82.5% passkey success rate with sign-in 3.9× faster than SMS OTP — 4.4 seconds against 17 seconds (Google Identity case studies).
- Kayak. 50% reduction in sign-in time after rolling out passkeys (Google Identity case studies).
- Tokyu. Approximately 12× faster sign-in, to 12.2 seconds (web.dev).
- Dashlane. 70% increase in sign-in conversion rate for passkey flows compared with password flows (Google Developers Blog).
- DocuSign. 99% passkey success rate against 76% for passwords, as reported in the FIDO Authenticate 2025 Day 2 recap (FIDO Alliance) and on the DocuSign blog (DocuSign).
- Roblox. 18% of active users adopted passkeys per the FIDO Authenticate 2025 Day 2 recap (FIDO Alliance); Dashlane's Power 20 vault telemetry separately reported 856% year-over-year growth in Roblox passkey credentials stored in Dashlane (Dashlane).
- Air New Zealand. 50% abandonment reduction after introducing passkeys (FIDO Alliance).
Enterprise and workforce adoption
On the workforce side, the FIDO Alliance's State of Passkey Deployment in the Enterprise in the US and UK (February 2025) found that 87% of surveyed US and UK workforces are deploying passkeys for employee sign-ins. Corbado's separate analysis — secondary and illustrative — reports that organisations with dedicated adoption tooling reach 80%+ enrollment while those without stall at 5–10% (Corbado). Treat the gap between those two numbers as the project-management tax on passkey rollouts, not a ceiling on the technology.
Passwordless beyond passkeys
"Passwordless" in 2026 is a spectrum, not a single method. Magic links are still widely deployed, and social / OIDC federation is the de-facto passwordless consumer path for a large share of sites. Mojoauth's own State of Passwordless 2026 survey reports that 41% of passwordless implementations still use magic links — attribute that number to mojoauth's survey, not to the industry at large. In practice, "passwordless" in enterprise contexts now means "passkey-first with a fallback", and the interesting design question has shifted from "should we support passkeys" to "what is the recovery path when a passkey is not present".
Why passkeys outperform passwords and legacy MFA
Security outcomes
Passkeys are phishing-resistant by construction. Every WebAuthn assertion is bound to the origin it was created on, so a credential enrolled at example.com cannot be replayed against a lookalike domain — the browser refuses to produce the assertion. That one property eliminates the entire category of credential stuffing and password reuse, because there is no static secret on the client to steal in the first place.
The gap against legacy MFA is where 2026 gets interesting. Adversary-in-the-middle kits are now commodity: WorkOS's 2026 analysis reports that Tycoon 2FA accounts for roughly 62% of phishing volume and generates around 30 million fraudulent emails per month (WorkOS). These kits proxy the legitimate login flow in real time, harvest the user's SMS or TOTP code, and replay it against the real IdP inside the validity window. MFA-fatigue attacks time their push prompts to moments when the user is most likely to click through on autopilot. And SMS-based MFA is undermined at the carrier layer by the SIM-swap surge documented by Cifas. Passkeys collapse all of that because the assertion is origin-bound and proximity-bound — the AiTM proxy cannot produce an assertion for the real origin, the fatigue prompt has nothing to approve, and a SIM swap does not help you forge a WebAuthn signature.
UX and conversion outcomes
The conversion case is as strong as the security case. The FIDO Passkey Index numbers above are the anchor: 93% login success against 63% for passwords, and a median 8.5-second sign-in against 31.2 seconds for passwords, a 73% improvement. Vendor case studies round out the shape — Tokyu's roughly 12× faster sign-in on web.dev, Dashlane's 70% conversion uplift on the Google Developers Blog, and the 81% help-desk incident reduction in the FIDO Passkey Index. That last number is the line that moves CFO conversations: the faster sign-in saves seconds, the help-desk reduction saves salaries.
FIDO2 and WebAuthn in the enterprise
Synced versus device-bound authenticators. NIST SP 800-63-4 (July 2025) classifies syncable authenticators at AAL2 — the first version of the guideline to do so formally. AAL3, required for privileged access in federal systems, still demands device-bound authenticators. Microsoft Entra ID tracks the same distinction: device-bound passkeys shipped in January 2024 and synced passkeys followed in November 2025.
Attestation, AAGUIDs, and authenticator allowlists. Enterprise passkey programs typically lean on WebAuthn attestation statements and Authenticator Attestation GUIDs to restrict which authenticator models can be enrolled. The common patterns are allowlists for employee-issued devices, conditional allowlists keyed to assurance level, and separate policies for administrators. The FIDO Alliance's State of Passkey Deployment in the Enterprise puts workforce deployment at 87% across the US and UK enterprises surveyed.
Hardware security keys. YubiKey, Google Titan, and Feitian keys remain the dominant choice for admin and privileged accounts — device-bound, attestable, and immune to synced-credential-store attack vectors.
Integrating with SAML/OIDC federation. The pragmatic pattern for 2026 is passkey-at-IdP plus OIDC to downstream apps: the IdP owns the WebAuthn ceremony and issues an ID token or SAML assertion that downstream applications trust.
What's still holding back universal passkey adoption
Passkeys are the right default. They are not yet a solved problem.
Account recovery is the hardest unsolved problem. There is no universal best practice. Vendors variously fall back to backup codes, email magic links, phone-number verification, knowledge-based questions, or human-assisted identity proofing — each of which reintroduces part of the attack surface the passkey was meant to eliminate. A 2025 peer-reviewed literature review identifies account recovery, sharing and delegation, and misaligned user perception as the core challenges to wider adoption (MDPI Applied Sciences — Matzen et al. 2025).
Cross-device and cross-ecosystem sync. Apple, Google, and Microsoft each run their own synced credential stores, and portability between them has historically required the user to re-enroll on each platform. The Credential Exchange Protocol and Credential Exchange Format (CXP/CXF) were published as a FIDO Alliance Proposed Standard in August 2025, and Apple shipped CXF in iOS and macOS 26. Portability is improving, but it is not yet universal in 2026.
Legacy clients and call-center channels. Desktop applications stuck on older WebAuthn-incompatible runtimes, IVR call flows, and phone-based account recovery still require knowledge factors. These do not go away because passkeys got better; they require parallel hardening.
Change-management friction. In the FIDO Alliance / Thales 2025 enterprise deployment study, groups that do not have active passkey projects cite complexity (43%), costs (33%), and lack of clarity on how to start (29%) as the top reasons for holding off (FIDO Alliance — State of Passkey Deployment in the Enterprise).
Emerging passkey attacks. Honest caveat: 2025 produced the first wave of practical passkey-targeted research. Proofpoint documented synced-passkey downgrade attacks against Microsoft Entra in which browser spoofing is used to force the user into a weaker fallback method. SquareX demonstrated passkey hijacking via WebAuthn API interception at DEF CON 2025. Prove published analysis of SIM-swap-enabled passkey-sync recovery fraud — attacking the recovery path rather than the passkey itself. None of this undermines the recommendation to deploy passkeys; all of it underscores that passkey security depends on closing fallback paths, hardening recovery, and treating the synced credential store as part of the trust boundary.
Trajectory: passwordless by default in 2027–2028
Per the Gartner Market Guide for User Authentication (Hoover & Allan, November 2024), more than 90% of MFA transactions will be completed via FIDO passkey by 2027. Insurance pressure and the regulatory deadlines listed earlier in this article will keep pushing enterprise rollouts through 2027 and into 2028, when the default corporate sign-in is a synced passkey with device-bound escalation for admins.
The open questions for the next two years are not whether passkeys win but how cleanly they compose: whether CXP/CXF adoption reaches every major platform, how workforce SSO converges around passkey-at-IdP, and how organisations govern synced credential stores when the credential lives in a consumer cloud account rather than a corporate device.
Conclusion
Passkeys have crossed the threshold from early adoption to mainstream default, fundamentally altering the security and UX baseline for consumer and workforce identities alike. However, human users are no longer the only principals that matter. In the next part of this series, we will examine the second major trend of 2026: the rise of AI agents as first-class authentication principals and the standards evolving to secure them.
FAQ
Are passwords completely dead in 2026?
No. While passkeys are the default for new accounts on major platforms, passwords remain as a fallback for legacy systems and account recovery flows where device syncing is unavailable.
Why is account recovery harder with passkeys?
Because passkeys eliminate shared secrets, losing all enrolled devices means the user has no cryptographic proof of identity. Fallback methods like magic links or backup codes are required, which reintroduce some of the attack surface passkeys were designed to close.
In this series
- Authentication Trends in 2026: Passkeys, AI Agents, and Edge (you are here)
- Authentication Trends in 2026: Passkeys, AI Agents, and Edge - Part 2
- Authentication Trends in 2026: Passkeys, AI Agents, and Edge - Part 3
- Authentication Trends in 2026: Passkeys, AI Agents, and Edge - Part 4