Passkeys are finally getting real adoption. They fix a lot of what was wrong with passwords: no more phishing of secrets, no more reused credentials, and a much better experience on the devices people actually use. But “log in without a password” isn’t the same as “digital identity is solved.” Once you’re authenticated, a whole other set of problems remains—who you are, what you’re allowed to do, and how that’s proven across services. Here’s what’s left after passkeys.
Authentication vs. Identity
Authentication answers “is this the same entity that signed up?” Identity is broader: it’s “who is this person, and what attributes or entitlements do they have?” Passkeys are great for the first. They don’t, by themselves, solve the second. You can sign in to a service with a passkey and still have no standard way to say “I am over 18,” “I am a resident of this country,” or “I am accredited to do X.” Those claims usually get re-proven every time—upload a document, enter a code, go through a vendor’s flow—and there’s no portable, reusable identity layer that sits on top of passkeys. So we’ve made “prove you’re you to this site” much better; we haven’t yet made “prove you’re you in a way that other sites and services can reuse” a reality for most people.
Attribution and Attributes
What’s left of the digital identity problem is largely about attributes and attribution. Governments and banks want to know you’re a real person and that you meet certain criteria (age, residency, profession). Employers and platforms want to know you’re the right person for a role or a permission. Today that’s done with one-off verification: show a driver’s license, complete a KYC flow, pass a background check. There’s no widely adopted way to carry verified attributes from one context to another without going through the whole dance again. Some initiatives—digital identity wallets, verifiable credentials, eIDAS 2.0 in Europe—are trying to change that. But we’re not there yet. Passkeys give you a strong, phishing-resistant way to authenticate; they don’t yet give you a standardized way to say “this credential attests that I have attribute X” in a way that other relying parties trust.

Recovery and Portability
Passkeys are bound to devices and ecosystems. If you lose your phone and your backup method, account recovery is still a hard problem. Some providers offer recovery through other passkeys, backup codes, or support flows—but there’s no universal, user-controlled recovery story that works across every service. And when you want to move from one ecosystem to another, or use a passkey from a new device, the experience can still be clunky. So “after passkeys” we still have work to do on: how do I recover access if my primary device is gone, and how do I own my identity in a way that isn’t locked to a single vendor?
Portability also touches identity. If your “identity” is a bundle of passkeys and verified attributes, who controls that bundle? Can you take it with you? Today, a lot of that is still in the hands of platforms. True portability would mean the user holds the keys and the credentials and can present them wherever they need to. We’re inching in that direction with passkeys and with efforts like verifiable credentials, but the infrastructure and adoption aren’t there yet.
Trust and Delegation
Another piece that’s left is trust and delegation. How does a service know it can trust an identity or an attribute? That usually means a chain of trust: someone (government, bank, employer) vouches for you, and that voucher is in a form that other parties can verify. Right now that’s ad hoc. After passkeys, we still need widely accepted standards and ecosystems for who can issue attestations and how they’re checked. We also need better patterns for delegation—e.g. “this legal entity is acting on behalf of that one,” or “this person is authorized to do X on behalf of Y.” That’s identity and authorization together, and it’s mostly unsolved at scale.

Privacy and Minimal Disclosure
Identity systems that work across domains have to handle privacy. You don’t want to hand over your entire identity when you only need to prove you’re over 18. So “what’s left” includes minimal disclosure: proving a claim (age, membership, qualification) without revealing everything else. Zero-knowledge and selective disclosure techniques are part of the conversation here, along with policy choices about what gets stored where. Passkeys don’t address this; they just make the “sign in” step secure. The next layer is making the “prove this one thing” step private and portable.
Where Things Are Heading
Regulation and standards are pushing the next phase. In Europe, eIDAS 2.0 is promoting digital identity wallets that can hold verified attributes and credentials issued by governments and other trusted parties. The idea is that you authenticate once, get attributes attested, and then reuse them across services without re-uploading documents every time. Similar efforts exist around verifiable credentials (W3C and others): a standard way to express “issuer X says subject Y has attribute Z” in a cryptographically verifiable form. If those ecosystems mature, we could see a world where passkeys handle “sign in” and wallets plus verifiable credentials handle “prove this claim.” We’re not there yet—adoption is fragmented and interoperability is still being built—but that’s the direction. For developers, the takeaway is that authentication (passkeys) is one layer; the next will be integrating with attribute and credential systems as they become available.
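The "issuer X says subject Y has attribute Z" statement and the minimal-disclosure step from the privacy section can be shown together with salted hash commitments, the idea behind selective-disclosure credential formats. This is an added example, not code from the original post or from any wallet or standard; the function names, the credential layout and the sample data are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s).digest("base64url");

// Issuer: commit to each attribute with a fresh salt and sign only the digests.
function issue(issuerPrivateKey, subject, attributes) {
  const disclosures = {};
  for (const [name, value] of Object.entries(attributes)) {
    const salt = crypto.randomBytes(16).toString("base64url");
    disclosures[name] = JSON.stringify([salt, name, value]); // kept by the wallet
  }
  const digests = Object.values(disclosures).map(sha256).sort(); // sort hides order
  const payload = JSON.stringify({ sub: subject, digests });
  const signature = crypto.sign(null, Buffer.from(payload), issuerPrivateKey);
  return { payload, signature: signature.toString("base64url"), disclosures };
}

// Holder: send the signed payload plus only the disclosures it chooses to reveal.
function present(credential, names) {
  const disclosed = names.map((n) => credential.disclosures[n]);
  return { payload: credential.payload, signature: credential.signature, disclosed };
}

// Verifier: check the issuer signature, then that every disclosure was committed to.
function verify(issuerPublicKey, presentation) {
  const sig = Buffer.from(presentation.signature, "base64url");
  if (!crypto.verify(null, Buffer.from(presentation.payload), issuerPublicKey, sig)) {
    return null;
  }
  const { digests } = JSON.parse(presentation.payload);
  const claims = {};
  for (const d of presentation.disclosed) {
    if (!digests.includes(sha256(d))) return null; // not something the issuer signed
    const [, name, value] = JSON.parse(d);
    claims[name] = value;
  }
  return claims;
}

// Constructed sample data: hypothetical issuer key, subject and attributes.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const attrs = { age_over_18: true, country: "XX", name: "Sample Person" };
  const shown = present(issue(privateKey, "holder-1", attrs), ["age_over_18"]);
  const forged = { ...shown, disclosed: [JSON.stringify(["salt", "country", "YY"])] };
  return {
    claims: verify(publicKey, shown),                        // only the revealed claim
    leaked: JSON.stringify(shown).includes("Sample Person"), // undisclosed value absent
    forgedResult: verify(publicKey, forged),                 // rejected
  };
}
```

The sketch leaves out holder key binding, expiry and revocation, so a captured presentation could be replayed; binding the presentation to a key the holder controls is the piece a passkey-style authenticator would supply.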
The Bottom Line
Passkeys are a big step forward for authentication. They remove a lot of the pain and risk of passwords. What’s left of the digital identity problem is the rest of the stack: verified attributes, recovery and portability, trust chains and delegation, and privacy-preserving disclosure. Those are the problems that will define the next phase of identity—and they’re the ones that passkeys alone don’t solve.