How Digital Identity Will Move Beyond Passwords and Passkeys

Sasha Reid

March 7, 2026

Where We Are Now

Passwords are still the default, but they’re a broken foundation: reused, leaked, phished. Passkeys—cryptographic keys bound to your device or a security key—fix a lot of that: no shared secrets, resistance to phishing, and a better experience when they work. But passkeys are only one step. Digital identity is moving toward a world where “who you are” is verified in richer, more portable ways. Here’s what’s coming next.

What Passkeys Solved (and Didn’t)

Passkeys replace the password with a key pair. The server holds the public key; your device holds the private key. You authenticate with a biometric or PIN. No password to steal or phish. Adoption is growing: Apple, Google, Microsoft, and major sites are rolling them out. The gaps: passkeys are still tied to ecosystems (Apple vs Google vs Microsoft), recovery is messy if you lose devices, and “identity” is still “I control this key.” We don’t yet have a standard way to say “this is the same person across every app” without handing that claim to a handful of tech giants.

Portable Credentials and Verifiable Claims

The next layer is credentials you carry and present when needed—like a digital wallet of attestations. Your government or employer signs a claim (“this person is over 18,” “this person works at X”); you show it to a service without revealing everything. Standards like W3C Verifiable Credentials and implementations (e.g. digital driver’s licenses, mDL) are moving in that direction. The idea: prove what’s necessary, minimize what you share. That’s a shift from “log in with Google” to “here’s a signed claim that I’m eligible for this.”
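
The "prove what's necessary, minimize what you share" idea can be shown with salted-hash selective disclosure, a simplified form of the mechanism SD-JWT-style credentials use. This is an added example, not code from this article or from any standard's reference implementation; the claim names, the `issue`/`present`/`verify` helpers and the Ed25519 issuer key are assumptions constructed for illustration.

```javascript
// Added example: salted-hash selective disclosure (simplified SD-JWT idea).
// All names, claims and keys below are constructed for illustration.
const crypto = require("node:crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");

// Issuer: commit to each claim with a salted digest, then sign only the digests.
function issue(claims, issuerPrivateKey) {
  const disclosures = {};
  const digests = [];
  for (const [name, value] of Object.entries(claims)) {
    // A fresh random salt stops a verifier from guessing hidden values by hashing candidates.
    const salt = crypto.randomBytes(16).toString("hex");
    disclosures[name] = JSON.stringify([salt, name, value]);
    digests.push(sha256(disclosures[name]));
  }
  const payload = JSON.stringify({ digests: digests.sort() }); // sorting hides claim order
  const signature = crypto.sign(null, Buffer.from(payload), issuerPrivateKey);
  return { payload, signature, disclosures }; // disclosures stay in the holder's wallet
}

// Holder: reveal only the named claims; the signed payload is sent unchanged.
function present(credential, reveal) {
  return {
    payload: credential.payload,
    signature: credential.signature,
    disclosed: reveal.filter((n) => n in credential.disclosures)
                     .map((n) => credential.disclosures[n]),
  };
}

// Verifier: check the issuer signature, then that each disclosure hashes to a signed digest.
function verify(presentation, issuerPublicKey) {
  const { payload, signature, disclosed } = presentation;
  if (!crypto.verify(null, Buffer.from(payload), issuerPublicKey, signature)) return null;
  const signed = new Set(JSON.parse(payload).digests);
  const claims = {};
  for (const d of disclosed) {
    if (!signed.has(sha256(d))) return null; // forged or altered claim
    const [, name, value] = JSON.parse(d);
    claims[name] = value;
  }
  return claims;
}

// Constructed sample run: the wallet holds three claims but shows one.
const issuer = crypto.generateKeyPairSync("ed25519");
const credential = issue(
  { over_18: true, name: "Alex Example", birthdate: "1990-01-01" }, issuer.privateKey);
const shown = verify(present(credential, ["over_18"]), issuer.publicKey);
```

The sketch omits holder binding and a verifier-supplied nonce, so a captured presentation could be replayed; a deployed credential format has to add both.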

Self-Sovereign and Decentralized Identity

Self-sovereign identity (SSI) pushes the idea further: you hold your own identity data and decide who gets which slice. Blockchains and decentralized identifiers (DIDs) sometimes get bundled into this, but the core is ownership and consent. In practice, we’re still early. Interop is hard, and someone has to issue and verify credentials. The direction is right—users controlling their identity data—but the infrastructure and UX aren’t there yet for most people.

Biometrics and Behavioral Signals

Biometrics (face, fingerprint) are already part of passkeys and device unlock. The next step is continuous or behavioral signals: how you type, how you move the mouse, device and location patterns. Used well, they can reduce friction and catch account takeover. Used badly, they’re creepy and brittle. The line between “better security” and “surveillance” is thin. Regulation and norms will shape how far this goes.

Recovery and Account Portability

Today, if you lose the device that holds your passkeys, you depend on sync (Apple, Google) or a few recovery options. That’s better than losing a password manager, but it’s still fragile. The next phase needs robust recovery that doesn’t hand everything to one vendor: escrow, social recovery, or hardware backup keys that you can use to restore access. Portability matters too—moving your identity and credentials between providers without starting over. Without that, “beyond passwords” just means a new lock-in.

Enterprise vs Consumer

Enterprises are already moving toward passwordless: FIDO2, passkeys, and hardware keys for employees. Consumer identity is messier: thousands of sites, uneven support, and users who don’t want to think about it. Progress will be uneven—you’ll use a passkey or wallet for some things and still type a password for others for years. The goal is to shrink the surface area where passwords are the only option and to make the rest consistent and recoverable.

Regulation and Standards

Regulation will shape what “digital identity” means. eIDAS in the EU, digital identity initiatives in the US and elsewhere, and rules around data minimization and consent push toward verifiable credentials and away from “send us everything.” Standards bodies (W3C, FIDO, OIDC, etc.) are working on interop so that credentials issued by one party can be verified by another. That work is slow but necessary. Without it we get more walled gardens, not a real step beyond passkeys.

What Has to Happen for “Beyond Passkeys”

For identity to move meaningfully beyond passkeys we need: (1) portable credentials that work across issuers and verifiers, (2) better recovery so losing a device doesn’t mean losing your identity, (3) clear rules on who can issue and attest what, and (4) UX that doesn’t require a PhD to use. Passkeys were a big step. The next one is a world where you prove who you are and what you’re allowed to do without handing the keys to a few platforms—and without going back to passwords.
