Passwords have dominated digital security for decades, but a newer technology called passkeys is now positioned to replace them across consumer and government systems alike. The National Institute of Standards and Technology has formally addressed how passkeys fit into federal digital identity standards, while Microsoft is phasing out password autofill in its Authenticator app and pushing users toward passkeys before an August 1 deadline. Together, these moves signal that the shift away from passwords is no longer theoretical but actively underway, with real consequences for how people log into everything from email to banking apps.
What is verified so far
The strongest confirmed development is that NIST has published guidance explaining how syncable authenticators, the technical term for what most people call passkeys, can be incorporated into federal digital identity frameworks. The guidance addresses where passkeys fit within established assurance levels, specifically at Authenticator Assurance Level 2 (AAL2), a tier that requires two distinct authentication factors. NIST’s supplement also lays out the rationale for including passkeys and identifies additional requirements and considerations that agencies should weigh before adopting them.
One of the most significant technical properties NIST highlights is that passkeys can be phishing-resistant. Traditional passwords are vulnerable to fake login pages that trick users into handing over their credentials. Passkeys work differently: they rely on public-key cryptography, binding authentication to a specific device or synced credential rather than a memorized secret. Because the private key never leaves the user’s device ecosystem, an attacker running a phishing site cannot intercept it the way they would a typed password. This distinction matters for federal systems that handle sensitive data, but it also applies directly to everyday consumer accounts.
The NIST supplement builds on the agency’s existing digital identity guidelines, which have long served as the baseline for how federal agencies verify users online. By formally recognizing syncable authenticators, NIST is acknowledging that passkeys have matured enough to meet security requirements that previously demanded hardware tokens or other dedicated second factors. That recognition carries weight: federal guidelines often influence private-sector security standards, meaning NIST’s position could accelerate adoption well beyond government agencies.
On the industry side, Microsoft has confirmed that its Authenticator app will end password autofill support, with users urged to set up a passkey before August 1. This is not a minor feature update. Microsoft Authenticator is widely used across enterprise and consumer environments, and removing password autofill is a deliberate step to push users toward passkeys as the default sign-in method. The company’s statements, as reported by the Associated Press, frame passkeys as both more secure and more convenient than the passwords they replace.
These two developments (NIST’s standards work and Microsoft’s product change) are aligned in direction even though they operate in different domains. NIST is defining what counts as acceptable authentication for high-assurance government services, while Microsoft is altering the daily login experience for millions of people. Both are premised on the same technical foundation: that device-bound cryptographic credentials can reduce the risk of credential theft compared with passwords that can be guessed, reused, or phished.
What remains uncertain
While NIST has laid out how passkeys can meet AAL2 requirements, no publicly available data from the agency quantifies how many federal systems have actually adopted passkeys or how quickly that adoption is expected to grow. The guidance is prescriptive rather than descriptive: it tells agencies what they can do, not what they have done. Without adoption metrics, it is difficult to assess whether the federal government is months or years away from widespread passkey use.
Similarly, there is no published research from NIST or other federal bodies measuring real-world phishing reduction rates after passkey deployment. The claim that passkeys are phishing-resistant is technically sound and well-supported by cryptographic principles, but concrete field data showing, for example, a measurable drop in credential theft incidents at agencies using passkeys has not surfaced in the available reporting. This gap matters because security technologies sometimes perform differently in controlled environments than they do when millions of non-technical users interact with them daily.
Cross-device syncing, one of the key selling points of passkeys, also lacks official failure-rate data. Passkeys are designed to sync across a user’s devices through platform ecosystems like Apple’s iCloud Keychain or Google Password Manager, but edge cases involving mixed ecosystems, lost devices, or account recovery remain poorly documented in public research. A user who owns an iPhone but uses a Windows laptop, for instance, may encounter friction that password-based logins never presented. No official research from NIST or major vendors has published sync failure rates, leaving this a known but unquantified risk.
Microsoft’s August 1 timeline is clear, but the broader industry trajectory is less defined. Other major platforms, including Google and Apple, support passkeys, yet there is no coordinated deadline or industry-wide mandate requiring services to offer passkey login. Adoption remains voluntary for most websites and apps, which means users could find themselves managing passkeys for some accounts and passwords for others for an extended period. That hybrid state introduces its own usability challenges that current reporting has not fully addressed.
Another open question is how organizations will handle account recovery when a user loses access to the devices that store their passkeys. Passwords, for all their flaws, can often be reset through email links or security questions. Passkeys tie identity more tightly to hardware and platform accounts, which may improve security but can also complicate recovery. NIST’s guidance acknowledges the need for robust lifecycle management, but detailed, real-world playbooks for large agencies and enterprises are still emerging.
How to read the evidence
The two strongest pieces of evidence supporting the headline claim come from different tiers but reinforce the same conclusion. NIST’s published supplement is a primary source, meaning it represents the agency’s own position rather than a journalist’s interpretation. When NIST states that syncable authenticators can meet AAL2 and can be phishing-resistant, those are institutional determinations backed by the agency’s technical review process. Readers can treat these claims with high confidence, though they should note that “can be” phishing-resistant is not the same as “always are.” Implementation details, such as whether a service properly validates the origin of a passkey request, determine whether the phishing resistance holds in practice.
The Associated Press reporting on Microsoft’s Authenticator changes is institutional-grade journalism with direct attribution to Microsoft’s own statements. It provides a concrete timeline and a specific product change, both of which are independently verifiable. This source is best understood as confirming a corporate decision rather than evaluating whether that decision will succeed. Microsoft’s framing of passkeys as more secure and convenient reflects the company’s marketing position as much as a technical assessment, and readers should weigh it accordingly.
What is notably absent from the current evidence base is independent, peer-reviewed research measuring passkey usability at scale. Most of the available information comes from the organizations building or promoting passkey technology, whether that is NIST setting standards, Microsoft redesigning its app, or the FIDO Alliance developing the underlying protocols. None of these sources are disinterested observers. This does not mean their claims are inaccurate, but it does mean readers should distinguish between empirical findings, such as NIST’s classification of assurance levels, and value-laden statements about convenience or user preference.
Readers should also be cautious about extrapolating from policy and product moves to inevitable outcomes. NIST’s recognition of passkeys at AAL2 shows that the technology is eligible for use in high-assurance settings, not that it will automatically displace every other method. Likewise, Microsoft’s decision to retire password autofill in one app is a strong signal about the company’s direction but does not guarantee that all of its services, or its customers, will abandon passwords on the same timeline.
Taken together, however, the evidence does support a clear directional conclusion. A major standards body has carved out an explicit place for passkeys in government-grade authentication, and a major technology vendor is reshaping a widely used authentication product around them. The remaining uncertainties (about adoption speed, real-world phishing reduction, cross-platform usability, and recovery practices) will determine how smooth the transition is, not whether the transition has begun. For users, agencies, and businesses, the practical takeaway is that passkeys are moving from experimental option to expected default, and planning for a future with fewer passwords is no longer premature.
*This article was researched with the help of AI, with human editors creating the final content.