Passwordless and passkeys in CIAM
Passwordless authentication removes the shared secret behind most account takeovers: a password that can be phished, reused, or stuffed from a previous breach. Passkeys are the strongest mainstream form of it, and CIAM vendors now compete on how well they support them.
The passwordless spectrum
Not all passwordless is equal:
- Magic links and email OTP: convenient, but only as secure as the email account, and phishable; a link or code can be relayed through a fake login page in real time.
- SMS OTP: widely used, weak. Vulnerable to SIM swap and interception, and just as easy to relay through a phishing page.
- Authenticator app TOTP: stronger, but still a code a user can be tricked into typing into a phishing page that forwards it within the validity window.
- Passkeys (FIDO2 / WebAuthn): a cryptographic key pair held by an authenticator and scoped to the site's domain (the relying party ID). The user types nothing; what is sent is a signature over a server-issued challenge and the real origin, which a lookalike site can neither obtain nor reuse.
What makes passkeys different
A passkey is a private key stored on the user’s device (phone, laptop, or hardware key) and unlocked with a biometric or PIN. The site only ever sees a public key. The credential is bound to the domain in two ways: the browser only offers it to a page whose host matches the relying party ID it was registered for, and the origin the browser actually observed is included in the data the authenticator signs, so the server can reject any assertion that names the wrong site. A phishing page on a lookalike domain therefore never gets a usable response. Synced passkeys (via iCloud Keychain, Google Password Manager, or a password manager) solve the old problem of losing the credential with the device, at the cost of moving trust to the sync provider's own account recovery; device-bound passkeys (typically on hardware keys) keep the key on one authenticator and are the usual choice where higher assurance is required.
What to ask a CIAM vendor
- Do you support synced and device-bound passkeys, and autofill (conditional UI)?
- Can passkeys be the primary factor, not just a second factor?
- How do you handle account recovery when a user has only a passkey? Recovery is the weak link: a recovery path that falls back to SMS or email reintroduces the phishable factor the passkey removed.
- What is the fallback for users on unsupported browsers?
- Is passkey support gated to a higher pricing tier? (It often is.) See the pricing guide.
Why it matters for buyers
Passkeys cut support cost (fewer resets), reduce fraud, and lift conversion once enrolled. The gap between vendors is no longer “do they support it” but how complete the recovery and fallback story is. A demo that skips recovery is hiding the hard part.