The Passwordless Future Has a Password Problem
Passkeys are having a moment. Industry headlines suggest they’ll finally replace passwords for good, ushering in a simpler, more secure authentication model. It’s a compelling narrative, and one we’ve heard before in different forms, from the paperless office to “set-it-and-forget-it” cloud security. Enterprise environments don’t run on narratives. They run on systems, dependencies, and realities that move far more slowly than the latest authentication trend.
Passkeys are gaining traction. FIDO Alliance reports 87 percent of enterprises have deployed or are rolling them out, Microsoft set them as the default for new accounts last year, and consumer platforms are following suit. That momentum is building. But deploying passkeys and maintaining control over your existing credentials are two separate challenges, and organizations that focus on the first while neglecting the second are creating a governance problem their current infrastructure isn’t built to handle.
Passwords Aren’t Going Anywhere
Passkeys work best in a narrow slice of the authentication landscape: user-specific, device-bound access to modern platforms. That’s a legitimate use case. It’s also not where the majority of enterprise credentials live.
Behind the visible login layer, most organizations depend on a much broader credential ecosystem. Shared accounts accessed across teams. Service accounts running critical infrastructure. API keys and automation tokens. Legacy systems that predate modern authentication standards by years, sometimes decades. Third-party integrations with fixed login requirements that can’t be changed without vendor involvement. These aren’t peripheral systems. For most organizations, they are the operational backbone.
Research from Entro Labs found that service accounts, API keys, and automation tokens now outnumber human identities at a ratio of 144 to one, and nearly half carry no lifecycle policy. None of those credentials are moving to passkeys anytime soon, if ever. When Microsoft began enforcing the deprecation of legacy authentication protocols in Microsoft 365 last July, a lot of organizations discovered their application stacks hadn’t kept pace. That’s the gap between where passkey adoption is heading and where enterprise credential environments actually are.
Running Both Creates Twice the Governance Problem
Most organizations aren’t choosing between passwords and passkeys. They’re running both, indefinitely, across systems that were built at different times for different purposes. The governance challenge isn’t in which model to adopt, but in managing two fundamentally different authentication systems at once.
Passkeys live in device-native keystores or cloud sync providers. Passwords live in whatever mix of enterprise managers, browser autofill, and personal vaults employees have accumulated. Each carries its own failure modes, recovery paths, and compliance requirements. What you get isn’t a simplified security posture, but a duplicated one.
Compliance frameworks don’t adjust for authentication modernity. SOC 2, ISO 27001, and HIPAA require demonstrable, auditable control over credential access regardless of type. Passwords, when properly managed, already satisfy those requirements through tooling that is mature and well understood. Passkeys add a second compliance surface alongside that.
Offboarding is where the duplication becomes exposure. Revoking a passkey tied to a personal device means deactivating a credential on hardware the organization doesn’t own or control. Add password-based access to legacy systems and shared accounts, and revocation spans two authentication systems simultaneously with no single enforcement point. A 2025 SailPoint survey found 77 percent of UK organizations already fail to deactivate former employee accounts promptly. A second authentication system in that process doesn’t improve those odds.
Most security teams understand this. The passkeys-versus-passwords debate was never the conversation they needed. The problem in front of them is visibility and control across both credential types, simultaneously, without gaps between them.
What Effective Governance Looks Like in a Hybrid Environment
Organizations navigating this well aren’t waiting for the authentication landscape to consolidate. They’ve accepted that hybrid is the operating condition and are building governance infrastructure around that reality.
The starting point is a full credential audit, and I mean full: not just user passwords, but every active credential the organization depends on. Shared accounts, service accounts, API keys, third-party integrations, legacy system logins. You cannot govern what you haven’t mapped. This matters more in a hybrid environment because passkey deployments typically roll out to the most modern, highest-visibility systems first. The credentials still running on passwords tend to be the less visible ones, some sitting in older systems with the least governance around them. That’s precisely where the exposure lives.
From there, the work is consistent policy enforcement across credential types: password complexity, rotation schedules, and expiration policies centrally managed and applied regardless of which systems those passwords serve. Role-based access controls should reflect how the organization works today, not how it was configured three years ago. The principle of least privilege doesn’t stop being relevant just because part of the environment is running passkeys.
The third piece is a unified audit trail, and it’s where investment tends to fall short. Compliance documentation requires demonstrating not just that policies exist, but that they were enforced and that access events were logged. When authentication activity is spread across passkey systems, password managers, and legacy platforms, producing a coherent audit record requires deliberate architecture. It won’t happen by accident.
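The three steps above (map every credential, enforce lifecycle policy across types, and produce one audit record from sources that log differently) can be made concrete in a small script. The following is an added example written for this article, not code from the author or from any vendor named here; the inventory, the departed-identity list, the passkey-provider JSON events and the syslog-style lines are all constructed, and the field names (`rp`, `result`, the `sshd` password message format) are assumptions about what such sources might emit.

```python
"""Hybrid credential governance checks: inventory gaps, offboarding coverage,
and a unified audit trail across passkey and password systems.
Added example; all identities, systems, dates and log lines are constructed."""
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Optional
import json
import re


@dataclass
class Credential:
    id: str
    owner: str                      # human or non-human identity
    kind: str                       # passkey | password | service_account | api_key
    system: str
    last_rotated: Optional[date]    # None: never rotated
    max_age_days: Optional[int]     # None: no rotation policy attached
    active: bool = True


TODAY = date(2025, 9, 15)  # constructed audit date
# Constructed inventory spanning both authentication models (hypothetical values).
INVENTORY = [
    Credential("c1", "alice", "passkey", "m365", date(2025, 9, 1), None),
    Credential("c2", "alice", "password", "legacy-erp", date(2024, 1, 10), 90),
    Credential("c3", "svc-backup", "service_account", "backup-host", None, None),
    Credential("c4", "ci-runner", "api_key", "artifact-repo", date(2025, 6, 1), 180),
    Credential("c5", "bob", "passkey", "m365", date(2025, 3, 1), None),
    Credential("c6", "bob", "password", "shared-finance", date(2025, 8, 1), 90),
]
OFFBOARDED = {"bob"}  # identities HR has marked as departed


def find_policy_gaps(inventory, today):
    """Flag non-passkey credentials with no lifecycle policy or overdue rotation.
    Passkeys are skipped: they are not rotated; their lifecycle question is
    device/identity revocation, which orphaned_credentials() covers."""
    findings = []
    for c in inventory:
        if not c.active or c.kind == "passkey":
            continue
        if c.max_age_days is None or c.last_rotated is None:
            findings.append((c.id, "no_lifecycle_policy"))
        elif (today - c.last_rotated).days > c.max_age_days:
            findings.append((c.id, "rotation_overdue"))
    return findings


def orphaned_credentials(inventory, offboarded):
    """Active credentials still bound to departed identities, across both models."""
    return [(c.id, c.kind, c.system)
            for c in inventory if c.active and c.owner in offboarded]


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    identity: str
    system: str
    credential_kind: str
    outcome: str


# Constructed passkey-provider events (JSON lines) and legacy syslog-style lines.
PASSKEY_LOG = [
    '{"ts": "2025-09-15T08:01:22Z", "user": "alice", "rp": "m365", "result": "success"}',
    '{"ts": "2025-09-15T09:14:03Z", "user": "bob", "rp": "m365", "result": "success"}',
]
LEGACY_LOG = [
    "Sep 15 08:05:41 legacy-erp sshd[1234]: Accepted password for alice from 10.0.0.5",
    "Sep 15 09:20:17 shared-finance sshd[1301]: Failed password for bob from 10.0.0.9",
]
_SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                     r"(Accepted|Failed) password for (\S+)")


def parse_passkey_event(line):
    rec = json.loads(line)
    ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return AuditEvent(ts, rec["user"], rec["rp"], "passkey", rec["result"])


def parse_legacy_event(line, year):
    m = _SYSLOG.match(line)
    if not m:
        return None  # unrelated syslog line; callers skip it
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year, tzinfo=timezone.utc)
    outcome = "success" if m.group(3) == "Accepted" else "failure"
    return AuditEvent(ts, m.group(4), m.group(2), "password", outcome)


def unified_trail(passkey_lines, legacy_lines, year):
    """Merge both sources into one time-ordered record with identical fields."""
    events = [parse_passkey_event(l) for l in passkey_lines]
    events += [e for e in (parse_legacy_event(l, year) for l in legacy_lines) if e]
    return sorted(events, key=lambda e: e.ts)


def activity_after_offboarding(trail, offboarded):
    """Any authentication activity by a departed identity is an enforcement gap,
    whichever credential type it used."""
    return [e for e in trail if e.identity in offboarded]


if __name__ == "__main__":
    print("policy gaps:", find_policy_gaps(INVENTORY, TODAY))
    print("orphaned:", orphaned_credentials(INVENTORY, OFFBOARDED))
    trail = unified_trail(PASSKEY_LOG, LEGACY_LOG, TODAY.year)
    for e in activity_after_offboarding(trail, OFFBOARDED):
        print(f"{e.ts.isoformat()} {e.identity}@{e.system} via {e.credential_kind}: {e.outcome}")
```

The point of normalising into a single `AuditEvent` shape is that the offboarding check then runs once over both credential types: bob's passkey assertion and his password attempt on the legacy host surface in the same query, instead of requiring separate reviews of the passkey provider's console and the legacy server's syslog.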
Where passkeys make sense, the organizations doing this well layer them in deliberately, without disrupting the systems that still depend on passwords. DocuSign and TikTok picked their starting points carefully, validated before expanding, and kept passwords running with tighter governance on anything not yet ready. Incremental and deliberate. That’s the pace enterprise infrastructure actually moves at.
Govern the Present, Plan for the Future
Consider what happens when someone loses the device holding their passkey. The fallback to regain access is, almost always, a password. Plan accordingly.
Weak passwords are not the same as weak security. Governance is what makes the difference. The most defensible position for any size business isn’t passwordless. It’s password-plus: strong credentials of either type, centrally managed, consistently enforced, and fully auditable across every system the organization depends on.
The keynote announcements will keep coming. The organizations that stay secure through this period are the ones maintaining control over what they’re actually running, not just what they’ve recently deployed.