Passwords had a good run, but the authentication world has moved on. Today, everyone’s buzzing about passkeys and, hot on their heels, digital wallets.
At first glance, passkeys and digital wallets can look like two approaches fighting for the same spot. Naturally, this sparks a question we hear all the time when mapping out IAM strategies:
“Which one should I bet on for my users? What’s the smarter priority?”
Spoiler: there’s no neat, one-size-fits-all answer (sorry!). But the guidance below will help you cut through the noise and figure out what makes the most sense for your roadmap.
Passkeys offer a secure, user-friendly alternative to passwords, simplifying authentication for both users and organizations. They combine strong public-key cryptography, secure storage of the private key on the authenticator, a built-in second factor (local user verification by biometrics or PIN), and phishing resistance, all while delivering a seamless user experience.
Assuming users already have accounts, the login process involves 2 to 3 steps: entering their username, optionally tapping an NFC device or connecting a security key, completing local authentication and... voilà! The entire process takes less than 20 seconds, with minimal and controlled risk of error.
For organizations, passkeys offer flexible configuration options, such as requiring user verification or defining security constraints for authenticators, making them adaptable to a wide range of contexts.
However, ‘perfect’ is an impossible state. Critical governance aspects, such as authenticator enrolment and account recovery, are not covered by the underlying standards and must therefore be designed and managed by the service provider. And obviously, these processes are increasingly targeted by attackers, as they often fall back on weaker methods like OTPs or passwords.
While passkeys look like an ideal authentication method, particularly for use cases involving frequent logins (such as employee access to applications or bank customers accessing their current account), they require additional governance solutions tailored to each context.
Smartphone-embedded wallets are designed to simplify the storage and sharing of information – Verifiable Credentials (VC), often containing personal data – with various services. They are managed by a wallet provider, which may be the smartphone OS vendor, a government agency, or a private organization.
Their primary goal is to allow end-users to share personal information with any third party through a consistent process, while maintaining control over data shared through consent and granularity.
From the organizations’ perspective, wallets enable reliance on trusted third parties to obtain verified information about end-users, such as their name, address, or birthdate.
Since opening the wallet requires users to authenticate locally on their device, wallets can also serve as an authentication mechanism. However, the wallet authentication journey is a multi-step, error-prone process over which the service provider has neither visibility nor control. In addition to entering their login, users may need to scan a QR code for cross-device access, open the wallet app (choosing one if several are installed, or hitting an error if none is), select the data to share, give consent, perform local authentication, and wait for the wallet to transmit the data to the service provider’s backend.
The process just described is clearly not designed for authentication. Using it for that purpose is likely to confuse users as they may not understand why they’re being asked to perform unrelated actions, such as consenting to sharing data.
Wallets significantly enhance identity verification processes, whether it’s user onboarding (a new employee joining a company or a new customer creating a bank account), device onboarding (installing a banking app on a new device), or credential recovery. They are set to become central to digital identity in European banking due to eIDAS v2, which will likely accelerate adoption. However, as an authentication method, despite the advantage of consistency, wallets do not offer the smoothest user experience.
While passkeys and wallets may appear to overlap on paper, they have different purposes. Each technology is best suited to different stages of the digital identity journey.
Passkeys are ideal for frequent authentication, while wallets work better for occasional identity checks like onboarding or credential recovery.
While passkeys and wallets can be used independently depending on context and needs, they are highly complementary. Next steps should be to map out each identity workflow, pick the approach that fits best, and then weave them together. Done right, you’ll end up with the best of both worlds: better security, better experiences.