CDA Friction, CXF, GenAI Phishing: Authenticate 2025 Trends

Every year, the Authenticate conference brings together the leading voices in digital identity, offering a stage to discuss the technologies, challenges, and innovations shaping the future of authentication and passkeys. As one of the most highly anticipated events in the identity and security space, Authenticate 2025 focused on critical issues that are driving the next wave of passwordless technologies.

At this year’s event, some major themes emerged: the quest to eliminate passwords entirely through passkeys and the critical need to solve the cross-device friction that continues to hinder seamless adoption. With major players like Google and Microsoft leading the charge, passkeys are proving to be a game-changing solution for both security and user experience.

However, scaling passkey adoption across devices and platforms remains a significant hurdle. In this article, we are going to cover the main questions associated with the topic:

1. How does cross-device friction influence passkey adoption efforts by Google?

2. What impact does passkey adoption at massive scale have and what can we learn from Microsoft’s example?

3. What role does the Credential Exchange Format (CXF) play in ensuring secure and seamless credential migration across platforms?

4. What impact does Generative AI have on modern phishing attacks and identity security?

Google is not just an adopter of passkeys, it is a foundational partner and driving force behind the technology. As one of the core members of the FIDO Alliance (Fast IDentity Online) that developed the passkey standards, Google has a clear orientation towards a passkey future.

Passkeys are now a critical component of Google Account sign-in, proving to be a highly effective and popular alternative to passwords.

• Massive User Adoption: Over 1 Billion users have already signed in using passkeys.

• High Success Rate: When a passkey is available locally on the device being used (like a synced passkey on a personal phone), the authentication success rate is 75%.

• Superior User Experience: Sign-in is 50% faster compared to using a traditional password.

Despite the success of local sign-in, Google identified a major struggle with the cross-device hybrid flow, the process where you use your phone to log into a different device (like a new laptop or a public computer) by scanning a QR code.

• Poor Account Recovery Rates: This process struggles significantly in critical scenarios like account recovery (Google only uses CDA for recovery, not for the regular login):

  • Hybrid Passkey Success Rate (using the cross-device flow): 14%

  • Push Notification Success Rate (one-tap approval on a trusted device): 64%

• Current Policy Focus: Because of this friction, Google's policies currently emphasize local passkey usage, where the passkey is already on the device you're using.

Increasing the usability of this cross-device flow is critical for all Relying Parties (RPs, or websites and apps) to drive global passkey adoption.

Solving this challenge provides significant benefits:

Google's presentation concludes that it is strategically important to address the cross-device passkey gap for the entire ecosystem to succeed.

• The Problem is UX Friction: Most user drop-off in the cross-device flow is attributed to a lack of familiarity and UI friction (users get confused).

  • Experiments show that providing additional context (clearer instructions) significantly improves user success rates.

  • The call to action is for RPs and platforms to streamline the UI flow to boost success.

• Technical Enhancements: Changes to the technical specifications are underway to address drop-off on the authenticator side (the device that holds the passkey). For instance, a URL Fallback can help. This feature allows the sign-in process to use a standard web link if the typical secure communication (like Bluetooth) fails, making the cross-device flow more reliable while users adopt the technology.

Following the same path as Google, Microsoft, another foundational member of the FIDO Alliance, provided compelling production data that answers the question: what happens when passwordless becomes the default for a billion users? The team shared telemetry from their massive user base (approaching 1 billion Monthly Active Users), demonstrating the critical shifts that occur once the user interface (UI) defaults to passkeys. The key takeaway is that at scale, both speed and success jump dramatically, while the internal cost of supporting passwords virtually collapses.

Microsoft's data shows that once an organization reaches a critical mass of passkey adoption, the UX metrics become superior to those of traditional methods by orders of magnitude:

• Speed: Sign-ins with passkey autofill average approximately 3 seconds, compared to a staggering 69 seconds for the traditional password + Multi-Factor Authentication (MFA) flow. This represents a process that is approx.. 23 times faster.

• Reliability: Passkey sign-ins boast a success rate of about 95%, significantly higher than the less than 30% success rate often seen for password + MFA flows, demonstrating a 3 times higher success rate.

• Support Load: The most dramatic impact is on operational cost. Microsoft reports approximately 21,170 password-related support cases per day (covering resets, lockouts, and OTP failures), versus just 4 per day for passkeys. This is a reduction of 99.98% in support load for the authentication method.

• Crossover Point: Microsoft confirmed that it now sees more passwordless authentications (including passkeys) than password-based authentications across its platform of 1 billion MAU, signaling a fundamental shift in user behavior.

The metrics shared by Microsoft provide a clear and compelling business case for moving to passkeys, taking the conversation beyond just security:

Microsoft concluded its session with a clear roadmap for organizations looking to follow their lead and achieve the benefits of passwordless scale:

1. Default to Passkey: Make the passkey the default login mechanism on known devices. The user experience (UX) should be native and immediate, leveraging the device's built-in biometrics.

2. Instrument the Right KPIs: Establish key metrics to track your progress: time-to-authentication, success rate, fallback rate, and support case rate (specifically broken down by authentication method) – see also this article on passkey KPIs.

3. Aggressively Deprecate Weak Paths: Following the strategy of companies like Uber, organizations must plan to remove or heavily gate weak login methods once a passkey is enrolled, reserving fallbacks for true account recovery scenarios only (ultimately, also making the account recovery phishing-resistant).

4. Plan Cross-Device UX: Address Google's noted friction point immediately by planning a robust, clear cross-device experience clear user instructions to ensure success when users switch devices.

In a session focused on secure interoperability, speakers outlined the progress on the Credential Exchange Format (CXF), a new standard designed to safely and easily move credentials, including passkeys, between different devices, platforms, and password managers. This initiative addresses the crucial issue of user lock-in and device lifecycle management, showing that both major mobile platforms are already integrating the necessary APIs.

A clear timeline was provided, and platform support was confirmed, signaling that the ability to move credentials securely is moving from concept to reality:

For organizations, the formal standardization of credential exchange represents a major operational and strategic benefit:

• Lower Support Load: A standardized method for credential transfer will significantly reduce the number of "lost credential" and device-switch support tickets that occur during device refreshes, break/fix scenarios, or employee turnover.

• Vendor Neutrality: Establishing a standard, policy-aware export/import path reduces vendor lock-in and eliminates the need for brittle, one-off tooling or complex manual procedures for credential migration.

• Safer Recovery: CXF-enabled exchange flows can be designed to require local biometrics or attestation, providing a significantly higher level of assurance during recovery or migration compared to ad-hoc or less secure export methods.

The Authenticate 2025 conference highlighted that the most significant new threat to identity security isn't just a technical exploit, but the sophistication brought by Generative AI (GenAI) to the classic attack vector of phishing. GenAI fundamentally changes the economics and scalability of social engineering, moving the threat from broad, clumsy campaigns to highly personalized, fast-moving attacks.

The new phishing pipeline, powered by AI, covers every stage of an attack with unprecedented speed and customization according to Yuriy Ackermann (Senior Identity Advisor at Aware, Inc.):

GenAI Phishing Predictions:

The accessibility of GenAI tools is projected to rapidly reshape the structure of the cybercrime ecosystem:

• Syndicates Collapsing and Startups Emerging: Large, established syndicates are predicted to fragment under economic and political pressure. In their place, small, AI-powered teams will emerge.

• APTs Adapting: State-sponsored Advanced Persistent Threats (APTs) are already integrating GenAI for high-stakes phishing, sophisticated misinformation campaigns, and fraud, leveraging the technology's capability for strategic influence.

• Wide Accessibility and Gamification: Phishing is becoming gamified, automated, and frictionless, making it accessible to a much broader base of actors. This will lead to small actors, often driven by existing petty crime networks and operating from low-income or unstable regions, becoming a significant part of the global threat landscape.

Google’s masterclass distilled fresh user research and concrete UI patterns for Android’s Credential Manager. The headline: awareness is rising fast, small design tweaks materially lift success and speed, and “passkey as an upgrade” (not a lecture) is how you win mainstream users.

• 76% of users now have at least a basic understanding of passkeys, and 72% have already used a passkey in at least one app, awareness and lived experience are no longer niche.

• Streamlined flows cut median sign-in time from ~7.2 s to ~4.8 s, showing that micro-frictions in the UI are the difference between hesitation and completion.

• Platform gains moved the needle: passkey success improved from ~65% on Android 14 to ~72% on Android 15, indicating that OS-level polish compounds app-level UX work.

The research explained why some users still stall out, and it isn’t capability. Discoverability remains thin (many never see where to create a passkey), benefits are undersold (users don’t immediately see why it’s better), password habit is sticky (“my password works”) and fragmented experiences across apps and platforms erode trust. Google’s guidance tackles those head-on with a few decisive patterns.

• Treat passkey as an upgrade, not a side quest: Prompt creation immediately after a successful password sign-in or during account recovery, when intent is highest. Pair this with Conditional Create to automatically create a passkey on eligible devices so the “switch” feels effortless rather than like a setup chore.

• Be explicit about consequences and control: In the prompt, state the direct benefit (“faster sign-ins without codes”), explain why the user is seeing this now (e.g. after verifying their password) and show where passkeys live and can be managed (e.g., Account → Security → Passkeys/Credential Manager) so ownership feels tangible.

• Unify names and journeys: Use consistent wording for the same action (“Create a passkey”, “Use passkey to sign in”) and keep the identifier-less path the default when a passkey exists, reducing decision points that send users back to passwords.

• Design for cross-surface continuity. Where possible, mirror your web and app flows so a passkey created in one place is discoverable and usable in the other, avoiding “I set this up already, why doesn’t it work here?” moments that damage trust.

• Sync sometimes fails between web and apps: Occasionally, a passkey created on web won’t appear in the app (or vice versa). Acknowledge this in recovery text so users understand what’s happening, and offer a clean fallback that stays phishing-resistant instead of dropping straight back to passwords.

• Inconsistent naming and journeys across RPs/platforms: Standardize vocabulary and UI entry points within your product, even if the broader ecosystem is uneven.

• Trust hotspots: Finance flows and missing biometrics still trigger hesitation. Reassure with clear copy (“your fingerprint stays on this device, no shared secrets”) and show a visible recovery path that keeps safety high without reverting to password-first habits.

Ensuring a consistent user experience across devices is critical for passkey adoption. Cross-device authentication, where a passkey from one device (e.g., phone) is used to authenticate on another (e.g., laptop), still presents significant friction. Clearer instructions and consistent UI design can reduce this friction, improving success rates and boosting user engagement. Organizations should focus on eliminating these barriers to make the process more intuitive and seamless.

Passkeys should be treated as a universal authentication method, not limited to specific use cases. For enterprises, this means integrating passkeys consistently across all platforms, web, mobile, and IoT devices. The goal is to reduce complexity and ensure seamless, cross-platform authentication, which enhances both user experience and security. By adopting passkeys as the default across systems, organizations can simplify authentication and improve user retention.

To avoid vendor lock-in, enterprises should prepare that their users will soon start to use the Credential Exchange Format (CXF), which enables secure credential migration across platforms and devices. As passkey technology grows, using standards like CXF ensures a seamless experience across systems and future-proofs authentication strategies. Proactively preparing for these standards on the RP side will support scalability and reduce credential management complexities.

Authenticate 2025 shows that passkeys will soon become the standard for authentication across the globe. Google and Microsoft’s advancements highlight the significant progress in passkey adoption, with both companies tackling the challenges of cross-device friction and demonstrating the operational benefits of scaling passwordless solutions.

The development of the Credential Exchange Format (CXF) further underscores the importance of secure and seamless credential migration, setting the stage for a more unified and frictionless passwordless future.

As the ecosystem matures, it is clear that passkeys are not just a technological innovation, but a strategic necessity for enterprises aiming to improve both security and user experience. In this article we also answered the following questions:

1. How does cross-device friction influence passkey adoption efforts by Google? Google is driving passkey adoption by integrating passkeys into Google Account sign-ins and focusing on improving local passkey usage while addressing cross-device friction through UI enhancements and technical updates.

2. How does passkey adoption at massive scale shape enterprise impact, and what can we learn from Microsoft’s example? Microsoft’s success with passkeys at scale demonstrates significant improvements in login speed, success rates, and reduced support load, providing enterprises with hard ROI and a more secure, user-friendly authentication process.

3. What role does the Credential Exchange Format (CXF) play in ensuring secure and seamless credential migration across platforms? The Credential Exchange Format (CXF) enables secure and standardized credential migration across devices, platforms, and password managers, ensuring interoperability and reducing the risk of credential lock-in.

4. What impact is Generative AI having on modern phishing attacks and identity security? Generative AI is making phishing faster, smarter, and more personalized, amplifying identity threats and underscoring the need for phishing-resistant authentication like passkeys.