Verifiable Credentials and Passkeys: The Power Duo

By Matt McInnes - Feb 06, 2025

Passwords are dying, and not a moment too soon. Over 20 years ago, Bill Gates famously announced that passwords “cannot ‘meet the challenge’ of keeping critical information secure”. They’re a liability—phishable, sharable, forgettable and an easy target for attackers. Breached credentials are the leading attack mode resulting in identity theft. Recently, there has been a focus on the power of FIDO Passkeys and the adoption of this solution to replace the password, but is that the end of the story?

Rarely is a single technology the ‘silver bullet’ to every problem, and the same holds true for Passkeys. They need to be supported in the OS and/or browser, and rely on other tools to sync Passkeys across devices via the Cloud. So do Passkeys have more critical weaknesses?

Enter the partnership of Passkeys and Verifiable Credentials (VCs), two technologies that don’t just replace passwords but redefine authentication and identity itself in the digital era. Let’s explore how this partnership is transforming digital identity.

Passkeys: Fast, phishing-proof authentication

Passkeys make secure login effortless. Built on FIDO2/WebAuthn, they replace passwords with a cryptographic keypair stored securely on a trusted device. Simple, secure and phishing-resistant.

Why Passkeys matter:

  • No more passwords – Nothing to remember, nothing to steal, nothing to phish.
  • Frictionless UX – A biometric or PIN gets you in instantly.
  • Tied to devices – No more credential stuffing or stolen passwords.
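The phishing resistance described above comes from checks the relying party makes on every WebAuthn login: the browser records the origin it actually talked to, and the authenticator hashes the RP ID the credential is scoped to. The following is an added example, not code from the original article; it covers only the binding checks (signature verification is left out), and the domain names, challenge and helper names are constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def binding_failures(client_data_json, authenticator_data, challenge, origin, rp_id):
    """Return the names of failed checks; an empty list means the binding holds."""
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("type")
    if not hmac.compare_digest(str(client.get("challenge")), b64url(challenge)):
        failures.append("challenge")          # replayed or foreign challenge
    if client.get("origin") != origin:
        failures.append("origin")             # page the browser was really on
    if len(authenticator_data) < 37:          # rpIdHash(32) + flags(1) + signCount(4)
        return failures + ["authenticator_data_length"]
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        failures.append("rp_id_hash")         # credential scoped to another RP ID
    flags = authenticator_data[32]
    if not flags & 0x01:
        failures.append("user_present")
    if not flags & 0x04:
        failures.append("user_verified")      # biometric or PIN was not checked
    return failures

def sample_assertion(origin, rp_id, challenge, flags=0x05):
    """Build a constructed, unsigned assertion payload for the checks above."""
    client = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                         "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")
    return client, auth

CHALLENGE = b"constructed-challenge-0001"  # a real server issues random bytes per login
RP_ID, ORIGIN = "library.acme.example", "https://library.acme.example"

def demo():
    good = sample_assertion(ORIGIN, RP_ID, CHALLENGE)
    lookalike = sample_assertion("https://library-acme.example", "library-acme.example", CHALLENGE)
    no_uv = sample_assertion(ORIGIN, RP_ID, CHALLENGE, flags=0x01)
    return [binding_failures(*a, CHALLENGE, ORIGIN, RP_ID) for a in (good, lookalike, no_uv)]
```

An assertion produced on a look-alike domain fails both the origin and the RP ID hash check, which is why a relayed login page cannot reuse it.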

So where are the weaknesses?

  • Limited domain context – Each device and application requires a unique passkey.
  • No built-in identity proofing – They prove access rights to an account, not who you are.
  • Device-dependent – A separate tool is required to synchronise the passkey across devices.
  • Users must log in to create them – Before a passkey can be created and linked to an account, the user must log in to the account. This often requires a less secure mode of authentication to be available.
  • Every application requires a unique passkey – In this way, a passkey is very similar to a highly secure password. Access 20 apps from 2 devices and you’ll have 40 passkeys.

Verifiable Credentials: Attested, reusable proof of identity

VCs are cryptographically signed, third-party attested credentials that verify facts about you—personal attributes, employment, certifications, memberships and more. Unlike self-asserted personal attributes, VCs have provenance as they’re created by the issuer, making them inherently trustworthy.

Why VCs matter:

  • Trust at scale – Third-party attested so they can be trusted inside or outside an organisation.
  • Trust the data, not the device – Cryptographically tamper-evident data.
  • User-held, user-controlled – Your credentials, your data in your full control.
  • Portable – Once held by the user, one credential can be trusted and used in many applications.
  • Authentication beyond logins – Can be used to originate an account and power authentication from any device, trusted or new.
  • More than authentication – VC claims can be used to power authorisation or access control.

What’s the trade-off?

  • Credential infrastructure is required – Issuers and verifiers must support them.
  • Adoption – Users and businesses need to embrace them. But awareness is growing! Gartner predicts that “by 2026, at least 500 million smartphone users will be regularly making verifiable claims using a digital identity wallet (DIW)”.
  • A few extra steps – But the security and trust gains are worth it.

Verified Orchestration was founded specifically to enable business adoption of VCs. We provide VC infrastructure and a suite of tools to simplify adoption of this revolutionary technology. By reducing the integration effort, our customers benefit from VCs more quickly.

Passkeys + VCs = Stronger Together

Both technologies are cryptographically secure. Passkeys excel when it comes to user authentication from a trusted device, while VCs are unparalleled in their ability to digitally verify personal identity attributes, even from untrusted devices. Passkeys and VCs aren’t competitors—they’re perfectly complementary.

So how could they be used together?

  1. Account Establishment – Use a VC to verify identity and establish an account.
  2. Login from a new device – Use the unique Verified Orchestration OIDC endpoint to truly authenticate the user with a VC, then register a Passkey on that device.
  3. Login from trusted devices – Passkeys provide seamless authentication.
  4. Step-up authentication – Use the Verified Orchestration OIDC endpoint to provide the additional trust of a VC prior to a user completing a risky event online.

Using this approach, weak authentication mechanisms are eliminated and Passkeys are used to provide a seamless day-to-day authentication experience. The trust offered by VC identity proofing is used to streamline and automate account establishment, reducing back-office operational demands. Additionally, the biometric binding in a VC can be used to re-verify the user's identity within an authenticated session, so an organisation can meet customer expectations and offer more services online.

So how does this work in practice?

  1. Jo Smith, a new student at ACME University, has been issued their Student ID in the form of a Verifiable Credential. The Student ID includes their name, start date and course they’re enrolled in.
  2. Jo accesses the library system and is given two options to log in: use their Student ID or a Passkey.
  3. Jo has never logged in before, so chooses the Student ID.
  4. The library system creates a new account for Jo and lets them register a passkey.
  5. Next time Jo accesses the library system, they choose to log in with the passkey.
  6. When Jo wants to access a restricted research database, they are challenged to present their Student ID again, including verification that they match the biometric photo in the Student ID.
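The walkthrough above can be expressed as relying-party policy with three enforcement points: accounts originate only from a trusted VC, passkeys are registered only inside a VC-authenticated session, and restricted access needs a recent VC presentation with a biometric match. This is an added sketch, not Verified Orchestration's or the article's code; the class, field names, issuer identifier and the 300-second freshness window are assumptions, and `verified` stands in for the result of a real VC verifier.

```python
import time
TRUSTED_ISSUERS = {"did:example:acme-university"}  # constructed issuer id
STEP_UP_MAX_AGE = 300  # seconds; assumed freshness window, not from the article
STUDENT_ID = {"verified": True, "issuer": "did:example:acme-university",
              "subject": "jo.smith"}  # constructed sample presentation

class LibrarySystem:
    """Hypothetical relying party enforcing the flow in the walkthrough."""
    def __init__(self):
        self.passkeys = {}   # subject -> set of registered passkey ids
        self.sessions = {}   # session id -> {"sub", "method", "step_up_at"}

    def _vc_ok(self, vc, need_biometric=False):
        # vc["verified"] stands in for the verifier's signature and status checks.
        if vc.get("verified") is not True or vc.get("issuer") not in TRUSTED_ISSUERS:
            return False
        return vc.get("biometric_match") is True or not need_biometric

    def login_with_vc(self, sid, vc):
        if not self._vc_ok(vc):
            return False
        self.passkeys.setdefault(vc["subject"], set())  # account created on first use
        self.sessions[sid] = {"sub": vc["subject"], "method": "vc", "step_up_at": None}
        return True

    def register_passkey(self, sid, passkey_id):
        s = self.sessions.get(sid)
        if s is None or s["method"] != "vc":  # only after a VC-authenticated login
            return False
        self.passkeys[s["sub"]].add(passkey_id)
        return True

    def login_with_passkey(self, sid, subject, passkey_id, assertion_ok):
        if not assertion_ok or passkey_id not in self.passkeys.get(subject, set()):
            return False
        self.sessions[sid] = {"sub": subject, "method": "passkey", "step_up_at": None}
        return True

    def step_up(self, sid, vc, now=None):
        s = self.sessions.get(sid)
        if s is None or vc.get("subject") != s["sub"] or not self._vc_ok(vc, True):
            return False
        s["step_up_at"] = time.time() if now is None else now
        return True

    def can_access_restricted(self, sid, now=None):
        s = self.sessions.get(sid)
        now = time.time() if now is None else now
        return bool(s) and s["step_up_at"] is not None and 0 <= now - s["step_up_at"] <= STEP_UP_MAX_AGE
```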

The future of identity is here! A future where credential breaches and identity theft are a thing of the past. Passkeys make login effortless and VCs make identity verifiable. Smart organisations aren’t choosing between them—they’re benefiting from the partnership of both and they’re eliminating insecure modes of authentication. Truly protecting their users.

Matt McInnes

Head of Implementation

Matt has 20+ years' experience in digital transformation, both as a CIO/CTO and consultant. He has led digital transformation of a major timber and hardware supplier. Matt has held multiple Partner, Principal and Senior consulting positions, focusing on digital transformation across industries like health, telco, and government.

