The FIDO Alliance's 2025 consumer survey found that 69% of consumers have now enabled passkeys on at least one account. That single data point changes everything about how financial institutions should frame the internal business case for passwordless authentication — and it shifts the CFO conversation from "will users adopt?" to "why haven't we deployed yet?"
For the past several years, the business case for passkeys inside financial institutions has had a frustrating structural problem. The technology was compelling. The security story was airtight. The regulatory tailwinds were building. But every boardroom conversation eventually hit the same wall: will our customers actually use this?
That was a fair question. Passkeys were new. Behavioral change is hard. And financial services, more than most industries, has legitimate reason to think carefully about any change that sits between a customer and their money.
But the conversation has moved. According to the FIDO Alliance's 2025 Consumer Survey, 69% of consumers have now enabled passkeys on at least one account. That number represents a crossing of a threshold that shifts the nature of the internal debate. The adoption question has largely been answered. What remains is an execution question — and that's the kind of problem CFOs are built to solve.
Adoption data can be misleading. Awareness metrics, intent surveys, and "would you use this?" polls routinely overstate actual behavioral change. The 69% figure from the FIDO Alliance's annual consumer research is notable precisely because it measures actual enablement — consumers who have gone through the process of setting up passkeys on a real account, not theoretical willingness.
That's a meaningful distinction. When a majority of consumers have already completed the passkey enrollment flow on at least one service, they arrive at your institution with prior experience. The friction of education, the hesitation around something unfamiliar, the support call explaining "what is a passkey?" — all of that is materially lower than it was two years ago.
For financial institutions that have been waiting for the market to mature before committing to a full passkey deployment, the market has arrived. The remaining question isn't whether to build for a future state — it's whether you're behind the curve on a present one.
CFOs are trained to be skeptical of technology investments that rest on behavioral assumptions. That skepticism has historically been well-placed in the authentication space, where the graveyard of "frictionless" solutions is deep and well-populated. Biometrics that required specialized hardware. Mobile-first flows that excluded large customer segments. Passwordless pilots that quietly reverted to fallback SMS OTP because completion rates were too low to justify the investment.
The CFO objection to passkeys, stated plainly, has always been: this sounds compelling in theory, but what's the evidence that real users will change their behavior?
The 69% figure is the most direct answer that has ever existed to that question. It comes from a credible, independent source — the FIDO Alliance, the standards body that maintains the passkey specification — and it reflects consumer behavior at scale across actual services, not a controlled pilot environment.
That doesn't make the business case automatic, but it does change the structure of the CFO conversation. You are no longer asking for investment on the basis of projected future adoption. You are asking for investment to deploy a technology that the majority of your customer base has already used somewhere else. That is a fundamentally different proposal — and a considerably easier one to underwrite.
Even with strong consumer adoption data, there are legitimate questions a CFO will and should raise. Here's how each one has evolved.
Objection one: What about customers who haven't enabled passkeys? The 69% figure means roughly three in ten consumers haven't enabled passkeys anywhere yet. In a financial services context, those customers tend to skew toward demographics that may be less comfortable with device-based authentication. This is a real consideration — but it's an argument for thoughtful rollout design, not for deferral. Modern passkey deployments support progressive enrollment, where customers are guided toward passkeys at natural moments in their journey without being forced to abandon familiar fallbacks immediately. The remaining 31% does not represent a deployment blocker; it represents a cohort that needs a slightly different onboarding path.
Objection two: What about our legacy authentication infrastructure? Most financial institutions have authentication infrastructure that was built over years or decades, and the integration path for passkeys is not trivial. This remains true. But the calculus has changed: the cost of integration is a one-time investment made against a standard — FIDO2 and WebAuthn — that has now achieved mainstream consumer familiarity. The cost of not integrating is ongoing: fraud losses, customer friction, and regulatory exposure as mandates around strong authentication multiply across markets. Framing the infrastructure investment as a trailing cost of the status quo, rather than a leading cost of a future state, often changes how CFOs evaluate it.
Objection three: What's the return timeline? Authentication ROI is notoriously hard to quantify cleanly because the benefits span multiple categories — fraud reduction, support cost reduction, conversion rate improvement on critical flows, and regulatory compliance cost avoidance. CFOs want a model, not a narrative. The honest answer is that the model will look different for every institution, depending on their current fraud exposure, their support ticket volume attributable to authentication failures, and their existing password reset and step-up authentication infrastructure costs. But the directional evidence from institutions that have deployed passkeys at scale is consistent: authentication-related fraud decreases, password reset volumes drop, and customer satisfaction with authentication improves. Those are real line items that exist in your institution's ledger today, and they provide the starting point for a credible business case.
A CFO approving a passkey deployment isn't just approving a technology investment. They're approving a change to a customer-facing control that sits on the critical path of every login, every transaction authorization, and every account recovery. That's a risk decision as much as a financial one, and it needs to be framed accordingly.
The most effective internal business cases for passkey deployments tend to share a few structural characteristics. They don't lead with the technology — they lead with the problem. Authentication-related fraud is a real and growing cost center. Password resets and step-up authentication flows consume support resources at scale. Regulatory requirements around strong authentication are multiplying, and the cost of compliance through legacy methods is rising. Passkeys address all three of these problems simultaneously, and the 69% adoption figure means the implementation risk — the risk that customers won't use it — is now demonstrably lower than it has ever been.
The second structural element that resonates with CFOs is phased execution. Full passkey deployment across a complex financial institution is not a single project — it's a program with distinct phases: pilot, expand, transition, and rationalize legacy. Each phase has defined success metrics. Each phase validates assumptions before the next investment is made. That structure transforms a large uncertain commitment into a series of smaller, evidence-based decisions, which is exactly how sound capital allocation works.
The CFO conversation doesn't happen in isolation. It happens alongside conversations with the CISO about the fraud and security posture, with the CTO about integration architecture, and with product leadership about the customer experience implications. What the 69% figure does for all of those conversations is the same thing it does for the CFO conversation: it removes the largest source of uncertainty from the equation.
When the primary risk of a technology investment is "we don't know if customers will use it," and credible data arrives that resolves that uncertainty, the entire risk profile of the decision shifts. The remaining risks — integration complexity, support readiness, edge case handling — are the ordinary operational risks that financial institutions manage well every day.
For organizations that have been waiting for the right moment to move, the FIDO Alliance's 2025 data is a reasonable marker. The consumer readiness that the adoption argument required has arrived. The regulatory pressure that justifies the investment is building. The fraud costs that define the opportunity are not going down. The window for being an early mover rather than a follower is narrowing.
There is a competitive dimension to this that doesn't always surface in internal business case discussions but belongs in the CFO conversation. When 69% of consumers have enabled passkeys somewhere, the financial institutions that offer passkey authentication have a differentiated capability that many others don't yet match. That window won't stay open indefinitely — as more institutions deploy, the advantage shifts from differentiation to table stakes. The institutions that move earliest capture the benefit of differentiation, build operational expertise ahead of the market, and position themselves as leaders on a capability that customers increasingly expect.
For a CFO evaluating timing, the question isn't "is now the right time?" The question is "what evidence would I need to see to justify moving, and does this represent it?" For most well-run financial institutions, 69% consumer adoption is a reasonable answer.