HYPR has released its sixth annual State of Passwordless Identity Assurance report, presenting next chapter in enterprise identity security: the "Age of Industrialization." Commissioned by HYPR and produced by 451 Research from S&P Global Energy Horizons, the report argues that enterprises are moving beyond simple awareness of identity risk and into the harder work of operationalizing identity security across the business. Based on a survey of 950 global IT security decision-makers conducted in November 2025, the findings suggest organizations now better understand the threat landscape, but many have yet to turn that understanding into enterprise-wide execution.
Report highlights include:
-
The majority of organizations (87%) have encountered audio or video deepfakes in identity-based attacks.
-
Despite passkey literacy surging to 64%, enterprise-wide adoption remains stalled at 43% as businesses consider deployment considerations and UX.
-
FIDO passkeys are the gold standard by 64% of leaders (up from 40%)
-
65% of attacks are detected within hours, but AI automation allows data theft before manual intervention.
-
While 65% of enterprises report using IDV in some form, deployment is typically limited to less than a quarter of the workforce, suggesting that use cases remain siloed.
AI-Driven Identity Attacks Hit Enterprise Scale
The report's clearest message is that AI has fundamentally changed the pace and scale of identity attacks. For the first time in the study's history, generative AI and agentic AI ranked as the top identity-specific security concerns, overtaking stolen or compromised credentials. Among surveyed organizations, 43% said AI-driven tactics were the most significant change in the attack landscape over the last year, and nearly 40% said they had experienced a GenAI-related security incident in the past 12 months. Personalized phishing emails were the most common AI-enabled threat, cited by 65% of respondents who had dealt with AI-based attacks.
Deepfakes have also moved from a future concern to a current enterprise challenge. The report found that 87% of organizations hit by AI-based attacks had encountered some form of deepfake, including prerecorded video, live audio, manipulated video calls, altered images or cloned voice messages. HYPR's conclusion is that attackers are not simply inventing new methods; they are industrializing familiar ones such as phishing, ransomware and impersonation by making them faster and easier to scale. Even as detection improves, the time to respond remains tight: 65% of recent identity-based or AI attacks were detected within hours, yet the report warns that attackers can still steal credentials and begin accessing data before manual intervention can make a meaningful difference.
Passkeys Gain Ground, but Rollouts Stay Uneven
On the defense side, the report points to a stronger understanding of phishing resistance and passwordless authentication. For the first time, FIDO passkeys emerged as the most widely identified phishing-resistant authentication method, at 64%, up from 40% in 2025. Hardware keys and smartcards also posted notable gains, suggesting that security leaders are becoming more precise about what modern, phishing-resistant authentication actually means. That matters because clearer technical understanding is often the first step toward broader implementation.
Still, adoption has not caught up with awareness. Usernames and passwords remain the dominant authentication method for 76% of respondents, while enterprise passwordless deployment sits at 43%. HYPR describes that as a pause rather than a retreat: nearly one-third of organizations have passwordless pilot projects underway, and another 28% plan rollouts within the next two years. The barriers are practical rather than philosophical. Cost and budget constraints were cited by 40% of respondents, while 32% pointed to the challenge of supporting legacy applications. In short, the report suggests the market no longer needs to be convinced that passwordless works; it needs help scaling it cleanly across real-world infrastructure.
Identity Verification Moves to Center Stage
Identity verification, or IDV, is another area where the numbers point to growing urgency. Nearly two-thirds of organizations, 65%, now use IDV in some form, making it one of the most widely deployed identity technologies in the survey. Yet HYPR argues that IDV is still being used too narrowly. On average, it reaches just 28% of employees and is most often limited to specific moments such as account creation, high-risk transactions, and credential reset or recovery. The result is a fragmented approach in which enterprises strengthen a handful of high-risk checkpoints without extending the same level of assurance across the broader employee life cycle.
That fragmentation extends to budgeting and ownership. Increased budget and investment was the most common response to a breach, cited by 59% of respondents, showing that many organizations still spend on identity security after the damage is done. At the same time, ownership of emerging risks remains split across HR, IT, IAM and security teams, making enterprise-wide execution harder to achieve. That tension sits at the heart of HYPR's latest report: the industry has moved beyond awareness, but resilience now depends on building systems that can scale.
With the 2026 report now available at https://www.hypr.com/resources/report-state-of-passwordless, HYPR is framing this year's findings as both a warning and a roadmap.
HYPR will also host a live report briefing in the coming weeks featuring CEO Bojan Simic and VP of Product Carla Roncato, offering security leaders a closer look at what the findings mean for the future of passwordless identity assurance.