Future-proofing authentication: A look at the future of post-quantum cryptography

Christopher Harrell

Christopher Harrell

6 minute read

The path from passwords to passkeys and beyond

In a previous blog I talked about the end of passwords and the rise of passkeys, which promise stronger security and less frustration for both individuals and businesses. The global momentum behind passkeys represents one of the most exciting shifts in authentication history, but realizing their full potential worldwide and truly eliminating passwords for good requires continued innovation. That includes the need for post-quantum cryptography, and strong passkey-based solutions for encryption, signing, digital identity, and beyond.

When my colleague Alessio Di Mauro and I stepped on the keynote stage at FIDO Authenticate last week, our goal was clear: to look back at how far we’ve come and to show what’s next for passkeys in a post quantum world. During our presentation we showcased Yubico’s progress extending passkey-based authentication to include advanced, interoperable, privacy preserving, and post quantum solutions – starting with security keys (see our keynote video below).

Where we are now: FIDO gets a ‘glow up’ — passkeys

Yubico first introduced the YubiKey in 2008 with a mission to make strong, privacy-preserving authentication available to everyone, everywhere. By using asymmetric cryptography at scale, helped create a phishing-resistant authentication standard that’s both secure and simple to use. Through years of collaboration with industry partners and standards bodies, we helped evolve U2F into WebAuthn/FIDO2, bringing hardware-backed authentication to all major desktop and mobile platforms.

As the WebAuthn/FIDO standards matured, the industry began calling FIDO credentials “passkeys.” The term passkey was chosen because passkeys replace passwords in this next generation of secure authentication. 

Passkeys offer a rare combination of improved usability and stronger security than legacy MFA and passwords alone. As the creator of the first passkeys on security keys, Yubico is proud and humbled to have helped initiate and continue to drive this transformation.

What’s next: Digital identity and post-quantum prototypes in the real world

As passkeys continue to gain momentum around the world (as featured in almost every session we saw at Authenticate) what’s most exciting about the future of passkeys is not just that they are replacing passwords with one of the most secure forms of authentication available, but that they are increasingly used for encryption and securing digital identities.

On stage, we previewed a new capability that broadens passkeys beyond login to enable credential signing flows from a YubiKey inside a standards-based digital wallet. In plain English: using the same root of trust people rely on for phishing-resistant login to sign and authorize other sensitive actions. Here’s why that matters:

  • Ecosystem flexibility: Developers can build richer use cases, high-assurance experiences without reinventing the auth wheel.
  • User simplicity: Same motion, same key, more secure, and no new habits to learn.
  • Better privacy posture: Sensitive operations remain tied to a physical device the user controls.

Our co-founder Stina recently explored this in more detail by explaining how passkeys and verifiable credentials reinforce each other rather than compete. This includes Yubico’s collaboration with Sunet, GUNet, SURF, and the non-profit SIROS Foundation to develop and enhance wwWallet – the first passkey-enabled digital identity wallet for the web.

Security keys’ post-quantum future

We also demoed an early prototype of post-quantum (PQ) signatures running on a hardware security key. From a user’s perspective, it looks delightfully unremarkable: touch the device, produce a signature, continue as usual. Behind the scenes, however, the math gets more complex because it’s designed to resist potential future attacks from quantum computers. 

We emphasized a few key points on stage:

  • Standards progress is underway: FIDO, IETF, and other standards work is progressing, but there’s more to do beyond “make a signature” (think: PIN protocol, attestation, registration UX, and crypto-agile plumbing).
  • Prototype ≠ product: The PQ demo shows feasibility and performance direction, not a shipment announcement.
  • New hardware is required: PQ algorithms have bigger footprints; they don’t fit on today’s keys.

Here are a few ways these features will work in the real world:

  • High-assurance approvals: Approve sensitive or high-value action such as pushing code, initiating a wire, rotating a KMS root, or approving a zero-trust policy change by simply tapping your YubiKey
  • Privacy-preserving design: Where decryption happens matters. Keep decryption local to user-controlled devices, not in opaque cloud environments.
  • Digital identity that complements passkeys: Verifiable credentials (VCs) and passkeys aren’t competitors. Passkeys prove you control your authenticator. VCs prove something about you (employment, citizenship, license) and can do so without oversharing. The magic is that a hardware key can cleanly support both strong authentication and selective disclosure in one familiar motion.

The industry’s ongoing commitment to crypto-agility is vital. Adopting PQC across protocols and products will take time, but that’s a strength, not a weakness. Rushing crypto transitions has never ended well in security history

The big picture: Building trust in a post-quantum world

The response to our Authenticate demo was overwhelmingly positive. Many partners and attendees told us that seeing post-quantum authentication in action for the first time transformed abstract discussions into tangible reality.

Here’s what next for Yubico and the ecosystem:

  • The beta capabilities we demoed such as raw signing with privacy preserving algorithms are stabilizing and are available to a limited set of qualified testers from Authenticate.
  • The post-quantum work is prototype level. It’s tangible progress, but it’s not product-ready yet because new hardware and further standards maturity is required.
  • We will continue to enhance YubiKeys for mainstream passkey adoption and enterprise use cases, separate from PQC efforts.

Security is evolving from “prove you know a password” to “prove possession and intent,” and increasingly, “prove just enough about yourself with privacy intact.” Hardware-backed credentials remain the most dependable way to achieve that balance at scale. Our mission is to make the strongest option the easiest option across login, approvals, and identity-rich scenarios.

Thank you to everyone who joined us in person, asked hard questions afterwards, and pushed us to make the demos practical – not just technical. If you’re working on digital wallets, regulated workflows, high-value approvals, or VC systems, we’d love to hear from you. Please fill out this form and keep the feedback coming!

Talk to our teamTalk to our team

Share this article:
  • Goodbye master passwords: Dashlane and Yubico enhance credential vault encryption and login with YubiKeysAt Authenticate 2025 this week, the world’s leading experts on modern authentication and securing digital identities gathered, to discuss the future of secure authentication and achieving usable security across the account lifecycle. The message was clear: the future of phishing-resistant authentication is using passkeys for encryption, and the gold standard is device-bound passkeys – YubiKeys. […]Read morecredential vault encryptioncredential vault loginDashlanepartnerpasskey encryptionPRF
  • Piloting Europe’s future ID: Passkeys securing digital walletsOver the last several years, passkeys have become ubiquitous. They are available on every mobile platform, in every leading browser, as part of all major enterprise IAM solutions, and in most major cloud services. Until wwWallet came along, the only place where passkeys hadn’t yet made an impact is in the rapidly developing world of […]Read moredigital identity walletspasskeysSIROSwwWallet
  • We’re excited for what’s to come – meet us in-person to find out whyIt’s been a busy year for our team, filled with exciting company and product updates aimed at better serving our customers and helping them achieve cyber resilience as AI-driven phishing threats continue evolving globally. Between industry award recognitions and key new executive leadership hires to lead Yubico to its next stage of growth and a […]Read more
  • Yubico LogoYubico liefert PIN-Verbesserungen mit dem neuen YubiKey 5 – Verbesserte PIN-SchlüsselTo prepare for continuously evolving cyber threats, governments around the world are adapting and updating authentication requirements for online services which directly impact thousands of organizations and their employees. While there’s currently no universal regulation for more robust multi-factor authentication (MFA), the need is highlighted across a range of requirements including PSD2, GDPR, and the […]Read moreYubiKey