"Deploy passkeys, remove passwords, strengthen account recovery—then you'll have phishing-resistant accounts." We believed this. Mercari's implementation proved us wrong.
Complaints about being locked out after passkey registration went viral. Product managers stopped promoting passkeys. The reality: security motivation alone doesn't create phishing-resistant accounts. You must put users first.
We built two strategies. Self-service recovery with strong identity proofing lets users recover locked accounts themselves. Risk-based passkey enforcement adjusts requirements dynamically—allowing phishable fallbacks for trusted sessions, blocking them for suspicious ones.
The key is controlling risk thresholds. Baseline thresholds evolve with passkey maturity—platform support, device compatibility, user acceptance. When attacks surge, we raise the thresholds temporarily.
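The risk-based enforcement described above, as an added illustration that is not Mercari's code and is not drawn from the session: a small policy engine in which a baseline strictness derived from passkey maturity, plus a temporary surge override that expires on its own, decides per session whether a phishable fallback may be used. All signal weights, the maturity curve, the `SessionSignals` fields and the `IDENTITY_PROOFING` outcome (routing users who have no passkey on file to the self-service recovery flow instead of locking them out) are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Decision(Enum):
    FALLBACK_ALLOWED = "phishable fallback (e.g. SMS OTP) permitted"
    PASSKEY_ONLY = "passkey required; phishable fallbacks blocked"
    IDENTITY_PROOFING = "no passkey on file; route to self-service recovery with identity proofing"


@dataclass(frozen=True)
class SessionSignals:
    """Hypothetical risk signals for one login attempt (constructed for this example)."""
    known_device: bool
    ip_matches_history: bool
    recent_failed_logins: int
    days_since_last_login: int
    has_passkey: bool


def risk_score(s: SessionSignals) -> int:
    """Weighted sum of risk signals, clamped to 0..100. Weights are illustrative assumptions."""
    score = 0
    if not s.known_device:
        score += 40
    if not s.ip_matches_history:
        score += 20
    score += min(s.recent_failed_logins, 5) * 8
    if s.days_since_last_login > 90:
        score += 10
    return min(score, 100)


def baseline_strictness(passkey_coverage: float) -> int:
    """Baseline strictness (0..100) grows with passkey maturity, modelled here as the
    fraction of active users holding a passkey on a supported platform. Assumed curve."""
    if not 0.0 <= passkey_coverage <= 1.0:
        raise ValueError("coverage must be a fraction in [0, 1]")
    return int(round(20 + 50 * passkey_coverage))


@dataclass
class EnforcementPolicy:
    strictness: int                              # baseline strictness from maturity
    surge_bonus: int = 0                         # temporary extra strictness during an attack wave
    surge_expires_at: Optional[datetime] = None

    def raise_for_surge(self, bonus: int, duration: timedelta, now: datetime) -> None:
        """Temporarily tighten enforcement. The bonus lapses by itself, so a forgotten
        override cannot keep fallback-only users locked out indefinitely."""
        self.surge_bonus = bonus
        self.surge_expires_at = now + duration

    def effective_strictness(self, now: datetime) -> int:
        if self.surge_expires_at is not None and now < self.surge_expires_at:
            return min(self.strictness + self.surge_bonus, 100)
        return self.strictness

    def block_threshold(self, now: datetime) -> int:
        """Risk score at or above which phishable fallbacks are blocked."""
        return 100 - self.effective_strictness(now)

    def decide(self, s: SessionSignals, now: datetime) -> Decision:
        if risk_score(s) < self.block_threshold(now):
            return Decision.FALLBACK_ALLOWED
        return Decision.PASSKEY_ONLY if s.has_passkey else Decision.IDENTITY_PROOFING


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    policy = EnforcementPolicy(strictness=baseline_strictness(0.4))  # 40% coverage -> threshold 60
    moderate = SessionSignals(True, False, 2, 100, True)              # risk 46
    print("baseline:", policy.decide(moderate, now).name)            # FALLBACK_ALLOWED
    policy.raise_for_surge(bonus=30, duration=timedelta(hours=6), now=now)
    print("during surge:", policy.decide(moderate, now).name)        # PASSKEY_ONLY
    print("after surge:", policy.decide(moderate, now + timedelta(hours=7)).name)
```

The point of the shape is that the two knobs the abstract names are separate: the maturity-driven baseline changes slowly and deliberately, while the surge override is short-lived by construction, so the same moderately risky session is served a fallback in calm conditions and forced onto a passkey while an attack wave is running.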
What does it take to make phishing resistance work at scale? Not just technology. Not just policy. This session shares real data from millions of users: why passkey-only approaches are challenging, how dynamic controls adapt to both threats and user readiness, and what sustainability actually looks like when you can't sacrifice accessibility.