We trace the evolution of how users have verified their identities online, i.e. online authentication, We shine a spotlight on the anchor role historically played by the mobile phone. This immediately leads us to address the challenge of account recovery when a primary mobile device is lost. We analyze scenarios including "Self-sovereign" techniques like facial biometrics, physical Security Keys, or Recovery Codes, as well as third-party solutions such as credential managers with passkeys or trusted social recovery. While current third-party methods often rely on phone numbers and government IDs for final verification, we predict the inevitable move towards a more secure, privacy-focused alternative: leveraging digital credentials to recover accounts and verify identity at participating websites using government-issued identification. When more developers join this community, we empower user accounts with more verified Real World identity data, which unblocks agentic use cases to truly personalize and act on behalf of the user. The talk concludes by discussing how digital credentials and passkeys can empower user-authorized agents to present intent mandates, ensuring online services provide appropriately scoped access.