Passkeys improve security by reducing phishing and secret theft, but IAM governance is still required because identity risk moves to enrollment, device trust, and recovery. If those processes are weak, the organisation can still suffer account takeover through the path around the passkey rather than through the passkey itself.
Why This Matters for Security Teams
Passkeys remove a major phishing and secret-theft path, but they do not remove identity governance. Security teams still have to control who can enroll a passkey, which device is trusted, how recovery is performed, and what happens when a credential is lost, cloned, or reset. NIST Cybersecurity Framework 2.0 makes the broader point that identity assurance depends on the full lifecycle, not a single authentication method.
This matters because attackers often bypass the strongest factor by targeting the weak process around it. If an enrollment workflow accepts weak verification, or a help desk can replace a credential without strong proofing, the organisation has merely shifted risk from password theft to account recovery abuse. That is why NHIMG’s Top 10 NHI Issues is still relevant here: credential strength alone does not create governance.
In practice, many security teams encounter passkey abuse only after a recovery path or device-trust gap has already been used to take over the account.
How It Works in Practice
Effective passkey governance treats the passkey as one control point inside a larger IAM process. The goal is to ensure the organisation can answer three questions at any moment: who enrolled the passkey, on what device, and under what assurance level. That means pairing passkeys with policy for enrollment, device binding, revocation, step-up authentication, and break-glass recovery. The Ultimate Guide to NHIs in Lifecycle Processes is useful here because it frames identity control as a lifecycle problem, not just a login problem.
At a practical level, teams should:
- Require strong identity proofing before initial passkey enrollment.
- Bind passkeys to managed devices where possible, and monitor unmanaged device exceptions.
- Protect recovery channels with separate controls, such as supervised help desk workflows or secondary assurance.
- Revoke or re-verify trust after device loss, replacement, or compromise.
- Log enrollment, recovery, and admin changes so anomalous identity events are detectable.
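The last bullet is where most of these controls become verifiable. As an added example (not code from the original page or any product it cites), the script below runs three of the checks above over a constructed JSON-lines identity audit log: enrollment without recorded proofing, enrollment on an unmanaged device with no exception record, and enrollment shortly after an unsupervised help-desk recovery. The field names and the one-hour window are assumptions for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed JSON-lines identity audit log (sample data, not from any real
# IdP or help-desk system); the field names are assumptions for this example.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:00","user":"alice","type":"passkey_enroll","device_managed":true,"proofing":"in_person"}
{"ts":"2024-05-01T10:15:00","user":"bob","type":"helpdesk_recovery","actor":"helpdesk-7","supervised":false}
{"ts":"2024-05-01T10:22:00","user":"bob","type":"passkey_enroll","device_managed":false,"proofing":null}
{"ts":"2024-05-01T11:00:00","user":"carol","type":"passkey_enroll","device_managed":false,"proofing":"video","exception_ticket":"EXC-123"}
"""

# Enrollment this soon after an unsupervised help-desk recovery is treated as suspicious.
RECOVERY_WINDOW = timedelta(hours=1)

def find_anomalies(log_text: str) -> list:
    """Return (user, reason) pairs for enrollments that violate the governance checks."""
    findings = []
    last_recovery = {}  # user -> (timestamp, supervised?)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["type"] == "helpdesk_recovery":
            last_recovery[user] = (ts, bool(ev.get("supervised")))
            continue
        if ev["type"] != "passkey_enroll":
            continue
        # Check 1: initial enrollment must be preceded by recorded identity proofing.
        if not ev.get("proofing"):
            findings.append((user, "enrollment without identity proofing"))
        # Check 2: an unmanaged device is only acceptable with a recorded exception.
        if not ev.get("device_managed") and not ev.get("exception_ticket"):
            findings.append((user, "unmanaged device without exception record"))
        # Check 3: enrollment shortly after an unsupervised help-desk recovery.
        rec = last_recovery.get(user)
        if rec and not rec[1] and ts - rec[0] <= RECOVERY_WINDOW:
            findings.append((user, "enrollment within 1h of unsupervised recovery"))
    return findings

if __name__ == "__main__":
    for user, reason in find_anomalies(SAMPLE_LOG):
        print(f"{user}: {reason}")
```

Only bob is flagged: his passkey was enrolled seven minutes after an unsupervised recovery, on an unmanaged device, with no proofing recorded, which is exactly the path around the passkey described above.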
Passkeys also fit into zero-trust thinking: the authenticator improves assurance, but access should still be continuously evaluated against user risk, device posture, and session context. NIST’s identity guidance and the Regulatory and Audit Perspectives section both reinforce that auditability matters when proving the control is actually working. These controls tend to break down in high-volume support environments where help desk overrides, shared devices, or inconsistent enrollment standards make recovery the easiest path in.
Common Variations and Edge Cases
Tighter passkey governance often increases support friction, so organisations have to balance user convenience against the risk of silent account recovery abuse. Current guidance suggests that this tradeoff is acceptable when the account protects sensitive data, admin access, or high-value transactions.
There is no universal standard for passkey recovery yet, which means implementations vary widely. Some environments allow cloud-synced passkeys across devices, while others require device-attested hardware-backed keys. In regulated or audit-heavy environments, governance usually needs to be stricter than the consumer model, because a synced passkey is not the same as a managed enterprise credential. Where the risk is higher, teams should prefer explicit approval flows and strong device management over convenience.
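The synced-versus-device-bound distinction is visible at registration time in the WebAuthn authenticator data: the BE (backup eligible) and BS (backup state) flag bits mark a credential that can be synced, and the AAGUID identifies the authenticator model. As an added example (not code from the original page or any relying-party library), the following parses those fields and applies an enrollment policy that rejects synced passkeys and non-allowlisted authenticators for high-assurance accounts. The AAGUID allowlist value is a constructed placeholder, and the full registration ceremony (challenge, origin and attestation-signature checks) is out of scope here.

```python
import hashlib
import struct

# WebAuthn authenticator-data flag bits (WebAuthn Level 3, section 6.1).
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS, FLAG_AT = 0x01, 0x04, 0x08, 0x10, 0x40

# Assumed allowlist of AAGUIDs for the organisation's managed hardware
# authenticators; the value below is a constructed placeholder, not a real AAGUID.
MANAGED_AAGUIDS = {bytes.fromhex("11111111222233334444555566667777")}

def parse_authenticator_data(data: bytes) -> dict:
    """Parse rpIdHash, flags, signCount and (if AT is set) the attested credential data."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    flags = data[32]
    out = {"rp_id_hash": data[:32], "flags": flags,
           "sign_count": struct.unpack(">I", data[33:37])[0],
           "user_verified": bool(flags & FLAG_UV),
           "backup_eligible": bool(flags & FLAG_BE),
           "backed_up": bool(flags & FLAG_BS), "aaguid": None}
    if flags & FLAG_AT:
        out["aaguid"] = data[37:53]
        cred_len = struct.unpack(">H", data[53:55])[0]
        out["credential_id"] = data[55:55 + cred_len]  # COSE public key follows; not parsed here
    return out

def enrollment_decision(data: bytes, rp_id: str, high_assurance: bool) -> str:
    """Apply the enrollment policy; returns 'allow' or 'deny: <reason>'."""
    ad = parse_authenticator_data(data)
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return "deny: rpIdHash mismatch"
    if not ad["user_verified"]:
        return "deny: user verification not performed"
    if ad["aaguid"] is None:
        return "deny: no attested credential data"
    if high_assurance:
        if ad["backup_eligible"]:
            return "deny: synced passkey not allowed for high-assurance accounts"
        if ad["aaguid"] not in MANAGED_AAGUIDS:
            return "deny: authenticator not on managed allowlist"
    return "allow"

def make_authenticator_data(rp_id: str, flags: int, aaguid: bytes) -> bytes:
    """Construct sample authenticator data for testing (constructed input, COSE key omitted)."""
    cred_id = b"\x01" * 16
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags | FLAG_AT])
            + struct.pack(">I", 0) + aaguid + struct.pack(">H", len(cred_id)) + cred_id)
```

For standard accounts the same function still records whether the credential is backup-eligible, so a later review can tell a synced consumer passkey from a managed enterprise one.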
For a broader picture of where identity controls fail around secrets and delegated access, NHIMG’s State of Non-Human Identity Security shows why lifecycle controls and visibility remain critical even when the credential itself is stronger. That same governance logic applies to passkeys: reducing phishing is valuable, but it does not eliminate the need for policy, review, and recovery discipline.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-1 | Passkey assurance still depends on identity proofing and enrollment governance. |
| NIST SP 800-63 | IAL/AAL | Passkeys improve AAL, but recovery and device binding still require identity assurance. |
| NIST Zero Trust (SP 800-207) | SA | Device trust and continuous verification are central to passkey governance in Zero Trust. |
Set enrollment, authenticator, and recovery requirements at the assurance level the account needs.