Subscribe to the Non-Human & AI Identity Journal

Passkey Provenance Drift

Passkey provenance drift is the loss of clarity about where an authentication credential exists, which devices may use it, and who controls the recovery path. It is an identity governance issue because assurance depends on knowing the credential’s true trust boundary.

Expanded Definition

Passkey provenance drift describes the governance gap that appears when an organisation can no longer answer basic custody questions about a passkey: which device enrolled it, which devices can still use it, whether a synced copy exists, and who can approve recovery. The issue matters because passkeys are designed to reduce phishing and password reuse, but their assurance depends on a known trust boundary. When that boundary becomes unclear, the credential may remain technically valid while its administrative ownership becomes ambiguous.

In NHI security, this is not just an endpoint hygiene issue. It is an identity lifecycle problem that intersects with enrollment, device trust, recovery workflows, and offboarding. The concept aligns with the governance emphasis in NIST Cybersecurity Framework 2.0, especially where asset visibility and access control must remain current. Industry usage is still evolving because passkeys may be device-bound, synced across ecosystems, or recovered through enterprise-managed processes, and definitions vary across vendors. The most common misapplication is treating passkey sync as harmless convenience, which occurs when recovery and device enrollment are not tracked as part of identity governance.

Examples and Use Cases

Implementing passkey provenance rigorously often introduces operational friction, requiring organisations to weigh stronger assurance against more detailed lifecycle tracking and recovery controls.

  • A help desk approves a new phone-based recovery path, but the original registered laptop remains active, leaving two devices with unclear authority over the same passkey.
  • An employee changes devices during travel and uses cloud sync to restore the passkey, but the security team has no inventory evidence of where the credential now exists.
  • A contractor leaves the company, yet a recovery code and synced passkey remain available on a personal device, creating a lingering trust boundary after offboarding.
  • An incident response team reviews an account takeover and discovers that the credential was never stolen in the usual sense, but its provenance was lost across enrolment, sync, and recovery steps.
  • The pattern is visible in the Salesloft OAuth token breach, where unclear token custody and access paths amplified the blast radius; the same governance failure mode can emerge with passkeys when recovery paths outrun control.

Passkey provenance drift is especially relevant in environments that mix mobile enrollment, browser-based authentication, and enterprise device management. It also overlaps with standards discussions around phishing-resistant authentication in the NIST Cybersecurity Framework 2.0, even though no single standard yet fully defines provenance drift itself.

Why It Matters in NHI Security

Passkey provenance drift becomes dangerous when teams assume the presence of a passkey equals continued control of that passkey. In reality, synced credentials, unmanaged recovery channels, and device replacement can create hidden forks in authority. That undermines Zero Trust assumptions, weakens revocation confidence, and complicates investigations because the organisation cannot quickly determine whether a credential is still confined to an approved trust boundary. NHI Mgmt Group research shows that only 5.7% of organisations have full visibility into their service accounts, a visibility gap that mirrors the same control problem when passkeys are treated as one-time enrollment artifacts instead of governed identities.

This issue also affects resilience planning. When provenance is unclear, incident response teams may revoke the wrong device, miss a recovery path, or leave an authenticated session active after a user departs. The result is not just authentication sprawl but degraded accountability across the entire identity lifecycle. Organisations typically encounter this consequence only after a device loss, account takeover, or recovery abuse event, at which point passkey provenance drift becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207), NIST SP 800-63 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC Passkey provenance drift is an access control and visibility problem in identity governance.
NIST Zero Trust (SP 800-207) Zero Trust depends on continuously knowing which device and path can assert a credential.
NIST SP 800-63 Digital identity guidance informs assurance around authenticators and recovery procedures.
OWASP Non-Human Identity Top 10 NHI-01 Credential lifecycle ambiguity maps to NHI governance and identity ownership weaknesses.
NIST AI RMF AI systems that rely on passkey-backed operator access need governed identity assurance.

Treat passkey enrollment, sync, and recovery as dynamic trust signals requiring continuous validation.