TL;DR: FIDO2 authentication replaces shared-secret passwords with public-key challenge-response, but its security still depends on device lifecycle, loss handling, and user adoption, according to Axiad. The case for passwordless is stronger than most passwordless rollouts, because the benefit only holds when identity teams govern devices as first-class authenticators rather than as a login convenience.
At a glance
What this is: FIDO2 authentication uses public-key cryptography and a user-held device to replace password-centric sign-in with challenge-response authentication.
Why it matters: Passwordless programmes still fail when device governance, recovery, and offboarding are weak across human and non-human identity workflows.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
👉 Read Axiad's explanation of FIDO2 authentication and passwordless deployment
Context
FIDO2 authentication is a passwordless sign-in method built on public-key cryptography, where a device holds the private key and the service validates a signed challenge with the public key. For IAM teams, the practical question is not whether the cryptography is sound, but whether identity governance can manage device enrolment, recovery, loss, and revocation with the same discipline used for other authenticators.
The security model changes the failure mode rather than eliminating it. Password theft is reduced, but the trusted device becomes the control point, which means endpoint handling, mobile device management, and user offboarding now sit inside the authentication model. That shift is familiar to NHI programmes, where credential value follows lifecycle control rather than the label on the credential.
Key questions
Q: How should security teams roll out FIDO2 authentication without weakening account recovery?
A: Security teams should treat enrolment, replacement, and recovery as controlled identity events. Keep the same assurance level for account recovery that you require at initial registration, remove weak support desk shortcuts, and test loss scenarios before production rollout. FIDO2 only improves security if the fallback path does not reintroduce password-era abuse.
Q: When does passwordless authentication create new governance risk?
A: Passwordless creates governance risk when the device becomes the new single point of trust but its lifecycle is not managed. If enrolment, revocation, replacement, and termination are unclear, the organisation may eliminate password exposure while preserving weak recovery and offboarding paths. The control failure moves; it does not disappear.
Q: What do teams get wrong about FIDO2 and MFA?
A: Teams often assume that phishing-resistant authentication ends the IAM problem. In practice, it only changes the control surface. Access reviews, help desk proofing, endpoint trust, and offboarding still govern whether the authenticator remains trustworthy across its full lifecycle.
Q: Who is accountable when a lost authenticator is used to regain access?
A: Accountability sits with the teams that own identity recovery, endpoint trust, and help desk policy, not just the user. If a lost key or phone can be rebound through a weak manual process, the organisation has failed to govern the trust chain around the authenticator. NIST SP 800-63 is the right reference point: SP 800-63A for identity proofing and SP 800-63B for authenticator binding, loss, theft, and replacement.
Technical breakdown
Public-key challenge-response in FIDO2 authentication
FIDO2 uses asymmetric cryptography to avoid shared secrets at login. The service sends a fresh random challenge, the authenticator signs it with a private key stored on the user's device, and the service verifies the signature with the public key recorded at registration. Two properties do the security work: the challenge is single-use, so a captured assertion cannot be replayed, and the client binds the origin and relying-party identifier into the signed data, so an assertion produced on a look-alike site fails verification at the real one. Because the private key never leaves the authenticator, there is no shared secret for an attacker to steal from the server or phish from the user. The protocol still depends on registration integrity, trusted attestation in some deployments, and secure binding between the credential and the account record.
Practical implication: treat FIDO2 enrolment as an identity lifecycle event, not a user convenience step.
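The exchange described above, worked through as an added example that is not part of the original Axiad or NHIMG material: a self-contained Go simulation of the WebAuthn assertion ceremony, with the authenticator, the browser and the relying party all modelled in one process using ECDSA P-256 from the standard library. The relying-party ID bank.example, the origins, and every type and function name are constructed for illustration. Two simplifications are assumptions, not protocol behaviour: the browser derives the RP ID directly from the origin host (real browsers apply a registrable-suffix rule), and the signature counter is left at zero.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
)

// Authenticator models the user-held device: the P-256 private key lives here and never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// Assertion is what the browser returns. AuthData = SHA-256(rpId) || flags || 4-byte counter (counter left at zero here); Signature is ECDSA over SHA-256(AuthData || SHA-256(ClientDataJSON)).
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// RelyingParty stores only the public key from registration, issues single-use random challenges and verifies assertions; nothing secret is held server-side.
type RelyingParty struct {
	id, origin string
	pub        *ecdsa.PublicKey
	pending    map[string]bool // outstanding challenges; each may succeed at most once
}

func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// assert signs for the RP ID the browser supplies. A real authenticator would also refuse to use a credential scoped to a different RP ID; that check is omitted here (simplification).
func (a *Authenticator) assert(rpID string, clientDataJSON []byte) Assertion {
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // flags: user present; counter 0
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, clientDataJSON))
	if err != nil {
		panic(err)
	}
	return Assertion{authData, clientDataJSON, sig}
}

// BrowserGet models navigator.credentials.get(): the browser, not the web page, records the origin in clientDataJSON and derives the RP ID from it, so a look-alike site cannot claim to be the real RP.
func BrowserGet(auth *Authenticator, origin, challenge string) Assertion {
	u, _ := url.Parse(origin) // origins in this example are well-formed by construction
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	return auth.assert(u.Hostname(), cd)
}

// NewChallenge issues a fresh 32-byte random nonce and records it as outstanding.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand: documented never to fail
	c := base64.RawURLEncoding.EncodeToString(b)
	rp.pending[c] = true
	return c
}

// Verify performs the checks a WebAuthn verifier must make before accepting a login.
func (rp *RelyingParty) Verify(as Assertion) error {
	var cd map[string]string
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	want := sha256.Sum256([]byte(rp.id))
	switch {
	case cd["type"] != "webauthn.get":
		return fmt.Errorf("wrong ceremony type %q", cd["type"])
	case !rp.pending[cd["challenge"]]:
		return fmt.Errorf("unknown or already-used challenge (replay)")
	case cd["origin"] != rp.origin:
		return fmt.Errorf("origin mismatch: %s (phishing)", cd["origin"])
	case len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(want[:]):
		return fmt.Errorf("rpIdHash mismatch or malformed authenticator data")
	case !ecdsa.VerifyASN1(rp.pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature):
		return fmt.Errorf("bad signature")
	}
	delete(rp.pending, cd["challenge"]) // a challenge is consumed by one successful assertion
	return nil
}

// Scenarios runs a legitimate login, a relayed phishing attempt and a replay of the captured good assertion, returning the verifier's verdict for each (nil means accepted).
func Scenarios() (legit, phish, replay error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	auth := &Authenticator{priv}
	rp := &RelyingParty{id: "bank.example", origin: "https://bank.example", pub: &priv.PublicKey, pending: map[string]bool{}}
	good := BrowserGet(auth, "https://bank.example", rp.NewChallenge())
	legit = rp.Verify(good)
	// Attacker obtains a genuine challenge, shows it on a look-alike origin and relays the result.
	phish = rp.Verify(BrowserGet(auth, "https://bank-example.evil", rp.NewChallenge()))
	replay = rp.Verify(good) // the same bytes resent after the real login already succeeded
	return
}

func main() { fmt.Println(Scenarios()) }
```

The three verdicts show where each defence actually lives: the legitimate login passes every check; the relayed assertion fails on the origin (and would also fail on rpIdHash and, if the attacker rewrote clientDataJSON to hide the origin, on the signature), even though the challenge it carries is genuine; the replay fails because the challenge was consumed by the first successful use. None of these checks involves a secret on the server, which is exactly why the remaining risk sits in registration, recovery and device handling rather than in the ceremony itself.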
Device binding, recovery, and lost authenticator handling
The real operational risk is not cryptographic weakness but control loss around the device that holds the credential. If a key, phone, or platform authenticator is lost, stolen, or replaced, the organisation must know how to revoke access, re-bind the account, and verify the requester without falling back to weaker recovery paths. Poor recovery design often recreates the very password-reset abuse passwordless was meant to remove. In practice, authentication strength is only as strong as the recovery workflow around it.
Practical implication: document revocation and re-enrolment paths before broad FIDO2 rollout.
Why passwordless programmes still need governance controls
Passwordless reduces one class of credential compromise, but it does not remove identity governance. Access reviews, device trust, offboarding, and privileged access checks still matter because the account remains the asset, not the login method. For mixed estates, FIDO2 may coexist with passwords, OTP tokens, and other phishing-resistant authenticators such as smart cards, so the governance model must account for multiple authenticator states across humans and service workflows. That is where identity architecture, not just authentication UX, determines the outcome.
Practical implication: align passwordless rollout with access review and offboarding processes across all identity types.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Azure Key Vault privilege escalation exposure — Azure Key Vault Contributor role misconfiguration enabled privilege escalation.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Passwordless authentication shifts risk from password theft to device governance. FIDO2 makes phishing and replay harder, but it does not remove the need to manage enrolment, revocation, recovery, and lost-device handling. The governance problem moves from secret protection to authenticator lifecycle control, which IAM teams often underweight when they treat passwordless as a pure UX upgrade. Practitioners should judge passwordless by the quality of its recovery and offboarding design, not by cryptographic strength alone.
Device-bound identity creates a new control plane that must be governed like any other credential estate. Once a smartphone or hardware key becomes the factor that determines access, endpoint hygiene and identity governance converge. That means access is no longer just a directory decision; it is also a device-trust decision. The implication is that authentication programmes need stronger coordination between IAM, endpoint management, and help desk recovery processes.
FIDO2 is most effective when organisations stop thinking of it as a substitute for MFA and start treating it as part of a broader zero-trust access model. The protocol is aligned with phishing-resistant authentication, but the surrounding lifecycle controls determine whether the organisation can actually sustain that advantage at scale. This is why passwordless does not simplify governance; it relocates the governance burden to enrolment, recovery, and device state.
Identity attack surface still expands when recovery is weak. A strong authenticator can be bypassed if account recovery falls back to weaker proofing, shared support workflows, or unmanaged device replacement paths. The practical lesson is that passwordless reduces one attack path while opening scrutiny on adjacent ones, especially the processes that reissue trust when a user loses a device.
For non-human identity programmes, FIDO2 is a useful reminder that authentication strength and lifecycle governance are inseparable. Service accounts and machine credentials do not use FIDO2, but the governing principle is the same: a credential is only as safe as its issuance, rotation, and revocation model. The implication for IAM leads is to apply the same rigor to device-bound human authentication and to non-human credential estates.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- For broader lifecycle governance, see 52 NHI Breaches Analysis for how weak revocation and offboarding become breach multipliers.
What this signals
Passwordless programmes will increasingly be judged on recovery design, not only on phishing resistance. If the organisation cannot revoke, replace, and re-bind authenticators cleanly, the security benefit of FIDO2 is partly cancelled by the operational paths that restore access after loss or turnover.
Identity recovery debt: The longer teams leave informal recovery paths in place, the more they accumulate hidden trust dependencies outside the formal authentication policy. That is the same governance pattern that turns NHI sprawl into exposure, and it means IAM, endpoint, and service-account owners need a shared view of lifecycle control.
The most durable programmes will connect phishing-resistant authentication to Zero Trust Architecture and device posture controls, then measure whether offboarding actually removes trust rather than simply hiding it. The practical signal to watch is whether recovery and termination workflows can be completed without manual exception handling.
For practitioners
- Map passwordless to lifecycle controls: Define who can enrol, replace, revoke, and recover FIDO2 authenticators, and require each step to have an owner, an audit trail, and a clear approval path.
- Test loss and replacement scenarios before rollout: Simulate lost keys, stolen phones, and user termination to verify that access can be disabled and re-established without weakening proofing requirements.
- Align help desk recovery with phishing-resistant proofing: Remove fallback flows that rely on knowledge-based checks or informal manual overrides, then enforce the same assurance level used at initial enrolment.
- Coordinate IAM and endpoint governance: Connect identity records to mobile device management and endpoint trust signals so that authenticator state, device state, and access state stay in sync.
- Include passwordless in offboarding reviews: Verify that user termination removes recovery paths, secondary authenticators, and any cached trust that could be used to re-bind the account later.
Key takeaways
- FIDO2 reduces password theft risk, but the real governance challenge is controlling the device and the recovery path around it.
- Passwordless security fails when loss, replacement, and offboarding are handled with weak fallback processes that recreate old attack paths.
- IAM teams should measure passwordless success by lifecycle control quality, not just by cryptographic strength or user convenience.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63B (authentication and authenticator lifecycle management); SP 800-63A (identity proofing) | FIDO2 authenticators are phishing-resistant (verifier-impersonation-resistant) under SP 800-63B, which also sets expectations for binding, loss, theft, and replacement of authenticators; SP 800-63A governs the proofing used at enrolment and recovery. |
| NIST Zero Trust (SP 800-207) | Zero trust tenets (Section 2.1); policy decision point / policy enforcement point model | Phishing-resistant authentication feeds per-session access decisions that also weigh device posture, which is where authenticator state and endpoint state converge. |
| NIST CSF 2.0 | PR.AA-01 (identities and credentials managed); PR.AA-03 (users, services, and hardware authenticated) | Authenticator governance maps to the Identity Management, Authentication, and Access Control category, which replaced the CSF 1.1 PR.AC controls. |
Document enrolment, revocation, and recovery controls as part of identity governance.
Key terms
- FIDO2 Authentication: FIDO2 authentication is a passwordless sign-in method that uses public-key cryptography and a user-held authenticator to prove identity. The private key stays on the device, while the service verifies a signed challenge with the matching public key. Governance quality depends on enrolment, recovery, and revocation, not just on the protocol itself.
- Phishing-resistant authentication: Phishing-resistant authentication reduces the value of stolen credentials because the authenticator signs a challenge tied to the legitimate service. In practice, it makes interception and replay harder, but it does not remove the need for identity proofing, account recovery controls, and device lifecycle management.
- Authenticator lifecycle: Authenticator lifecycle is the end-to-end governance of how a credential or device is enrolled, used, replaced, revoked, and retired. For passwordless programmes, this lifecycle is the control plane that determines whether strong authentication stays strong after loss, turnover, or support intervention.
Deepen your knowledge
FIDO2 authentication, device binding, and recovery governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building passwordless controls alongside broader identity lifecycle governance, it is worth exploring.
This post draws on content published by Axiad: What is FIDO2 Authentication and How Does It Work? Read the original.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org