By NHI Mgmt Group Editorial TeamDomain: Best PracticesSource: VersasecPublished September 24, 2025

TL;DR: Passwords still drive most account compromise, and Microsoft’s Digital Defense Report says phishing causes 70% of data breaches, making hardware-backed, device-bound FIDO2 passkeys a stronger control than traditional MFA for enterprise authentication. The real challenge is not adoption alone but lifecycle governance, because passwordless credentials still need issuance, revocation, reissue, and audit discipline.


At a glance

What this is: This is an analysis of passwordless FIDO2 passkey management and the finding that device-bound passkeys reduce phishing exposure only when lifecycle controls are centralized.

Why it matters: It matters because identity teams need to treat passkeys as governed credentials, not just a better login method, or they will recreate the same lifecycle and visibility gaps that already weaken human IAM and NHI programmes.

By the numbers:

👉 Read Versasec's guidance on FIDO2 passkey management with Microsoft


Context

Passwordless authentication is not a single control, it is a change in how identity proofing and credential lifecycle are managed. In this case, the primary issue is human IAM: FIDO2 passkeys remove password reuse and reduce phishing exposure, but they also create a managed credential estate that still needs issuance, revocation, and audit controls.

The governance gap appears when organisations treat passkeys as a user experience upgrade instead of a credential management problem. Microsoft Entra ID is the operating context here, but the broader lesson is that stronger authentication only works when identity teams can govern the full lifecycle of the authenticator, not just the login event.


Key questions

Q: How should security teams govern passkeys in enterprise environments?

A: Treat passkeys as managed credentials, not as a one-time authentication upgrade. Define who can issue them, which devices qualify, how revocation works, and how audit evidence is captured. If those controls are missing, passwordless simply shifts the risk from passwords to unmanaged authenticators.

Q: Why do device-bound passkeys reduce phishing risk more effectively than passwords?

A: Device-bound passkeys keep the private key on the physical authenticator, so an attacker cannot steal or replay it from a phishing page the way they can with passwords. That makes the credential far harder to misuse remotely, provided the enterprise controls issuance and revocation.

Q: What do organisations get wrong about passwordless authentication?

A: They often focus on user convenience and ignore credential lifecycle governance. Passwordless still needs enrollment controls, replacement handling, revocation, and audit trails. Without those, organisations improve sign-in security while leaving identity administration fragmented and hard to defend during review.

Q: Who is accountable when a passkey is lost, replaced, or revoked incorrectly?

A: The accountability sits with the identity and access management function, because it owns authenticator policy, lifecycle evidence, and exception handling. If the organisation cannot show who approved the credential and when trust was removed, it does not have controlled passwordless governance.


Technical breakdown

Device-bound passkeys vs syncable passkeys

FIDO2 passkeys come in two operational patterns. Syncable passkeys can move across devices through an ecosystem account, which improves convenience but weakens enterprise control over where the credential exists. Device-bound passkeys stay tied to a physical device, and the private key never leaves that device. That makes theft through phishing materially harder because the attacker cannot extract the secret from a remote prompt or reused password database. For enterprises, the security value is strongest when the authenticator is non-exportable and the identity team can govern issuance and revocation centrally.

Practical implication: Prefer device-bound passkeys for high-risk users and define which authenticator types are permitted in policy.

Passkey lifecycle management in enterprise IAM

A passkey is still a credential, so the lifecycle does not end at enrollment. Enterprises need provisioning, replacement, PIN unblock, revocation, reissue, and retirement workflows, especially when users move roles, lose devices, or leave the organisation. Without lifecycle control, passwordless simply shifts the problem from password reset tickets to unmanaged authenticators. In regulated environments, the audit trail matters as much as the cryptographic strength because identity governance must prove who issued the credential, when it was revoked, and whether the device remained trusted throughout its use.

Practical implication: Build passkey lifecycle events into joiner-mover-leaver processes and access reviews.

Centralised management for passwordless authentication

Centralisation matters because passwordless is not just an authentication pattern, it is an operational control plane. If passkeys are issued and managed across multiple tools, the result is fragmented visibility, inconsistent policy, and weak remediation. Centralised management allows IT teams to standardise issuance, enforce policy on device types, and maintain a complete audit trail. That is particularly important in hybrid environments where passkeys and certificates may coexist on the same device. The architectural point is simple: stronger cryptography does not remove the need for identity administration, it raises the value of disciplined administration.

Practical implication: Use one control plane for issuance and revocation so policy enforcement and audit evidence stay consistent.


Threat narrative

Attacker objective: The attacker wants to turn a user login into durable account access that bypasses password and MFA defenses.

  1. Entry occurs when attackers target password-based sign-in flows or MFA prompts that can still be phished or replayed.
  2. Escalation follows when the attacker uses captured credentials or approval fatigue to reach the account despite weaker second-factor controls.
  3. Impact is account takeover, which can lead to data access, fraudulent actions, or further lateral movement through trusted identity paths.
  • Coupang Signing Key Breach — Unrevoked signing key credentials expose 33.7 million records after employee offboarding failure at Coupang.
  • MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Device-bound authentication is now a governance question, not just a cryptography question: FIDO2 passkeys reduce phishing exposure, but the operational risk moves to authenticator governance, issuance policy, and revocation discipline. A strong private key does not help if the organisation cannot prove which device owns it, who approved it, and when it was retired. Practitioners should treat passkeys as governed credentials with full lifecycle accountability.

Passwords are a human IAM liability, but passkeys do not eliminate identity administration: The control objective changes from password protection to authenticator control. That means access governance must include enrollment source, device binding, reissue triggers, and auditability across the credential’s life. Teams that stop at passwordless rollout will reduce one risk while preserving the same management failures in a new form.

Centralised passkey administration is becoming the enterprise control plane for phishing-resistant MFA: The article shows why isolated authenticator tools are not enough in real environments. When issuance, PIN recovery, revocation, and audit are split across systems, identity teams lose policy consistency and cannot explain trust decisions under review. The practitioner implication is that passwordless programmes need a management layer, not just a better factor.

Passkey programmes should be measured as identity lifecycle programmes, not adoption campaigns: The meaningful questions are how quickly credentials are revoked, whether replacements preserve policy, and whether hybrid device estates remain visible. That is the difference between reduced login risk and actual identity governance maturity. Teams should evaluate passkeys by lifecycle evidence, not by enrollment volume alone.

FIDO2 strengthens authentication, but it does not change the requirement for least privilege: A device-bound passkey can secure sign-in, yet the account behind it may still have excessive permissions. Authentication hardening and privilege governance must move together, or the attacker simply needs one successful login to reach too much authority. Practitioners should pair passwordless adoption with privilege review and access scope reduction.

From our research:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
  • For lifecycle governance across machine and human credentials, NHI Lifecycle Management Guide is the better next reference point.

What this signals

Passwordless is maturing into a governance discipline: The next phase is not broader enrollment, but tighter control over device binding, reissue, and revocation. Teams that only measure adoption will miss the operational weak points that decide whether passkeys actually reduce risk in production.

Passkey rollout will expose whether IAM and help desk processes are aligned: If a user can enroll a credential faster than the organisation can revoke it, the programme is already out of balance. That is the sort of operational mismatch identity leaders should surface early in pilot groups before expanding to privileged users.


For practitioners

  • Prioritise device-bound passkeys for high-risk accounts Set policy to favour hardware-backed, non-exportable authenticators for administrators and other sensitive users, and limit syncable passkeys where enterprise control over device state is weak.
  • Embed passkey events into identity lifecycle workflows Tie issuance, PIN recovery, revocation, and reissue to joiner-mover-leaver processes so the credential is governed from enrollment to retirement.
  • Create a single audit trail for passwordless administration Ensure the identity team can trace who approved a passkey, which device it was bound to, and when it was revoked or replaced.
  • Review privileged account scope before expanding passwordless Pair passkey rollout with privilege reduction so stronger authentication does not protect an over-permissioned account.

Key takeaways

  • Device-bound FIDO2 passkeys reduce phishing exposure, but they do not remove the need for identity governance.
  • The control problem shifts from password strength to credential lifecycle management, including issuance, revocation, replacement, and audit.
  • Organisations that adopt passwordless without central administration will modernise authentication while preserving governance gaps.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Authentication strength and credential control are central to passwordless deployment.
NIST SP 800-63SP 800-63BThis covers authenticator management for phishing-resistant login methods.
NIST SP 800-53 Rev 5IA-5Authenticator management directly applies to passkey issuance and revocation.
NIST Zero Trust (SP 800-207)Passwordless authentication supports zero trust access decisions.

Tie passkey policy to identity proofing and authentication controls across the sign-in lifecycle.


Key terms

  • Device-bound Passkey: A device-bound passkey is a phishing-resistant authenticator tied to a specific physical device. The private key stays on that device and cannot be exported for reuse elsewhere, which gives enterprises stronger control than syncable credential models when they need high-assurance authentication.
  • Phishing-Resistant Authentication: Phishing-resistant authentication uses cryptographic proof that cannot be easily replayed through a fake login page or social engineering prompt. In practice, it reduces the value of stolen passwords and one-time codes, but it still depends on policy, device trust, and lifecycle governance.
  • Authenticator Lifecycle Management: Authenticator lifecycle management is the set of controls that govern a credential from issue to retirement. It covers enrollment, replacement, revocation, recovery, and audit evidence, and it becomes essential when passwordless credentials are treated as enterprise assets rather than user conveniences.

What's in the full article

Versasec's full post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step guidance for managing FIDO2 security keys across provisioning, replacement, and revocation workflows
  • Practical details on integrating passkey management with Microsoft Entra ID in hybrid identity environments
  • Operational examples for unblocking PINs, reissuing devices, and maintaining audit trails for passwordless administration
  • Details on automating passkey administration while keeping policy enforcement and compliance evidence consistent

👉 Versasec's full post covers lifecycle control, automation, and hybrid passkey administration details.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org