TL;DR: FIDO2 shifts authentication toward public-key credentials and browser-mediated challenges, reducing phishing and password theft while improving privacy and usability, according to StrongDM. For IAM and NHI teams, the harder problem is not login convenience but whether recovery, attestation, and legacy integration can preserve governance.
At a glance
What this is: FIDO2 replaces password-based login with cryptographic authentication that uses unique keys per site and does not store shared credentials on the server.
Why it matters: For IAM and NHI practitioners, FIDO2 matters because it changes how access is proven, but it does not remove the need to govern recovery paths, device trust, and privileged access.
By the numbers:
- In 2023, 880,418 cybercrime complaints were filed, a 10% increase over the previous year.
- $12.5 billion.
- 74 percent of organizations plan to increase investment in modern authentication technologies.
- 61 percent of surveyed organizations have either deployed or plan to deploy passwordless authentication.
👉 Read StrongDM's guide to FIDO2 passwordless authentication and certification
Context
FIDO2 is a passwordless authentication standard built on public-key cryptography, but the governance problem for IAM and NHI teams is broader than end-user convenience. When authentication moves from shared secrets to device-bound keys, the control question shifts to enrollment, attestation, recovery, and how those flows interact with privileged access and non-human identities. The same pressure applies to service accounts and automation, where passwordless patterns can reduce exposure but do not eliminate trust decisions.
For practitioners, the central issue is whether FIDO2 can fit into environments that still depend on legacy applications, remote work exceptions, and account recovery processes. StrongDM's article is useful because it treats FIDO2 as an architectural change, not just a usability upgrade. That starting point is typical for mature IAM teams, but many organisations still underestimate the operational work needed to make passwordless authentication governable at scale.
Key questions
Q: How should organisations roll out FIDO2 without creating new recovery risk?
A: Start with the recovery process, not the authenticator. Define how users regain access after lost devices, failed registration, or role changes, then test whether those paths require weaker verification than the primary login. If they do, restrict rollout to lower-risk populations until the exception model is hardened.
Q: When does passwordless authentication reduce risk, and when does it simply move the problem?
A: It reduces risk when password theft, phishing, and replay are the dominant threats and recovery is tightly controlled. It moves the problem when legacy systems, helpdesk resets, or broad exception handling become the easiest way back in. In that case, the weakest path becomes the real control plane.
Q: What is the difference between FIDO2 and WebAuthn for security teams?
A: FIDO2 is the broader standards family, while WebAuthn is the browser and platform API that enables web applications to use FIDO2 authenticators. Security teams should think of WebAuthn as the integration layer and FIDO2 as the overall passwordless model that includes both browser and authenticator components.
Q: Should organisations use FIDO2 for privileged access first?
A: Often yes, but only if the organisation can support stronger registration, device trust, and recovery controls. Privileged access has the most to gain from phishing-resistant authentication, yet it also has the least tolerance for fragile fallback paths. Start there only when the surrounding governance is ready.
Technical breakdown
How FIDO2 uses public-key cryptography for passwordless login
FIDO2 relies on asymmetric cryptography, where the authenticator keeps the private key and the service stores only the public key. During login, the service issues a challenge and the authenticator signs it, proving possession without sending a reusable secret over the network. WebAuthn handles the browser and operating system interaction, while CTAP connects the client to external authenticators such as security keys, with platform authenticators handled by the device itself. The security model is strong because each site gets a unique credential, which reduces replay and phishing risk. But the model also shifts trust to device enrollment, authenticator integrity, and the processes that issue or recover access when the device is lost.
Practical implication: Practitioners should treat authenticator enrollment and recovery as privileged workflows, not routine helpdesk tasks.
FIDO2 attestation, certification, and device trust
Attestation lets a relying party verify information about the authenticator during registration, including whether it meets a required certification profile. That matters when organisations want to enforce policy such as approved hardware classes or stronger assurance for sensitive applications. In practice, attestation is less about proving that a user is who they say they are and more about validating that the device itself belongs to an accepted trust class. The trade-off is operational complexity: tighter policy improves assurance, but can create friction if device inventories, metadata services, or certification requirements are not maintained. This is where authentication policy becomes a lifecycle problem, not a one-time configuration.
Practical implication: Use attestation selectively for high-risk access paths, then maintain device metadata and exception handling as part of IAM operations.
Where FIDO2 still leaves governance gaps
FIDO2 reduces dependence on passwords, but it does not eliminate account recovery, legacy integration, or non-browser authentication paths. Those gaps matter because attackers often target the weakest fallback rather than the primary factor. The article's own warning about timing vulnerabilities and limited physical protection also points to a broader truth: stronger authentication does not guarantee stronger session governance. For NHI teams, the parallel is clear. A better credential type does not solve lifecycle control, access review, or blast-radius management when identities are ephemeral, delegated, or privileged.
Practical implication: Review fallback authentication, recovery, and privileged session controls before expanding passwordless access broadly.
Threat narrative
Attacker objective: The attacker aims to bypass strong primary authentication by exploiting the recovery and exception paths around it.
- Entry via phishing or password theft is reduced when passwordless login removes shared secrets, but attackers may shift to recovery channels or enrolled device compromise.
- Escalation occurs when fallback processes, weak device trust, or poorly governed exceptions recreate the very access paths passwordless was meant to remove.
- Impact is unauthorized account access, especially in environments where privileged users, admins, or service owners rely on the same recovery controls.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Passwordless authentication is only as strong as the recovery path around it. FIDO2 reduces password theft, phishing, and replay, but it does not remove identity recovery, helpdesk override, or device replacement workflows. Those are often the real points of compromise in mature environments. For NHI governance, the lesson is simple: move the control discussion from credentials to lifecycle and exception management.
FIDO2 is a useful assurance layer, not a complete access architecture. It improves how a principal proves possession of an authenticator, but it does not solve authorization design, session isolation, or privilege scoping. Organisations that treat FIDO2 as a replacement for access policy usually end up with stronger login and weaker governance. Practitioners should use it as one control in a layered model, not as the model itself.
Legacy integration is the biggest reason passwordless deployments stall. The technical model is straightforward in modern browsers, but production estates still include remote access tools, older apps, and break-glass processes that were designed around passwords. Those exceptions become durable risk if they are not redesigned. The practical conclusion is that passwordless rollout must be paired with application inventory and exception retirement.
For NHI programmes, FIDO2 highlights a deeper identity truth: credential quality matters less than control continuity. Whether the identity is human or non-human, the organisation needs a consistent way to issue, verify, restrict, and revoke access across its full lifecycle. Strong authentication without lifecycle governance still leaves shadow paths, stale access, and privilege creep. Teams should therefore anchor passwordless work inside broader NHI and IAM governance rather than treating it as a point solution.
FIDO2 certification matters most where policy and interoperability intersect. Certification, attestation, and metadata services become relevant when organisations need to trust heterogeneous authenticators at scale. That is a governance decision as much as a technical one, because it determines which devices can enter the access estate. Practitioners should define assurance tiers before deploying credentials, not after exceptions pile up.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which shows why recovery and exception paths remain the weak point in identity programmes.
- For a broader control-plane view, see Ultimate Guide to NHIs, Key Challenges and Risks, for the visibility and privilege issues that passwordless authentication does not remove.
What this signals
Passwordless authentication will keep spreading because it directly addresses phishing and replay, but the operational burden shifts to lifecycle control. The organisations most likely to succeed are the ones that treat device enrollment, recovery, and exception retirement as part of identity governance rather than as implementation afterthoughts.
Credential-quality debt: many programmes improve the primary factor while leaving fallback processes untouched, which creates a gap between security policy and real-world access. That gap matters for both human users and NHI workflows, because the easier path back in often defines the true trust boundary.
The better strategic move is to align passwordless work with broader NHI and IAM controls, including OWASP Non-Human Identity Top 10 guidance and phishing-resistant authentication patterns in NIST SP 800-63 Digital Identity Guidelines. That pairing turns FIDO2 from a login feature into an access governance control.
For practitioners
- Map every fallback path before expanding passwordless access. Document account recovery, helpdesk reset, break-glass access, and device replacement flows for every workforce segment. If a path can reintroduce shared secrets or weak identity proofing, treat it as part of the attack surface.
- Use attestation only where assurance justifies the overhead. Reserve stricter authenticator approval for admin, finance, and production access. Keep a documented exception process for hardware and browser combinations that cannot meet the chosen assurance tier.
- Retire password-based exceptions in legacy applications. Inventory applications that still require passwords or static second factors and set a deprecation path. Where replacement is not immediate, isolate those apps behind stronger monitoring and narrower entitlements.
- Treat privileged access separately from standard user login. Apply stronger controls to admin and operator accounts than to routine workforce access. Pair passwordless authentication with session recording, approval workflows, and just-in-time privilege where the business risk is highest.
Key takeaways
- FIDO2 reduces password dependence, but it does not remove the need to govern enrollment, recovery, and device trust.
- The main operational risk shifts from the primary login factor to the fallback paths that reintroduce weaker access.
- Teams should treat passwordless adoption as part of IAM and NHI lifecycle governance, not as a standalone authentication upgrade.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Passwordless login still depends on secure credential issuance and recovery. |
| NIST CSF 2.0 | PR.AC-1 | Authentication assurance and access governance are central to this topic. |
| NIST SP 800-63 | Phishing-resistant authentication and assurance levels | Directly align with FIDO2; adopt phishing-resistant authenticators where risk justifies stronger digital identity assurance. |
Key terms
- FIDO2: FIDO2 is a passwordless authentication standard that uses public-key cryptography instead of shared secrets. A service stores the public key while the authenticator keeps the private key, allowing users to prove possession without sending reusable credentials over the network.
- WebAuthn: WebAuthn is the browser and platform API that enables websites to work with FIDO2 authenticators. It handles the web-facing part of the login flow and lets applications request cryptographic authentication through supported browsers and operating systems.
- Authenticator Attestation: Authenticator attestation is evidence supplied during registration that describes the authenticator being enrolled. Security teams use it to decide whether a device meets policy requirements, which makes it a governance control as much as a technical trust signal.
- Phishing-resistant authentication: Phishing-resistant authentication is a login approach that cannot be easily replayed or stolen through fake websites or credential capture. FIDO2 is a common example because it binds authentication to a real authenticator and a specific relying party.
Deepen your knowledge
FIDO2 passwordless authentication and its impact on identity lifecycle controls are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are redesigning access governance around phishing-resistant authentication, it is worth exploring.
This post draws on content published by StrongDM: The Definitive Guide to FIDO2 Web Authentication. Read the original.
Published by the NHIMG editorial team on 2025-06-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org