TL;DR: FIDO Alliance’s new working groups target identity verification for account recovery and passwordless device onboarding for IoT, while Axiad notes that non-person entities already represent over 30% of identities in its cloud service. The governance gap is broader than authentication alone: enterprises now need identity assurance that spans people, devices, and transactions.
At a glance
What this is: FIDO Alliance’s new working groups sharpen the industry focus on account recovery, device onboarding, and broader identity assurance beyond passwords.
Why it matters: IAM teams need to treat human, machine, and transaction authentication as one governance problem because recovery, onboarding, and trust boundaries now intersect.
By the numbers:
- Today, authentication for NPEs (non-person entities) represents over 30% of the identities on Axiad ID Cloud, and this percentage is growing.
👉 Read Axiad's blog on FIDO, account recovery, and device identity
Context
Passwords are no longer the centre of gravity for identity security, but the replacement problem is bigger than a simple move to MFA. Once account recovery, device onboarding, and transaction trust become separate governance issues, identity programmes have to control who or what is authenticating, how recovery is verified, and where trust is established.
This article is really about the widening scope of identity assurance. Axiad uses the FIDO Alliance’s new working groups to argue that enterprises must manage human recovery flows, non-person entity authentication, and transaction integrity as a connected set of controls rather than as isolated projects.
Key questions
Q: How should security teams handle account recovery in passwordless environments?
A: Treat account recovery as a privileged identity event, not a support function. Recovery should require stronger verification than everyday sign-in because it is the place where attackers can exploit weaker proofing, lost devices, or rushed exception handling. Map the recovery journey, tighten re-binding checks, and ensure every reset is auditable and revocable.
Q: Why do non-person entities need the same lifecycle discipline as user identities?
A: Because machine identities now make up a substantial share of enterprise identity populations and they can create the same access and audit risks as humans, only at higher scale. If devices and applications are onboarded without clear issuance, ownership, and revocation paths, they become persistent trust anchors rather than governed identities.
Q: What breaks when device onboarding still relies on passwords?
A: Password-based device onboarding creates shared secrets, slow revocation, and weak accountability. It also makes large fleets hard to audit because the secret, not the device lifecycle, becomes the control point. Standardised, revocable onboarding avoids that problem by tying trust to the device identity rather than to an embedded password.
Q: How can organisations tell whether identity assurance is actually working?
A: Look for evidence that recovery, onboarding, and transaction controls are all auditable and independently revocable. If a user can be recovered without strong proof, a device can join with a shared secret, or a transaction can be altered after authentication, assurance is incomplete even if login success rates look strong.
Technical breakdown
Identity verification and account recovery
When organisations move away from passwords, recovery becomes its own attack surface. The core issue is not only whether a user can sign in, but whether a recovered account is bound to the right identity after a lost credential, locked device, or stolen authenticator. Recovery flows often rely on weaker checks than primary authentication, which makes them attractive to attackers. In identity governance terms, recovery is a trust re-binding process, not an administrative convenience. If the re-binding step is weak, the whole authentication model inherits that weakness.
Practical implication: review account recovery as a privileged identity event and apply stronger verification than the routine sign-in path.
Device identity and passwordless IoT onboarding
IoT onboarding changes the problem from user authentication to machine identity assurance. Devices, applications, and systems need a reliable way to prove identity without shared passwords, because passwords do not scale cleanly across large device fleets and create persistent secret exposure. Standardised onboarding matters because it determines whether a device joins with a durable identity, a revocable trust anchor, and auditable lifecycle control. Without that structure, device authentication becomes an unmanaged secret distribution problem instead of a governed identity process.
Practical implication: move device onboarding toward revocable, standardised identity credentials rather than shared passwords or embedded secrets.
Transaction authentication and trust in the interaction
Transaction authentication extends identity beyond sign-in and device enrollment into the integrity of each digital interaction. The question is not only whether an entity is authenticated, but whether the data in motion remains confidential, unmodified, and available to the right party. That makes transaction trust a governance layer that sits above individual authentication events. It is especially relevant where machine-to-machine communication, delegated access, or high-value approvals can be manipulated mid-flow. Identity programmes that stop at login miss this middle layer entirely.
Practical implication: add transaction-level trust checks for workflows where authentication alone does not protect the integrity of the exchange.
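As an added example (not code from the Axiad post or from NHIMG), the following Go program sketches the model the two sections above describe: a device enrols with its own key pair rather than a shared password, trust is revoked per device instead of by rotating a fleet-wide secret, and each transaction is verified against the enrolled key so that a payload altered after signing is rejected. The registry type, the device ID and the payload are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Registry is a constructed device-identity store: devices are known by public key; revocation is a state change, not a secret rotation.
type Registry struct {
	devices map[string]ed25519.PublicKey
	revoked map[string]bool
}

func NewRegistry() *Registry {
	return &Registry{devices: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}

// Enroll binds a device ID to the device's own public key; the private key never
// leaves the device, so onboarding distributes no shared secret.
func (r *Registry) Enroll(id string, pub ed25519.PublicKey) { r.devices[id] = pub }

// Revoke withdraws trust from one device without touching any other.
func (r *Registry) Revoke(id string) { r.revoked[id] = true }

// Verify accepts a transaction only if it was signed by an enrolled, non-revoked
// device and the payload is byte-for-byte what that device signed.
func (r *Registry) Verify(id string, payload, sig []byte) error {
	pub, ok := r.devices[id]
	if !ok || r.revoked[id] {
		return errors.New("device unknown or revoked")
	}
	if !ed25519.Verify(pub, payload, sig) {
		return errors.New("signature mismatch: payload altered or wrong key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	reg := NewRegistry()
	reg.Enroll("sensor-42", pub) // constructed sample device ID
	tx := []byte(`{"device":"sensor-42","action":"open-valve","amount":10}`) // constructed payload
	sig := ed25519.Sign(priv, tx)
	fmt.Println("valid:", reg.Verify("sensor-42", tx, sig))
	fmt.Println("altered:", reg.Verify("sensor-42", []byte(`{"device":"sensor-42","action":"open-valve","amount":99}`), sig))
	reg.Revoke("sensor-42")
	fmt.Println("revoked:", reg.Verify("sensor-42", tx, sig))
}
```

Each rejection is a distinct, auditable event (unknown or revoked identity versus altered payload), which is the kind of evidence the governance questions above ask for.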
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Azure Key Vault privilege escalation exposure — Azure Key Vault Contributor role misconfiguration enabled privilege escalation.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Account recovery is the new weak link in passwordless identity design. Once the enterprise removes passwords and leans harder on MFA, recovery becomes the place where assurance drops. That is where account takeover pressure shifts, because the recovery path often has to prove identity under stress, ambiguity, or device loss. Practitioners should treat recovery as a governed trust event, not a support workaround.
Non-person entity authentication has already crossed the threshold from edge case to core population. Axiad’s disclosure that NPEs represent over 30% of its identities reflects a broader enterprise reality: machine identities are no longer auxiliary. That means onboarding, lifecycle, and revocation need the same governance discipline applied to users, but with machine-scale velocity and auditability.
Transaction authentication closes a gap that traditional sign-in controls leave open. Authentication can confirm an identity and still fail to protect the trustworthiness of what that identity does next. The industry’s focus on transaction trust is a sign that identity governance is moving from access control alone to interaction assurance. Practitioners should expect identity programmes to absorb more integrity and availability requirements over time.
Standardisation is becoming a governance requirement, not just an interoperability preference. The FIDO Alliance’s working groups highlight that recovery and device onboarding both break when every implementation invents its own trust model. Fragmented identity flows create uneven assurance and weak lifecycle control. Practitioners should push for standardised, auditable identity pathways wherever possible.
Identity assurance now spans three layers at once: person, machine, and transaction. That is the real shift in this article. The old model assumed one authenticated subject and one access decision; the newer model has to govern who recovered the account, what device was enrolled, and whether the interaction itself remained trustworthy. Practitioners should design identity control points across all three layers, not just at login.
From our research:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most teams cannot reliably verify who or what is still active in the estate.
- For lifecycle context, see Ultimate Guide to NHIs for how visibility, rotation, and offboarding work together across machine identities.
What this signals
Identity programmes should expect recovery and onboarding to become the next audit focus. As passwordless adoption expands, the failure point shifts from initial sign-in to how identities are re-bound, enrolled, and revoked. Teams that still separate user IAM from machine identity governance will miss the operational overlap that attackers exploit.
Transaction trust is the missing middle layer in many identity architectures. Sign-in success does not prove that the action taken afterwards was safe, unchanged, or authorised at the right level. Practitioners should widen their identity telemetry so they can see not only who authenticated, but what the interaction did after authentication.
With 96% of organisations storing secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, per our Ultimate Guide to NHIs, the path from identity assurance to identity sprawl is short. That means device onboarding and recovery controls must be designed as lifecycle controls, not one-off security fixes.
For practitioners
- Re-map account recovery as a high-risk identity flow: Document every step in the recovery process, identify where identity proofing is weaker than primary authentication, and require stronger verification for credential reset and re-binding events.
- Inventory non-person entity populations and onboarding paths: Count devices, applications, and system identities separately from human users, then trace how each one is enrolled, authenticated, and revoked across its lifecycle.
- Standardise machine identity issuance and revocation: Replace ad hoc device passwords with revocable identity credentials, and require a uniform onboarding process that can be audited across fleets and environments.
- Add transaction integrity checks to critical workflows: Use additional trust controls where an authenticated identity can still alter, redirect, or replay a high-value transaction without detection.
- Align identity governance across people and machines: Build one governance model that covers user recovery, device onboarding, and revocation evidence so audit and security teams can review them together.
Key takeaways
- The article shows that passwordless security does not remove identity risk; it shifts it into recovery, device onboarding, and transaction trust.
- Axiad’s cited figure that non-person entities make up over 30% of its identities illustrates how quickly machine identity governance is becoming a core IAM concern.
- Practitioners should treat recovery, enrolment, and revocation as governed identity events if they want assurance to hold beyond the login screen.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Account recovery and machine identity lifecycle both hinge on revocation and rotation discipline. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Trust should be continuously verified across users, devices, and transactions. |
| NIST CSF 2.0 | PR.AC-4 | Identity and access management must cover human, device, and transaction assurance. |
Review recovery and device identity flows for weak proofing, then enforce revocation and lifecycle controls.
Key terms
- Account Recovery: Account recovery is the governed process used to restore access when an authenticator is lost, locked, or compromised. In mature identity programmes, it is treated as a high-assurance identity event because it re-establishes trust and can create takeover risk if proofing is weak.
- Non-Person Entity: A non-person entity is a machine identity such as a device, application, service account, or system that authenticates without a human operator. These identities require lifecycle controls, ownership, and revocation evidence because they can persist far beyond the original business need.
- Transaction Authentication: Transaction authentication is the control layer that validates the trustworthiness of a digital interaction after identity has been established. It focuses on confidentiality, integrity, and availability of the exchange itself, which makes it especially relevant when sign-in alone does not protect the action.
Deepen your knowledge
Identity verification, recovery, and machine onboarding are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a governance programme that now spans people and devices, it is worth exploring.
This post draws on content published by Axiad: FIDO Alliance takes aim at two new cybersecurity challenges. Read the original.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org