TL;DR: FIDO passkeys have surpassed 2 billion global uses, but synchronised credentials still leave policy and control gaps compared with device-bound authenticators, according to OneSpan’s analysis of the FIDO Alliance plenary. As AI begins to act on behalf of users, passwordless governance shifts from login experience to identity assurance and delegation control.
At a glance
What this is: This analysis argues that passwordless authentication is expanding fast, but synchronised passkeys and AI-driven delegation are creating new governance gaps around control, policy enforcement, and user presence.
Why it matters: IAM, NHI, and human identity teams need to understand where passkey convenience weakens enterprise control, because the next failure mode is likely to sit at the boundary between user authentication and delegated machine action.
By the numbers:
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
Context
Passwordless authentication is moving from early adoption to enterprise default, but the governance model behind it is still uneven. Passkeys reduce phishing exposure and login friction, yet synchronised credentials can weaken enterprise control when organisations cannot always dictate where, how, and under what policy a credential is used.
The harder problem is no longer whether passwordless can work. It is whether identity programmes can preserve assurance, policy enforcement, and accountability when user access is mediated by device-bound authenticators, synchronised passkeys, and eventually AI systems that initiate actions on behalf of users. That shift is already visible in the FIDO ecosystem and deserves to be treated as an IAM governance issue, not a usability upgrade.
For teams tracking broader identity control maturity, the underlying question is familiar: where does convenience erode the organisation’s ability to bind access to policy? The same tension shows up in workload identity, machine credentials, and human authentication, which is why the passwordless discussion now intersects with NHI governance as much as with user sign-in design.
Key questions
Q: How should organisations decide between synchronised and device-bound passkeys?
A: Use synchronised passkeys where usability matters and the access risk is moderate, but prefer device-bound authenticators when policy fidelity, auditability, or regulated assurance requirements are higher. The deciding factor is not convenience alone. It is whether your programme can tolerate recovery paths and cloud-backed credential mobility without losing control over authenticator binding.
Q: Why do passkeys not fully solve enterprise identity governance?
A: Passkeys remove password weakness, but they do not automatically solve recovery, device portability, delegation, or policy enforcement. Enterprise governance still needs to know where the credential lives, who can recover it, and what authority is exercised after authentication. Without those controls, passwordless can improve login security while leaving governance gaps intact.
Q: How should teams govern AI actions that depend on user authentication?
A: Treat authentication and delegation as separate control layers. A user signing in with a passkey proves presence at login, but it does not define what an AI system may do later on the user’s behalf. Teams should assign explicit authority boundaries, logging, and approval logic to delegated actions instead of inheriting unlimited user access.
Q: What should security teams review before rolling out passkeys at scale?
A: Review recovery workflows, device replacement processes, application risk tiers, and whether a synchronised credential is acceptable for each use case. The critical question is whether the organisation can still enforce policy after the credential moves. If not, the rollout needs tighter binding or stronger authenticator classes.
Technical breakdown
Synchronised passkeys versus device-bound authentication
Passkeys are FIDO credentials that replace passwords with public-key cryptography. In synchronised models, private keys are backed up through a cloud ecosystem and can be restored across devices, which improves usability but reduces enterprise control over the exact binding between authenticator and device. Device-bound passkeys keep that binding local, making policy enforcement and assurance stronger. The technical trade-off is not just convenience versus security. It is whether the organisation can maintain a stable assurance boundary when the authenticator is portable across endpoints and recovery paths.
Practical implication: classify which applications can tolerate synchronised passkeys and reserve stricter device binding for regulated or high-risk workflows.
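The classification above can be enforced at the relying party: WebAuthn authenticator data carries a Backup Eligible (BE) flag and a Backup State (BS) flag that tell the server whether a passkey may be, or currently is, synchronised. The following Python is an added example, not code from OneSpan or the original post; it parses the fixed prefix of authenticatorData, rejects the spec-invalid BE=0/BS=1 combination, and applies per-tier policy (the tier names and rules are assumptions). It does not replace the rest of WebAuthn assertion verification (rpIdHash, challenge, signature).

```python
import struct
from dataclasses import dataclass

# WebAuthn authenticatorData prefix: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synchronised to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up

@dataclass(frozen=True)
class PasskeyClass:
    user_present: bool
    user_verified: bool
    backup_eligible: bool
    backed_up: bool

    @property
    def synchronised(self) -> bool:
        # Treat any backup-eligible credential as synchronised: the binding is not stable.
        return self.backup_eligible

def classify_authenticator_data(auth_data: bytes) -> PasskeyClass:
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    pk = PasskeyClass(bool(flags & FLAG_UP), bool(flags & FLAG_UV),
                      bool(flags & FLAG_BE), bool(flags & FLAG_BS))
    if pk.backed_up and not pk.backup_eligible:
        raise ValueError("BS set without BE: not a valid WebAuthn flag combination")
    return pk

# Assumed application risk tiers and the credential class each one tolerates.
POLICY = {
    "low":       {"allow_synced": True,  "require_uv": False},
    "moderate":  {"allow_synced": True,  "require_uv": True},
    "regulated": {"allow_synced": False, "require_uv": True},
}

def evaluate(tier: str, auth_data: bytes) -> tuple[bool, str]:
    pk = classify_authenticator_data(auth_data)
    rule = POLICY[tier]
    if not pk.user_present:
        return False, "no user presence"
    if rule["require_uv"] and not pk.user_verified:
        return False, "user verification required"
    if pk.synchronised and not rule["allow_synced"]:
        return False, "synchronised passkey not accepted for this tier"
    return True, "ok"

def make_auth_data(flags: int, sign_count: int = 1) -> bytes:
    # Constructed sample: all-zero rpIdHash, chosen flags, small signature counter.
    return bytes(32) + bytes([flags]) + struct.pack(">I", sign_count)
```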
Why FIDO still matters in AI-assisted identity flows
FIDO was designed to prove user presence at authentication time, which maps well to human login but less cleanly to delegated action by software. As AI systems begin to perform tasks for users, the challenge shifts from authenticating a person to governing the scope of delegated execution. That means the authentication event alone is no longer enough to answer who acted, what authority was delegated, and whether the action stayed within policy. FIDO remains relevant, but it becomes one control in a broader delegation chain rather than the whole answer.
Practical implication: separate human authentication from delegated execution controls so AI-assisted actions do not inherit unlimited user authority.
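One way to keep delegated execution separate from the login event is to mint an explicit, time-limited grant after authentication and to check every agent action against it. The Python below is an added example, not OneSpan's or the original post's code; the grant fields, action names and agent identity are assumptions chosen to show the three controls the text names: an authority boundary, an approval step, and a log entry for every decision.

```python
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class DelegationGrant:
    user: str                     # principal whose authority is being derived
    agent: str                    # assumed AI agent identity acting for the user
    allowed_actions: frozenset    # explicit authority boundary, never "everything the user can do"
    approval_required: frozenset  # subset of allowed actions that need a human approver
    expires_at: float             # delegation does not outlive the login ceremony indefinitely

AUDIT_LOG: list[dict] = []

def issue_grant(user, agent, allowed, approval_required, ttl_seconds, now=None):
    """Mint a grant narrower than the user's own authority; called after passkey login succeeds."""
    now = time.time() if now is None else now
    outside = set(approval_required) - set(allowed)
    if outside:
        raise ValueError(f"approval list names actions outside the grant: {sorted(outside)}")
    return DelegationGrant(user, agent, frozenset(allowed),
                           frozenset(approval_required), now + ttl_seconds)

def authorize(grant, agent, action, approved_by=None, now=None) -> str:
    """Decide one delegated action and record who acted, under whose authority, and why."""
    now = time.time() if now is None else now
    if agent != grant.agent:
        decision = "deny:agent-mismatch"
    elif now >= grant.expires_at:
        decision = "deny:expired"
    elif action not in grant.allowed_actions:
        decision = "deny:outside-authority"
    elif action in grant.approval_required and approved_by is None:
        decision = "deny:approval-required"
    else:
        decision = "allow"
    AUDIT_LOG.append({"user": grant.user, "agent": agent, "action": action,
                      "approved_by": approved_by, "decision": decision, "at": now})
    return decision
```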
Hardware security keys and enterprise control
Hardware security keys preserve a stronger form of possession because the secret material stays in a physical authenticator rather than a synchronised cloud store. That makes them more suitable where regulators, auditors, or internal policy require tighter control over the assurance boundary. They also reduce reliance on mobile-only authenticators that are not universally acceptable across user populations or environments. The technical point is not that hardware keys solve every identity problem. It is that they preserve control where portability and recovery mechanisms would otherwise dilute it.
Practical implication: use hardware keys for user groups and applications where assurance, portability constraints, and policy traceability matter most.
NHI Mgmt Group analysis
Synchronised passkeys solve adoption friction, but they also create trust dilution. The more a credential can move across devices and recovery paths, the less deterministic the enterprise’s control over its use becomes. That is a governance problem, not merely an authentication design choice. Practitioners should treat synchronisation as an assurance decision, not a default setting.
AI-assisted sign-in changes the meaning of user presence. FIDO’s model assumes an interactive person is present at the point of authentication, but AI agents can increasingly sit between the user and the action. When software begins to act with user-derived authority, authentication proves less than organisations think unless delegation boundaries are explicit. The implication is that identity teams must distinguish user authentication from machine execution authority.
Device-bound authenticators remain the cleanest answer where policy fidelity matters. Hardware security keys preserve a clearer trust boundary than synchronised credentials, especially in regulated environments where portability and recovery paths can weaken assurance. This is not a rejection of passkeys. It is a reminder that enterprise identity control depends on where the secret lives and who can move it. Practitioners should align authenticator type to risk tier.
Passwordless governance is converging with NHI governance. The same control questions now appear in human login, workload identity, and AI-mediated access: who holds the secret, who can recover it, and what policy governs use. That convergence means IAM teams can no longer treat passwordless as a standalone UX programme. It belongs inside broader identity lifecycle and access governance.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
- Synchronised passkeys, hardware keys, and delegated AI actions all depend on the same governance question. If control is fragmented, assurance erodes even when the authentication technology itself is strong.
What this signals
Passkey governance is becoming an identity architecture decision, not just an authentication choice. Teams that treat synchronised credentials as a universal default will discover that assurance varies by use case, recovery model, and regulatory pressure. The next programme decision is not whether to adopt passwordless, but where to preserve device binding and where convenience can be safely allowed.
Delegated execution will pull passwordless into the same control plane as NHI governance. Once AI systems can act on behalf of users, identity programmes must decide how much authority can survive beyond the authentication moment. That is where policy, recovery, and auditability start to matter more than the sign-in ceremony.
With 43% of security professionals already concerned that AI systems may learn and reproduce sensitive information patterns from codebases, the governance issue extends beyond access control into downstream exposure. Teams should prepare for identity controls that have to govern both people and software acting under human-derived authority.
For practitioners
- Define authenticator policy by assurance tier: separate low-risk convenience use cases from regulated or high-impact applications, and require device-bound authenticators where assurance, auditability, or recovery controls cannot be weakened.
- Map delegated AI actions to explicit authority boundaries: if users will rely on AI to take actions for them, require a separate governance model for delegated execution rather than assuming the login event covers the whole action chain.
- Review passkey recovery paths: examine how account recovery, device replacement, and cloud sync affect the organisation’s ability to preserve control over authenticator ownership and policy enforcement.
- Align authentication controls with regulated use cases: for environments with stricter identity assurance requirements, prioritise hardware security keys and document where synchronised passkeys are acceptable and where they are not.
Key takeaways
- Passkeys reduce phishing exposure, but synchronised models can dilute enterprise control over where credentials are used and recovered.
- AI-mediated actions turn authentication into only one part of the governance problem, because delegated execution needs its own authority boundaries.
- Device-bound authenticators remain the clearest fit for regulated or high-assurance use cases where policy fidelity matters more than convenience.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | Authenticator Assurance Levels (AAL) | Passkeys and hardware authenticators map directly to digital identity assurance decisions. |
| NIST CSF 2.0 | PR.AC-1 | Authentication governance depends on managing identities and authenticators consistently. |
| NIST Zero Trust (SP 800-207) | AC-4 | Delegated access and policy enforcement need continuous authorization boundaries. |
Use assurance level and authenticator choice to separate convenience logins from high-risk identity events.
Key terms
- Synchronised Passkey: A synchronised passkey is a FIDO credential whose private key can be restored across devices through a cloud-backed account. It improves usability and adoption, but it also changes the assurance boundary because enterprises may not control every device, recovery step, or replication path that can use the credential.
- Device-bound Authenticator: A device-bound authenticator stores credential material on a specific device or hardware key, rather than syncing it across multiple endpoints. It gives security teams a clearer control boundary for regulated or high-assurance use cases because the credential is tied to a known possession factor and a narrower recovery model.
- Delegated Execution: Delegated execution is the act of allowing software, including AI systems, to carry out actions on behalf of a user after authentication has completed. The governance challenge is that the login event does not define the action scope, so the organisation must set separate authority, logging, and approval controls.
- Assurance Boundary: An assurance boundary is the point at which an organisation decides what level of confidence it has in an identity or authenticator. In passwordless programmes, the boundary shifts depending on whether a credential is device-bound, synchronised, recoverable, or reused by another system acting under derived authority.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.
This post draws on content published by OneSpan: L'avenir de l'authentification sans mot de passe: Les enseignements de la réunion plénière de l'Alliance FIDO (The future of passwordless authentication: lessons from the FIDO Alliance plenary meeting). Read the original.
Published by the NHIMG editorial team on 2025-06-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org