By NHI Mgmt Group Editorial Team
Published 2025-09-16
Domain: Best Practices
Source: Axiad

TL;DR: FIDO2 strengthens user authentication with phishing-resistant credentials, but it does not cover machines, email signing, or document signing, according to Axiad’s analysis. The practical issue is not password replacement alone, but closing the authentication gaps that remain across human, machine, and interaction identity.


At a glance

What this is: This is an Axiad blog post arguing that FIDO2 and PKI work best as a paired authentication model because FIDO2 alone leaves machine and interaction use cases uncovered.

Why it matters: It matters because IAM teams cannot treat passwordless rollout as a complete identity strategy if service endpoints, email trust, and document signing still rely on weaker controls.



Context

FIDO2 closes a real user authentication problem, but it does not by itself solve the broader identity perimeter. When organisations move work to homes, mobile devices, and cloud services, the remaining gap is not just login friction. It is whether the programme can verify machines, signed communications, and digitally executed transactions with the same rigour it applies to people.

That gap matters for IAM because passwordless authentication is often mistaken for complete identity coverage. In practice, human authentication, machine identity, and cryptographic trust for email or document exchange sit in different control planes. A mature programme has to decide where FIDO2 ends and where PKI takes over, rather than assuming one credential model can govern every use case.


Key questions

Q: How should security teams use FIDO2 without creating blind spots in IAM?

A: Use FIDO2 for phishing-resistant human authentication, but define where it stops. If your programme also depends on devices, email integrity, or signed documents, add PKI governance so non-human trust is explicitly covered. The test is not whether passwords are gone. The test is whether every identity use case has an assurance control that matches the risk.

Q: Why do PKI and passwordless authentication solve different identity problems?

A: They solve different layers of identity assurance. Passwordless and FIDO2 improve how people authenticate, while PKI establishes trust for certificates, devices, messages, and documents. If teams treat them as interchangeable, they leave machine identity and transactional integrity outside the control model. Mature IAM programmes separate the use cases and govern both.

Q: What breaks when machine identities are not included in passwordless plans?

A: What breaks is coverage. Users may log in securely, but servers, IoT devices, mobile endpoints, and signed communications remain governed by weaker or inconsistent trust patterns. That creates a split identity perimeter where the human path is hardened but the machine path is not. Security teams should assess whether every non-human subject has a certificate-based trust mechanism.

Q: Should organisations manage FIDO2 and PKI in separate programmes?

A: No. Separate programmes usually create duplicated policy, inconsistent revocation, and unclear ownership for assurance decisions. FIDO2 and PKI should sit in one governance model, with different controls for different subjects. That gives IAM, PKI, and security teams a shared view of which identity type is being authenticated, trusted, or signed at any point.


Technical breakdown

FIDO2 authentication and passwordless access

FIDO2 combines WebAuthn and the Client to Authenticator Protocol (CTAP) so a browser or application can challenge a local authenticator without sending a shared secret to a server. The key property is phishing resistance: the private key stays on the device and the credential is bound to the relying party. That makes it strong for human sign-in, but it is still a user authentication model, not a general trust layer for devices, messages, or signed business artefacts.

Practical implication: treat FIDO2 as the primary control for human authentication, not as a replacement for all identity assurance.
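Added example (Go, not code from the Axiad post or from NHI Mgmt Group) of the relying-party binding described above: the browser-plus-authenticator side signs a challenge for the page it is actually on, and the relying-party side checks challenge, origin and rpIdHash before the signature, so the same credential exercised from a constructed look-alike origin is rejected. The hostnames, the fixed challenge value and the simplified authenticatorData (no attested credential data or extensions) are assumptions for illustration.

```go
package main
import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)
// assertion is what the relying party gets back from navigator.credentials.get().
type assertion struct{ AuthData, ClientDataJSON, Signature []byte }
// h returns SHA-256 over the concatenation of its arguments.
func h(parts ...[]byte) []byte {
	s := sha256.Sum256(bytes.Join(parts, nil))
	return s[:]
}
// authenticatorSign plays browser + authenticator: rpID and origin come from the page the browser is on.
func authenticatorSign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) (assertion, error) {
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	authData := append(h([]byte(rpID)), 0x01, 0, 0, 0, 1) // rpIdHash || flags (user present) || sign counter
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h(authData, h(cd))) // signs authData || SHA-256(clientDataJSON)
	return assertion{authData, cd, sig}, err
}
// verifyAssertion is the relying-party side; the challenge, origin and rpIdHash checks,
// not only the signature, are what make the credential phishing-resistant.
func verifyAssertion(pub *ecdsa.PublicKey, a assertion, rpID, origin, challenge string) error {
	cd := map[string]string{}
	switch err := json.Unmarshal(a.ClientDataJSON, &cd); {
	case err != nil:
		return err
	case cd["type"] != "webauthn.get" || cd["challenge"] != challenge:
		return errors.New("wrong ceremony type or stale challenge (replay)")
	case cd["origin"] != origin:
		return errors.New("origin mismatch: " + cd["origin"])
	case len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], h([]byte(rpID))):
		return errors.New("rpIdHash mismatch: credential exercised for another RP")
	case !ecdsa.VerifyASN1(pub, h(a.AuthData, h(a.ClientDataJSON)), a.Signature):
		return errors.New("bad signature")
	}
	return nil
}
// roundTrip registers a fresh key, signs for the page the browser is on, and verifies against the
// genuine RP (example.com / https://login.example.com; constructed values, not from the post).
func roundTrip(browserRPID, browserOrigin string) error {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const challenge = "c0ffee-nonce-42" // constructed; a real RP issues a fresh random challenge per ceremony
	a, _ := authenticatorSign(priv, browserRPID, browserOrigin, challenge)
	return verifyAssertion(&priv.PublicKey, a, "example.com", "https://login.example.com", challenge)
}
```

`roundTrip("example.com", "https://login.example.com")` returns nil, while `roundTrip("example-com.invalid", "https://login.example-com.invalid")` fails the origin check before the signature is ever examined.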

PKI for machine identity, email signing, and document trust

PKI uses certificate authorities to issue and validate public key certificates across users, machines, and transactions. Unlike FIDO2, it can express trust for non-interactive use cases such as device authentication, email signing, encryption, and document signatures. That is why PKI remains relevant wherever identity must be proven outside a login flow. It also introduces lifecycle management complexity because issuance, renewal, revocation, and policy enforcement all have to stay consistent.

Practical implication: build certificate lifecycle controls around the non-human use cases that passwordless authentication does not touch.

Why unified credential governance matters

The core architectural issue is not whether FIDO2 or PKI is better, but whether they are governed together. A fragmented programme may secure user login while leaving device trust and signed interactions inconsistently managed. A unified model reduces this split by aligning issuance, assurance level, policy, and revocation across both credential types. That is especially important in cloud-heavy environments where identity boundaries extend far beyond the office network.

Practical implication: map human and machine trust requirements into one governance model so control ownership does not split across teams.




NHI Mgmt Group analysis

FIDO2 solves human authentication, not identity coverage. The article is right to separate passwordless login from the broader identity problem. FIDO2 is a user-authentication control, while machines, email, and document trust still need cryptographic identity outside the browser sign-in path. The practitioner conclusion is that passwordless rollouts must be measured against actual coverage, not adoption headlines.

PKI is the governance layer that closes the non-human gap. When machines outnumber people and digital interactions carry operational weight, certificate-based trust becomes part of the identity perimeter. That is an NHI governance problem as much as an authentication problem, because issuance, renewal, revocation, and policy enforcement now govern how a non-human subject is trusted. The practitioner conclusion is that PKI cannot be treated as legacy plumbing.

Credential fragmentation creates blind spots across human and machine identity. A programme that buys passwordless for users and leaves certificates to a separate operations team ends up with inconsistent lifecycle control. That inconsistency is where risk accumulates, because the organisation can no longer answer which identities are bound to what assurance level. The practitioner conclusion is to unify governance before expanding the stack.

Unified authentication models are becoming a Zero Trust requirement, not an architecture preference. The article’s core insight is that perimeter loss forces identity controls to follow the subject, not the network. FIDO2 and PKI together represent two different trust expressions, one for people and one for machines and interactions. The practitioner conclusion is that Zero Trust programmes should define both, or they will remain partial.

From our research:

  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • For a broader view: The Top 10 NHI Issues breaks down the governance failures that keep identity programmes incomplete.

What this signals

Credential bifurcation is the real programme risk. Once organisations split human authentication and machine trust into separate operating models, the governance story becomes harder to audit and easier to misread. The result is a policy surface where login can be modernised while certificates, signing, and revocation remain uneven. That is why identity teams should treat unified assurance as a design requirement, not an integration afterthought.

Unified assurance is the concept worth naming here. It means people, devices, and signed interactions are governed under one identity decision model even though the controls differ. For practitioners, that changes roadmap sequencing: passwordless adoption, certificate lifecycle, and Zero Trust policy should be planned together, not as parallel projects. The closer the environment gets to distributed work, the more that alignment determines whether identity control is real or cosmetic.


For practitioners

  • Separate human login from machine trust: Inventory where FIDO2 is used for user authentication and where certificates are required for devices, email, or documents. Document the handoff so teams do not assume one control covers the other.
  • Centralise certificate lifecycle ownership: Assign clear ownership for issuance, renewal, revocation, and policy enforcement across all certificate types, including those used for endpoints and application trust.
  • Measure identity coverage, not password removal: Track which business processes still depend on shared secrets, unsecured email trust, or unsigned documents after passwordless rollout. The goal is complete trust coverage, not just fewer passwords.
  • Align authentication and Zero Trust policy: Map FIDO2 and PKI into the same access architecture so assurance levels, device trust, and transaction trust are governed consistently across environments.

Key takeaways

  • FIDO2 improves human authentication, but it does not by itself govern machines, signed email, or document trust.
  • The scale of the gap is operational, not theoretical, because machines already outnumber humans by a wide margin in modern enterprises.
  • IAM teams should treat PKI and passwordless as complementary controls under one governance model, not as separate modernisation tracks.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Certificate lifecycle and credential coverage are central to this PKI and FIDO2 discussion.
NIST CSF 2.0 | PR.AA-1 | Authentication assurance and identity proofing are the core human side of this topic.
NIST Zero Trust (SP 800-207) | PR.AC-1 | Zero Trust requires explicit trust decisions for both users and devices, which this article addresses.

Map passwordless and certificate-based controls to assurance requirements and verify they cover each identity use case.


Key terms

  • FIDO2: FIDO2 is a phishing-resistant authentication standard for people signing in to applications and web services. It uses public key cryptography with local authenticators, which reduces shared-secret exposure. In practice, it is strongest for human login and weaker as a complete trust model for machines or signed transactions.
  • Public Key Infrastructure: Public Key Infrastructure is the system used to issue, manage, validate, and revoke digital certificates. It underpins trust for devices, email, documents, and other non-interactive identity use cases. In identity programmes, PKI becomes a governance problem because certificate lifecycle and policy enforcement determine whether trust stays current.
  • Machine Identity: Machine identity is the identity assigned to a non-human subject such as a server, application, device, or IoT endpoint. It is usually expressed through certificates, keys, tokens, or secrets rather than human credentials. The control challenge is lifecycle management, because machine trust can persist long after ownership or purpose changes.

Deepen your knowledge

PKI and FIDO2 governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are aligning human authentication with machine trust and certificate lifecycle control, it is worth exploring.

This post draws on content published by Axiad: PKI and FIDO2: The Dynamic Duo of Authentication. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org