By NHI Mgmt Group Editorial Team. Published 2025-09-16. Domain: Best Practices. Source: Axiad

TL;DR: FIDO2 improves user authentication, but it does not cover machine identities, email signing, or document signing, making PKI the missing complement for broader identity protection, according to Axiad. The real issue is that passwordless authentication solves one layer of identity risk while leaving machine and interaction trust unresolved.


At a glance

What this is: This is Axiad’s analysis of why FIDO2 alone leaves important authentication gaps and how PKI fills them for users, machines, email, and documents.

Why it matters: It matters because IAM programmes that stop at human login assurance can still leave machine identities, signed communications, and document workflows exposed.

👉 Read Axiad’s analysis of why PKI complements FIDO2 for authentication


Context

FIDO2 is a strong user authentication standard, but it only solves part of the identity problem. The wider issue is that modern enterprises must authenticate not just people, but also devices, applications, emails, and documents across distributed work environments.

For IAM and security teams, that means passwordless adoption cannot be treated as a complete identity strategy. If machine identity management and cryptographic trust for communications are not covered, the programme still has material gaps even when user login is modernised.


Key questions

Q: How should security teams combine FIDO2 and PKI without creating overlap?

A: Use FIDO2 for strong human authentication and PKI for machine identities, email signing, encryption, and document trust. The two controls solve different problems. Teams should align each with the identity type and workflow they actually govern, then manage certificates and authenticators through separate but coordinated lifecycle processes.

Q: Why do passwordless programmes still leave identity risk behind?

A: Passwordless reduces credential theft at the login layer, but it does not address non-human identities, device trust, or cryptographic proof for signed communications. A programme can therefore improve user experience while still leaving major identity surfaces outside its control model, especially where machines outnumber humans.

Q: When should organisations prioritise PKI over another MFA method?

A: Prioritise PKI when the business needs certificate-based trust for devices, secure email, document signing, or regulated communications. If the main requirement is user login convenience, another MFA method may be enough. If the requirement is cryptographic assurance across interactions, PKI becomes the stronger fit.

Q: What is the difference between user authentication and identity trust for communications?

A: User authentication proves a person or device can log in. Identity trust for communications proves the sender, message, or document has not been altered and can be verified later. That distinction matters because many enterprise risks sit in what happens after login, not only at the login event.


Technical breakdown

Why FIDO2 solves user login but not machine identity

FIDO2 uses public key cryptography tied to a user device, with WebAuthn and related flows enabling strong authentication without passwords. That design is well suited to proving a person’s presence at login, but it does not extend to server certificates, application trust, or other machine-to-machine identities. In practice, the control boundary is the user authentication event, not the broader identity fabric. When organisations assume FIDO2 covers everything, they confuse strong user auth with complete identity governance.

Practical implication: treat FIDO2 as a human authentication control, not a substitute for machine identity governance or certificate-based trust.
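To make that control boundary concrete, here is an added example (not Axiad's or NHIMG's code) of the relying-party check behind a FIDO2/WebAuthn login, written against Go's standard library. The relying party `example.com`, its origin, the device key, the signature counter and the challenge values are all constructed, and the device side is emulated in-process; a real deployment would use a WebAuthn library and also validate attestation at registration, which this omits. What it shows is that the signed payload covers a one-time server challenge, the origin and the RP ID hash, so it proves presence at this login and nothing else: the same assertion fails against the next challenge, and nothing in the exchange chains to a CA or says anything about a document or a server.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// Constructed relying-party values for this added example.
const rpID, origin = "example.com", "https://example.com"

// StoredCredential is all the RP keeps from registration: a raw public key and the
// last signature counter. No certificate chain and no CA are involved.
type StoredCredential struct {
	PublicKey *ecdsa.PublicKey
	SignCount uint32
}

// Assertion is what the browser returns to the RP after navigator.credentials.get().
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewChallenge mints the random single-use value the RP must remember per login attempt.
func NewChallenge() []byte {
	c := make([]byte, 32)
	must(rand.Read(c))
	return c
}

// signedPayload is what both sides sign and verify: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedPayload(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// SignAssertion emulates the user's FIDO2 device (a constructed stand-in):
// authenticatorData = SHA-256(rpID) || flags || 4-byte signature counter.
func SignAssertion(devKey *ecdsa.PrivateKey, counter uint32, challenge []byte) Assertion {
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // flag 0x01 = user present
	binary.BigEndian.PutUint32(authData[33:], counter)
	cd := must(json.Marshal(map[string]string{"type": "webauthn.get",
		"challenge": base64.RawURLEncoding.EncodeToString(challenge), "origin": origin}))
	sig := must(ecdsa.SignASN1(rand.Reader, devKey, signedPayload(authData, cd)))
	return Assertion{authData, cd, sig}
}

// VerifyAssertion is the RP-side check. Every step binds the proof to this login
// attempt at this origin; nothing here certifies a document or a machine identity.
func VerifyAssertion(cred *StoredCredential, expectedChallenge []byte, as Assertion) error {
	var cd map[string]string
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	got, err := base64.RawURLEncoding.DecodeString(cd["challenge"])
	if err != nil || !bytes.Equal(got, expectedChallenge) || cd["type"] != "webauthn.get" || cd["origin"] != origin {
		return errors.New("client data does not match this login: challenge, type or origin differs")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) < 37 || !bytes.Equal(as.AuthData[:32], rpHash[:]) || as.AuthData[32]&0x01 == 0 {
		return errors.New("authenticator data malformed, rpIdHash mismatch, or user not present")
	}
	count := binary.BigEndian.Uint32(as.AuthData[33:37])
	if count <= cred.SignCount { // a non-increasing counter suggests a cloned authenticator
		return errors.New("signature counter did not increase")
	}
	if !ecdsa.VerifyASN1(cred.PublicKey, signedPayload(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("signature invalid")
	}
	cred.SignCount = count
	return nil
}

// RunLoginScenario registers a constructed device key, then shows that a fresh
// assertion passes while the same assertion replayed against a new challenge fails.
func RunLoginScenario() map[string]bool {
	devKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	cred := &StoredCredential{PublicKey: &devKey.PublicKey}
	c1 := NewChallenge()
	as1 := SignAssertion(devKey, 1, c1)
	first := VerifyAssertion(cred, c1, as1) == nil
	c2 := NewChallenge()
	replayed := VerifyAssertion(cred, c2, as1) == nil
	fresh := VerifyAssertion(cred, c2, SignAssertion(devKey, 2, c2)) == nil
	return map[string]bool{"first_login": first, "replayed": replayed, "fresh_login": fresh}
}
```

`RunLoginScenario` returns `first_login` and `fresh_login` true and `replayed` false. Notice what the relying party stores: a bare public key and a counter, scoped to one origin. That is exactly why the same credential cannot be asked to vouch for a server, sign an email, or prove later that a document was approved; those needs pull in a certificate, an issuer and a lifecycle, which is the PKI side of the argument.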

How PKI extends identity trust to emails and documents

PKI adds certificate-based trust for interactions that need cryptographic proof beyond a login session. Email signing lets recipients verify that a message really came from the expected sender, while email encryption protects content in transit and at rest. Document signing uses the same trust model to validate approval and integrity for contracts or other records. These are identity problems because the organisation is proving who or what is allowed to sign, not just who can authenticate to a portal.

Practical implication: use PKI where the business needs non-repudiation, signing integrity, or encrypted business communications.

Why lifecycle management becomes the hidden challenge in PKI programmes

PKI is often harder to operationalise than password-based or token-based authentication because certificates carry issuance, renewal, revocation, and policy dependencies. That makes lifecycle management central to security outcomes. If certificates are not governed across provisioning, rotation, and offboarding, the cryptographic trust model becomes cluttered with stale or mis-scoped credentials. The article’s core point is that the technology works, but the programme discipline around it is what determines whether it actually closes risk.

Practical implication: manage certificate issuance and revocation as a lifecycle process, not as a one-time deployment.
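The two preceding points, signing interactions with certificate-backed keys and then governing those certificates over time, are shown together in this added example (not Axiad's or NHIMG's code), built with Go's standard library. The root CA "Example Corp Root CA", the signer "alice@example.com", the serial numbers and the document text are constructed. It issues a signing certificate scoped to the Email Protection extended key usage, signs a document, and then runs the checks a relying party applies later: revocation, chain validity at a point in time, EKU scoping, and the signature itself. The standard library does not fetch CRLs or query OCSP for you, so an in-memory set of revoked serials stands in for that lookup.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// must panics on error; acceptable here because the example only builds fixed demo material.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert signs tmpl with the signer's key; a nil parent means self-signed.
func issueCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// NewDemoPKI builds a constructed root CA (added example, not a real CA) and issues
// a one-year signing certificate scoped to the Email Protection EKU only. It returns
// the leaf certificate, its private key, and a trust store holding the root.
func NewDemoPKI() (*x509.Certificate, *ecdsa.PrivateKey, *x509.CertPool) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	ca := issueCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Root CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, &caKey.PublicKey, caKey)
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leaf := issueCert(&x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "alice@example.com (constructed)"},
		EmailAddresses: []string{"alice@example.com"},
		NotBefore:      now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}, ca, &leafKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return leaf, leafKey, roots
}

// SignDocument produces an ECDSA signature over the SHA-256 digest of doc.
func SignDocument(key *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyDocument is the relying party's later check: revocation first (the in-memory
// serial set stands in for CRL/OCSP), then chain validity at time `at` for the
// Email Protection purpose, then the signature itself.
func VerifyDocument(doc, sig []byte, signer *x509.Certificate, roots *x509.CertPool, at time.Time, revoked map[string]bool) error {
	if revoked[signer.SerialNumber.String()] {
		return errors.New("signer certificate is revoked")
	}
	if _, err := signer.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}); err != nil {
		return err // expired, untrusted issuer, or wrong EKU all land here
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected key type")
	}
	digest := sha256.Sum256(doc)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match document")
	}
	return nil
}

// RunLifecycleChecks signs a constructed document and reports which verification
// scenarios succeed; only the untampered, in-validity, unrevoked case should.
func RunLifecycleChecks() map[string]bool {
	leaf, key, roots := NewDemoPKI()
	doc := []byte("Purchase order 1001 approved by alice (constructed sample)")
	sig := must(SignDocument(key, doc))
	signedAt := leaf.NotBefore.Add(30 * time.Minute) // inside both certificates' validity
	revoked := map[string]bool{leaf.SerialNumber.String(): true}
	return map[string]bool{
		"valid":    VerifyDocument(doc, sig, leaf, roots, signedAt, nil) == nil,
		"tampered": VerifyDocument(append([]byte("X"), doc...), sig, leaf, roots, signedAt, nil) == nil,
		"expired":  VerifyDocument(doc, sig, leaf, roots, leaf.NotAfter.Add(time.Hour), nil) == nil,
		"revoked":  VerifyDocument(doc, sig, leaf, roots, signedAt, revoked) == nil,
	}
}
```

Only `valid` comes back true. The `expired` and `revoked` cases are the lifecycle point: the cryptography is identical in all four, and what changes the verdict is the state of the certificate at verification time, which is exactly what issuance, renewal, revocation and offboarding control. Two production details are deliberately simplified: the revoked-serial map would be a CRL or OCSP response, and the verification time would come from a trusted timestamp captured at signing, which is how long-term signature validation keeps a signature checkable after its certificate has expired.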


NHI Mgmt Group analysis

Passwordless authentication does not equal complete identity coverage. FIDO2 reduces user login risk, but it was designed for user authentication flows, not for the broader trust problems created by machines, signed email, and document workflows. The assumption that a modern login standard can stand in for a complete identity programme fails as soon as the organisation must govern non-human trust. Practitioners should separate human authentication improvement from full identity coverage.

Machine identity is the structural gap that passwordless alone leaves behind. The article’s own framing is clear that devices, servers, applications, and IoT identities outnumber humans and therefore require their own trust model. That makes the gap operational, not theoretical, because a large share of enterprise identity surface is not human at all. Security leaders should treat machine identity as a parallel control plane, not an afterthought to MFA adoption.

PKI is not a niche add-on when organisations need signed trust. Email signing, encryption, and document signing are all identity assurance problems because they verify authenticity and integrity across business interactions. This broadens identity governance beyond interactive login into the evidence chain that supports communication and approval. Practitioners should map which business workflows depend on cryptographic proof rather than username and password replacement.

Lifecycle discipline determines whether PKI reduces risk or adds operational drag. The article correctly notes that policy, compliance, and lifecycle management are the friction points that stop teams from using PKI well. That is a governance problem, not a cryptography problem, and it is exactly where identity programmes need ownership clarity. Security teams should judge PKI by operational governability, not by encryption strength alone.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means many identity programmes still cannot see the full machine identity surface they are meant to govern.
  • For a broader baseline on sprawl and over-privilege, see Ultimate Guide to NHIs, Key Challenges and Risks for the governance patterns that make PKI and related controls hard to operationalise.

What this signals

Machine identity coverage will increasingly sit beside MFA as a board-level IAM question. As organisations modernise authentication, the pressure will shift toward whether they can verify non-human identities with the same discipline they apply to people. The practical signal is that teams need one programme view across login, devices, and signed business interactions, not separate security conversations.

Certificate lifecycle management will become the difference between control and clutter. PKI only improves security when issuance, renewal, revocation, and offboarding are governed with the same rigour as access provisioning. Teams that cannot operationalise those steps will keep strong cryptography but weak identity governance, which is a common failure mode in hybrid environments.

NHI sprawl remains the hidden multiplier here: 96% of organisations store secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs. That is why authentication strategy and secret hygiene have to be designed together, not treated as separate workstreams.


For practitioners


Key takeaways

  • FIDO2 improves human authentication, but it does not on its own solve machine identity, signed communications, or document trust.
  • PKI closes important identity gaps by extending cryptographic assurance to emails, devices, and business documents.
  • The real governance challenge is operational lifecycle control, because certificate issuance, renewal, and revocation determine whether PKI reduces risk or adds complexity.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Certificate and secret lifecycle issues map directly to NHI governance gaps.
NIST CSF 2.0 | PR.AC-1 | Authentication and access control apply to user and machine trust boundaries.
NIST Zero Trust (SP 800-207) | | Zero Trust requires continuous verification across users, devices, and services.

Inventory non-human credentials and enforce lifecycle controls for issuance, rotation, and revocation.


Key terms

  • FIDO2: FIDO2 is a modern authentication standard that enables strong login using cryptographic credentials instead of passwords. It is designed to improve user authentication for web and device access, but it does not by itself govern machine identities, email signing, or document trust.
  • Public Key Infrastructure: Public Key Infrastructure is the system used to issue, manage, and revoke digital certificates that prove identity and secure communications. In identity programmes, PKI extends trust beyond login and is often used for devices, email signing, encryption, and document validation.
  • Machine Identity: Machine identity is the identity assigned to a non-human entity such as a server, application, device, or IoT system. It needs governance because machines authenticate, exchange data, and sign interactions just like people do, but often at much larger scale and with weaker visibility.
  • Certificate Lifecycle: Certificate lifecycle is the process of issuing, renewing, rotating, and revoking digital certificates over time. It is a governance discipline, not just a technical task, because stale or unmanaged certificates can leave trust in place long after they should have been removed.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Axiad: PKI and FIDO2: The Dynamic Duo of Authentication. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org