FIDO2 passwordless authentication: are your IAM controls ready?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6131
Topic starter  

TL;DR: FIDO2 combines WebAuthn and CTAP to deliver phishing-resistant, public-key authentication with hardware-protected private keys, supporting both platform authenticators and roaming security keys, according to Scramble ID. The architectural shift matters because authentication no longer depends on shared secrets, but recovery, proofing, and authorization still remain separate governance problems.

NHIMG editorial — based on content published by Scramble ID: What Is FIDO2?

Questions worth separating out

Q: How should organisations roll out FIDO2 without breaking recovery and support?

A: Start with high-risk populations, then design recovery before broad enforcement.

Q: Why do FIDO2 and passkeys reduce phishing risk more effectively than OTP codes?

A: FIDO2 binds the authentication response to the relying-party origin, so a lookalike site cannot reuse the assertion.

Q: What should IAM teams monitor when passkeys become the default login method?

A: Watch for anomalous registration events, unexpected recovery requests, and sudden changes in platform-account ownership.

Practitioner guidance

  • Map fallback paths that reintroduce shared secrets: Audit every application that supports FIDO2 and identify whether password, SMS OTP, or email recovery still exists as an alternate path.
  • Define enrollment and recovery trust boundaries: Require step-up verification for new authenticator registration, lost-device recovery, and platform-account changes.
  • Prefer phishing-resistant MFA for high-value access: Use FIDO2 or equivalent phishing-resistant methods for privileged users, administrators, and sensitive internal applications first.

What's in the full article

Scramble ID's full explanation covers the operational detail this post intentionally leaves for the source:

  • Step-by-step WebAuthn ceremony flows for registration and login across browsers and authenticators.
  • Detailed comparison of platform authenticators, roaming keys, and passkey sync behaviour.
  • Browser, OS, and authenticator boundary diagrams that show where the cryptographic trust anchor actually sits.
  • Practical notes on what FIDO2 does not solve, including identity proofing and recovery design.

👉 Read Scramble ID's full explanation of FIDO2 and passwordless authentication →

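As an added illustration of the origin binding described in the Q&A above (example code, not from the original post or from Scramble ID): the relying-party-side checks that tie a WebAuthn assertion to the expected origin and RP ID, run against constructed sample data. The RP ID, allowed origin and challenge are assumptions, and the public-key signature check over the returned signed bytes is left to a WebAuthn library.

```python
import base64
import hashlib
import json

# Constructed sample values for this example (not from any real deployment).
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}
CHALLENGE = b"server-issued-random-challenge-0001"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as the browser builds it for navigator.credentials.get()."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def make_authenticator_data(rp_id: str, sign_count: int) -> bytes:
    """authenticatorData: rpIdHash (32) || flags (1, UP|UV = 0x05) || signCount (4)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + sign_count.to_bytes(4, "big")

def verify_binding(client_data: bytes, auth_data: bytes, expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks that bind the assertion to this RP; the signature over
    signed_message() is verified with the registered public key only after these pass."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or stale request)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not an allowed origin"
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the expected RP ID"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "assertion is bound to this origin and RP ID"

def signed_message(client_data: bytes, auth_data: bytes) -> bytes:
    """Bytes the authenticator signs: authenticatorData || SHA-256(clientDataJSON)."""
    return auth_data + hashlib.sha256(client_data).digest()

if __name__ == "__main__":
    auth = make_authenticator_data(RP_ID, 7)
    print(verify_binding(make_client_data("https://login.example.com", CHALLENGE), auth, CHALLENGE))
    # A lookalike site gets its own origin in clientDataJSON, so the assertion is rejected.
    print(verify_binding(make_client_data("https://login-example.com", CHALLENGE), auth, CHALLENGE))
```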
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5624
 

FIDO2 is a control redesign, not just a stronger login method. The standard removes reusable shared secrets from the primary authentication ceremony, which is why it materially changes phishing economics. But it does not remove the need for identity proofing, account recovery, or authorization policy. That means IAM teams must separate authentication assurance from lifecycle governance instead of treating them as one problem.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: What is the difference between authentication assurance and authorization in FIDO2 deployments?

A: Authentication assurance answers whether the user proved possession of a trusted authenticator. Authorization answers what that authenticated user can do afterward. FIDO2 strengthens the first problem only, so teams still need RBAC, ABAC, scoped tokens, and privilege review to control downstream access.

👉 Read our full editorial: FIDO2 and passwordless authentication: what IAM teams need to know
