Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Passkeys for shared apps: what changes for IAM teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Passkeys replace passwords with cryptographic authentication tied to a user’s device and are positioned by Cerby for shared-app access, admin visibility, and reduced password overhead, according to Cerby and the FIDO Alliance. Passwordless controls improve sign-in security, but they also force IAM teams to rethink how shared accounts, revocation, and access logging are governed.

NHIMG editorial — based on content published by Cerby: Passkeys in Cerby

By the numbers:

Questions worth separating out

Q: How should security teams govern passkeys for shared application accounts?

A: Security teams should treat the shared account as the governed object and the passkey as the authentication method attached to it.

Q: Why do passkeys reduce phishing risk but not governance risk?

A: Passkeys reduce phishing risk because there is no reusable password for an attacker to steal or replay.

Q: What breaks when shared accounts move to passkeys without lifecycle controls?

A: The biggest failure is false confidence.

Practitioner guidance

  • Map passkey use to account ownership Inventory which applications use passkeys for shared or delegated access, then assign a clear owner for enrolment, recovery, and deletion decisions.
  • Define recovery and revocation workflows Document how a passkey is removed when a user leaves, a device is lost, or a vendor relationship ends, and make the workflow auditable.
  • Separate authentication strength from lifecycle control Review whether the account can still be misused after a passkey is issued, especially where the same login is shared across teams or third parties.

What's in the full article

Cerby's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step passkey creation and login flows in the Cerby mobile app.
  • Platform support details for iOS, Android, and version-specific passkey behaviour.
  • How Cerby stores passkeys in its encrypted vault and assigns them to existing credentials on iOS.
  • Practical guidance for deleting or removing passkeys from an account after enrolment.

👉 Read Cerby's passkey guidance for shared app authentication and setup detail →

Passkeys for shared apps: what changes for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Passkeys strengthen authentication, but they do not solve identity governance. A passwordless login flow removes a reusable secret, yet the organisation still has to decide who can create, inherit, recover, and revoke access. The control shifts the problem from password handling to lifecycle governance, which is where many programmes are weakest. Practitioners should treat passkeys as one control in a broader identity model, not as a complete access strategy.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: How do passkeys fit into broader IAM and zero trust programmes?

A: Passkeys fit best as part of a broader IAM and zero trust model that also governs device trust, access scope, and revocation. They improve the authentication step, but zero trust still requires continuous verification of identity, device, and policy state across the access lifecycle.

👉 Read our full editorial: Passkeys in Cerby shift shared-app access toward phishing resistance



   
ReplyQuote
Share: