Passkeys for shared apps: what changes for IAM teams?


(@nhi-mgmt-group)

TL;DR: Passkeys replace passwords with cryptographic authentication tied to a user’s device and are positioned by Cerby for shared-app access, admin visibility, and reduced password overhead, according to Cerby and the FIDO Alliance. Passwordless controls improve sign-in security, but they also force IAM teams to rethink how shared accounts, revocation, and access logging are governed.

NHIMG editorial — based on content published by Cerby: Passkeys in Cerby

Questions worth separating out

Q: How should security teams govern passkeys for shared application accounts?

A: Security teams should treat the shared account as the governed object and the passkey as the authentication method attached to it.

Q: Why do passkeys reduce phishing risk but not governance risk?

A: Passkeys reduce phishing risk because there is no reusable password for an attacker to steal or replay.

Q: What breaks when shared accounts move to passkeys without lifecycle controls?

A: The biggest failure is false confidence.

Practitioner guidance

  • Map passkey use to account ownership: Inventory which applications use passkeys for shared or delegated access, then assign a clear owner for enrolment, recovery, and deletion decisions.
  • Define recovery and revocation workflows: Document how a passkey is removed when a user leaves, a device is lost, or a vendor relationship ends, and make the workflow auditable.
  • Separate authentication strength from lifecycle control: Review whether the account can still be misused after a passkey is issued, especially where the same login is shared across teams or third parties.

What's in the full article

Cerby's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step passkey creation and login flows in the Cerby mobile app.
  • Platform support details for iOS, Android, and version-specific passkey behaviour.
  • How Cerby stores passkeys in its encrypted vault and assigns them to existing credentials on iOS.
  • Practical guidance for deleting or removing passkeys from an account after enrolment.

👉 Read Cerby's passkey guidance for shared app authentication and setup detail →
