TL;DR: FIDO2 improves user authentication, but it does not cover machine identities, email signing, or document signing, making PKI the missing complement for broader identity protection, according to Axiad. The real issue is that passwordless authentication solves one layer of identity risk while leaving machine and interaction trust unresolved.
NHIMG editorial — based on content published by Axiad: PKI and FIDO2: The Dynamic Duo of Authentication
By the numbers:
- 90% of IT leaders have seen an increase in cyberattacks since the transition to remote work.
- 87% of large organizations already have adopted MFA solutions.
Questions worth separating out
Q: How should security teams combine FIDO2 and PKI without creating overlap?
A: Use FIDO2 for strong human authentication and PKI for machine identities, email signing, encryption, and document trust.
Q: Why do passwordless programmes still leave identity risk behind?
A: Passwordless reduces credential theft at the login layer, but it does not address non-human identities, device trust, or cryptographic proof for signed communications.
Q: When should organisations prioritise PKI over another MFA method?
A: Prioritise PKI when the business needs certificate-based trust for devices, secure email, document signing, or regulated communications.
Practitioner guidance
- Separate human login modernisation from machine identity governance: use FIDO2 to improve user authentication, but inventory devices, applications, and other non-human identities that still need certificate-based trust controls.
- Map where signed communications depend on identity assurance: identify email and document workflows that require signing, encryption, or non-repudiation so PKI policy matches the business process.
- Put certificate lifecycle under explicit ownership: define issuance, renewal, revocation, and offboarding responsibilities before scaling PKI across cloud and hybrid environments.
What's in the full article
Axiad's full blog post covers the operational detail this post intentionally leaves for the source:
- The specific FIDO2 and PKI use cases the vendor maps to users, devices, email, and documents.
- The operational explanation of how its platform handles certificate management across cloud and hybrid environments.
- The implementation framing for combining mobile authenticators, hardware keys, and PKI in one credential strategy.
👉 Read Axiad’s analysis of why PKI complements FIDO2 for authentication →
PKI and FIDO2 for IAM teams: what changes in practice?
Explore further
Passwordless authentication does not equal complete identity coverage. FIDO2 reduces user login risk, but it was designed for user authentication flows, not for the broader trust problems created by machines, signed email, and document workflows. The assumption that a modern login standard can stand in for a complete identity programme fails as soon as the organisation must govern non-human trust. Practitioners should separate human authentication improvement from full identity coverage.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means many identity programmes still cannot see the full machine identity surface they are meant to govern.
A question worth separating out:
Q: What is the difference between user authentication and identity trust for communications?
A: User authentication proves a person or device can log in. Identity trust for communications proves the sender, message, or document has not been altered and can be verified later. That distinction matters because many enterprise risks sit in what happens after login, not only at the login event.
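The distinction in the answer above can be shown with two uses of the same key pair. The following Go program is an added example written for this editorial; it is not code from Axiad or from the FIDO2 or PKI standards, and it models a FIDO2 assertion in simplified form (the authenticator signs the relying party's identifier plus a fresh challenge, where a real authenticator signs authenticator data plus a hash of the client data). The relying-party identifier `example.test`, the helper names and the document text are constructed for the example. A login assertion is only meaningful for the challenge it was issued against, so it cannot be replayed and cannot later stand in as proof about a document; a detached document signature is kept with the document and re-verified at any time, and any change to the body makes verification fail.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models a FIDO2-style security key or a PKI smart card:
// the private key is generated on the device and never leaves it.
type Authenticator struct{ key *ecdsa.PrivateKey }

// NewAuthenticator generates a P-256 key pair for the example device.
func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{key: k}, nil
}

// Public returns the key the relying party or certificate would hold.
func (a *Authenticator) Public() *ecdsa.PublicKey { return &a.key.PublicKey }

// Sign returns an ASN.1 DER ECDSA signature over SHA-256(data).
func (a *Authenticator) Sign(data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, a.key, h[:])
}

// Verify checks sig over SHA-256(data) under pub.
func Verify(pub *ecdsa.PublicKey, data, sig []byte) bool {
	h := sha256.Sum256(data)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// NewChallenge returns a fresh 32-byte random challenge for one login attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// loginAssertion is the data a login signature covers: the relying party ID and
// the one-time challenge (simplified model of FIDO2 authenticator/client data).
func loginAssertion(rpID string, challenge []byte) []byte {
	return append([]byte("login:"+rpID+":"), challenge...)
}

// GetAssertion is the authenticator side of a FIDO2-style login.
func (a *Authenticator) GetAssertion(rpID string, challenge []byte) ([]byte, error) {
	return a.Sign(loginAssertion(rpID, challenge))
}

// VerifyAssertion is the relying-party side: the login is accepted only if the
// signature covers this exact challenge, so the proof is bound to this moment.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return Verify(pub, loginAssertion(rpID, challenge), sig)
}

// SignedDocument is a document carrying a detached signature (the PKI case).
type SignedDocument struct {
	Body      []byte
	Signature []byte
}

// SignDocument produces a signature that travels with the document.
func SignDocument(a *Authenticator, body []byte) (SignedDocument, error) {
	sig, err := a.Sign(body)
	return SignedDocument{Body: body, Signature: sig}, err
}

// VerifyDocument can be run by anyone holding the public key, at any later time;
// it fails if the body was altered or the signature belongs to other data.
func VerifyDocument(pub *ecdsa.PublicKey, d SignedDocument) bool {
	return Verify(pub, d.Body, d.Signature)
}

func main() {
	auth, _ := NewAuthenticator()
	pub := auth.Public()

	// Login: proves possession of the key now, for this challenge only.
	c1, _ := NewChallenge()
	sig1, _ := auth.GetAssertion("example.test", c1)
	fmt.Println("login accepted:", VerifyAssertion(pub, "example.test", c1, sig1))
	c2, _ := NewChallenge()
	fmt.Println("same assertion replayed against a new challenge:", VerifyAssertion(pub, "example.test", c2, sig1))

	// Signing: proof about the content itself, verifiable later and tamper-evident.
	doc, _ := SignDocument(auth, []byte("constructed contract text"))
	fmt.Println("document verifies:", VerifyDocument(pub, doc))
	doc.Body = []byte("constructed contract text, altered")
	fmt.Println("altered document verifies:", VerifyDocument(pub, doc))

	// A login assertion says nothing about a document.
	fmt.Println("login assertion as document proof:", Verify(pub, []byte("constructed contract text"), sig1))
}
```

Run with `go run .`; the first and third checks print `true`, the others `false`. The replay and cross-use failures are the point of the answer above: FIDO2 answers "does this person hold the key right now", while the document signature answers "was this content produced by the key holder and left unchanged", which is the question email signing, document signing and machine identity raise after the login event.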
👉 Read our full editorial: PKI and FIDO2 together close authentication gaps