TL;DR: FIDO2 strengthens user authentication with phishing-resistant credentials, but it does not cover machines, email signing, or document signing, according to Axiad’s analysis. The practical issue is not password replacement alone, but closing the authentication gaps that remain across human, machine, and interaction identity.
NHIMG editorial — based on content published by Axiad: PKI and FIDO2: The Dynamic Duo of Authentication
By the numbers:
- 87% of large organizations have already adopted MFA solutions.
- There has been a 350% increase in phishing attacks in the last year.
Questions worth separating out
Q: How should security teams use FIDO2 without creating blind spots in IAM?
A: Use FIDO2 for phishing-resistant human authentication, but define where it stops.
Q: Why do PKI and passwordless authentication solve different identity problems?
A: They solve different layers of identity assurance.
Q: What breaks when machine identities are not included in passwordless plans?
A: Coverage. Machines, email, and document trust stay outside the passwordless control, so the shared secrets behind them remain in place.
Practitioner guidance
- Separate human login from machine trust: Inventory where FIDO2 is used for user authentication and where certificates are required for devices, email, or documents.
- Centralise certificate lifecycle ownership: Assign clear ownership for issuance, renewal, revocation, and policy enforcement across all certificate types, including those used for endpoints and application trust.
- Measure identity coverage, not password removal: Track which business processes still depend on shared secrets, unsecured email trust, or unsigned documents after passwordless rollout.
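One way to turn the three points above into a repeatable check is a small coverage assessment over an identity inventory. The script below is an added example, not code from Axiad or NHIMG: the policy matrix (FIDO2 for human login, certificates for machines, S/MIME and signing certificates for email and documents), the control names, and the inventory entries are all constructed for illustration. It counts a subject as covered only when it has the accepted control for its kind and no leftover shared secret, which is the distinction between "passwordless rollout" and actual coverage.

```python
from dataclasses import dataclass, field
from collections import defaultdict

# Hypothetical policy matrix derived from the guidance above: which control
# is accepted as cryptographic identity for each kind of subject.
REQUIRED_CONTROL = {
    "human-login": {"fido2"},
    "machine": {"certificate"},
    "email": {"smime-certificate"},
    "document": {"signing-certificate"},
}

# Any of these still in use is an open gap, even next to a stronger control.
SHARED_SECRET_CONTROLS = {"password", "api-key", "shared-secret"}


@dataclass
class Subject:
    name: str
    kind: str          # one of the keys in REQUIRED_CONTROL
    controls: set      # controls currently in use for this subject


@dataclass
class CoverageReport:
    covered: dict = field(default_factory=dict)   # kind -> (covered, total)
    gaps: list = field(default_factory=list)      # (subject name, reason)


def assess(subjects):
    """Count covered subjects per kind and list every gap found."""
    counts = defaultdict(lambda: [0, 0])
    report = CoverageReport()
    for s in subjects:
        accepted = REQUIRED_CONTROL.get(s.kind)
        if accepted is None:
            report.gaps.append((s.name, f"unknown subject kind {s.kind!r}"))
            continue
        counts[s.kind][1] += 1
        ok = True
        if not (s.controls & accepted):
            ok = False
            report.gaps.append(
                (s.name, f"no accepted control for {s.kind}; has {sorted(s.controls)}"))
        leftover = s.controls & SHARED_SECRET_CONTROLS
        if leftover:
            ok = False
            report.gaps.append(
                (s.name, f"still depends on shared secret(s) {sorted(leftover)}"))
        if ok:
            counts[s.kind][0] += 1
    report.covered = {k: (v[0], v[1]) for k, v in counts.items()}
    return report


def coverage_ratio(report, kind):
    """Fraction of subjects of this kind that are fully covered (0.0 if none)."""
    c, t = report.covered.get(kind, (0, 0))
    return c / t if t else 0.0


# Constructed sample inventory (not real systems or accounts).
SAMPLE = [
    Subject("alice", "human-login", {"fido2"}),
    Subject("bob", "human-login", {"fido2", "password"}),   # passwordless in name only
    Subject("build-runner-01", "machine", {"api-key"}),     # no certificate at all
    Subject("web-frontend", "machine", {"certificate"}),
    Subject("finance-mailbox", "email", set()),             # unsigned, unencrypted mail
    Subject("contract-signing", "document", {"signing-certificate"}),
]

if __name__ == "__main__":
    r = assess(SAMPLE)
    for kind, (c, t) in r.covered.items():
        print(f"{kind}: {c}/{t} covered")
    for name, why in r.gaps:
        print(f"GAP {name}: {why}")
```

Run against the constructed inventory, human login reports 1 of 2 covered because the second user still has a password fallback, machines report 1 of 2, and email reports 0 of 1. That is the number worth tracking after a rollout; the FIDO2 adoption count alone would have read 2 of 2.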
What's in the full article
Axiad's full blog post covers the operational detail this post intentionally leaves for the source:
- How Axiad frames specific FIDO2 use cases across mobile, desktop, and browser-based authentication
- The certificate lifecycle details behind PKI issuance, renewal, and revocation in cloud environments
- The practical examples for email signing, encryption, and document signing that show where PKI extends trust
- The integration model for managing FIDO2 devices and PKI certificates in one platform
👉 Read Axiad's analysis of how PKI and FIDO2 work together for authentication →
PKI and FIDO2: what IAM teams still miss beyond passwordless?
Explore further
FIDO2 solves human authentication, not identity coverage. The article is right to separate passwordless login from the broader identity problem. FIDO2 is a user-authentication control, while machines, email, and document trust still need cryptographic identity outside the browser sign-in path. The practitioner conclusion is that passwordless rollouts must be measured against actual coverage, not adoption headlines.
A few things that frame the scale:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: Should organisations manage FIDO2 and PKI in separate programmes?
A: No. Separate programmes usually create duplicated policy, inconsistent revocation, and unclear ownership for assurance decisions. FIDO2 and PKI should sit in one governance model, with different controls for different subjects. That gives IAM, PKI, and security teams a shared view of which identity type is being authenticated, trusted, or signed at any point.
👉 Read our full editorial: PKI and FIDO2 together close authentication gaps beyond passwords