FIDO passkeys and AI agents: what changes for IAM teams?

TL;DR: FIDO passkeys have surpassed 2 billion global uses, but synchronised credentials still leave policy and control gaps compared with device-bound authenticators, according to OneSpan’s analysis of the FIDO Alliance plenary. As AI begins to act on behalf of users, passwordless governance shifts from login experience to identity assurance and delegation control.

NHIMG editorial — based on content published by OneSpan: L'avenir de l'authentification sans mot de passe: Les enseignements de la réunion plénière de l'Alliance FIDO

Questions worth separating out

Q: How should organisations decide between synchronised and device-bound passkeys?

A: Use synchronised passkeys where usability matters and the access risk is moderate, but prefer device-bound authenticators when policy fidelity, auditability, or regulated assurance requirements are higher.

Q: Why do passkeys not fully solve enterprise identity governance?

A: Passkeys remove password weakness, but they do not automatically solve recovery, device portability, delegation, or policy enforcement.

Q: How should teams govern AI actions that depend on user authentication?

A: Treat authentication and delegation as separate control layers.

Practitioner guidance

• Define authenticator policy by assurance tier Separate low-risk convenience use cases from regulated or high-impact applications, and require device-bound authenticators where assurance, auditability, or recovery controls cannot be weakened.
• Map delegated AI actions to explicit authority boundaries If users will rely on AI to take actions for them, require a separate governance model for delegated execution rather than assuming the login event covers the whole action chain.
• Review passkey recovery paths Examine how account recovery, device replacement, and cloud sync affect the organisation’s ability to preserve control over authenticator ownership and policy enforcement.

What's in the full article

OneSpan's full article covers the operational detail this post intentionally leaves for the source:

• The FIDO plenary themes discussed in Istanbul, including the standards questions raised by synchronised passkeys and AI-assisted identity.
• The case for hardware security keys in regulated environments where mobile authenticator acceptance and policy control differ.
• The practical discussion of trust signals and relational public keys, which this post treats only at a high level.
• The acquisition context around Nok Nok Labs and how OneSpan frames its expanded authentication portfolio.

👉 Read OneSpan's analysis of passwordless authentication, FIDO, and AI →

FIDO passkeys and AI agents: what changes for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →