Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

FIDO passkeys and AI agents: what changes for IAM teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: FIDO passkeys have surpassed 2 billion global uses, but synchronised credentials still leave policy and control gaps compared with device-bound authenticators, according to OneSpan’s analysis of the FIDO Alliance plenary. As AI begins to act on behalf of users, passwordless governance shifts from login experience to identity assurance and delegation control.

NHIMG editorial — based on content published by OneSpan: L'avenir de l'authentification sans mot de passe: Les enseignements de la réunion plénière de l'Alliance FIDO

Questions worth separating out

Q: How should organisations decide between synchronised and device-bound passkeys?

A: Use synchronised passkeys where usability matters and the access risk is moderate, but prefer device-bound authenticators when policy fidelity, auditability, or regulated assurance requirements are higher.

Q: Why do passkeys not fully solve enterprise identity governance?

A: Passkeys remove password weakness, but they do not automatically solve recovery, device portability, delegation, or policy enforcement.

Q: How should teams govern AI actions that depend on user authentication?

A: Treat authentication and delegation as separate control layers.

Practitioner guidance

  • Define authenticator policy by assurance tier Separate low-risk convenience use cases from regulated or high-impact applications, and require device-bound authenticators where assurance, auditability, or recovery controls cannot be weakened.
  • Map delegated AI actions to explicit authority boundaries If users will rely on AI to take actions for them, require a separate governance model for delegated execution rather than assuming the login event covers the whole action chain.
  • Review passkey recovery paths Examine how account recovery, device replacement, and cloud sync affect the organisation’s ability to preserve control over authenticator ownership and policy enforcement.

What's in the full article

OneSpan's full article covers the operational detail this post intentionally leaves for the source:

  • The FIDO plenary themes discussed in Istanbul, including the standards questions raised by synchronised passkeys and AI-assisted identity.
  • The case for hardware security keys in regulated environments where mobile authenticator acceptance and policy control differ.
  • The practical discussion of trust signals and relational public keys, which this post treats only at a high level.
  • The acquisition context around Nok Nok Labs and how OneSpan frames its expanded authentication portfolio.

👉 Read OneSpan's analysis of passwordless authentication, FIDO, and AI →

FIDO passkeys and AI agents: what changes for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Synchronised passkeys solve adoption friction, but they also create trust dilution. The more a credential can move across devices and recovery paths, the less deterministic the enterprise’s control over its use becomes. That is a governance problem, not merely an authentication design choice. Practitioners should treat synchronisation as an assurance decision, not a default setting.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.

A question worth separating out:

Q: What should security teams review before rolling out passkeys at scale?

A: Review recovery workflows, device replacement processes, application risk tiers, and whether a synchronised credential is acceptable for each use case. The critical question is whether the organisation can still enforce policy after the credential moves. If not, the rollout needs tighter binding or stronger authenticator classes.

👉 Read our full editorial: Passwordless authentication faces new gaps as AI changes FIDO



   
ReplyQuote
Share: