
Passkeys, device binding, and AI agents: are controls keeping up?


(@nhi-mgmt-group)
Member Moderator

TL;DR: Passkeys have surpassed 2 billion global uses, but the FIDO plenary discussed how syncable passkeys still leave enterprise control and policy-enforcement gaps compared with device-bound credentials, according to OneSpan. As AI-driven use cases expand, passwordless authentication is becoming an identity governance problem, not just an authentication upgrade.

NHIMG editorial — based on content published by OneSpan: What's ahead for passwordless authentication, with takeaways from the FIDO Alliance plenary

Questions worth separating out

Q: How should security teams decide where to use syncable passkeys versus device-bound keys?

A: Use syncable passkeys where usability and scale matter most, but keep device-bound keys for privileged access, regulated workflows, and any application where the organisation must preserve a stronger device-to-credential binding.

Q: Why do passwordless controls still need governance if phishing resistance is improved?

A: Phishing resistance removes one major attack path, but it does not solve policy enforcement, device trust, or delegated use cases.

Q: What do security teams get wrong about passkeys in regulated environments?

A: They often treat passkeys as a universal replacement for passwords instead of an assurance model with different operating modes.

Practitioner guidance

  • Classify which users can accept syncable passkeys. Separate standard users, privileged users, and regulated workflows so that syncable credentials are only allowed where device portability is acceptable.
  • Preserve hardware-backed assurance for high-risk access. Require hardware security keys for privileged administration, sensitive financial actions, and any use case where mobile or cloud-synced authenticators weaken assurance.
  • Rework authentication policy for delegated AI actions. Map where an AI system is acting on behalf of a user and require separate policy for delegated execution, rather than assuming a normal login event is enough.

What's in the full article

OneSpan's full article covers the operational detail this post intentionally leaves for the source:

  • Direct takeaways from the FIDO Alliance plenary discussion on syncable passkeys, trust signals, and relational public key approaches
  • OneSpan's perspective on hardware security keys and where they fit in regulated authentication programmes
  • The article's discussion of how agentic AI may force FIDO standards to evolve beyond explicit user presence proof
  • Context on OneSpan's FIDO portfolio and its acquisition of Nok Nok Labs

👉 Read OneSpan's analysis of passkeys, hardware security keys, and AI-driven authentication →
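Added example (not code from OneSpan, Nok Nok Labs or the NHIMG editorial): the first two guidance points above, classifying which user classes may enrol syncable passkeys and preserving device-bound assurance for privileged access, can be enforced at the relying party during registration. WebAuthn authenticators report whether a credential is syncable through the BE (backup eligible) and BS (backup state) bits of the flags byte in authenticatorData. The policy table, user-class names and the constructed authenticatorData samples are assumptions for illustration; a real registration response continues past byte 37 with attested credential data, which this parser does not need.

```python
"""Per-role passkey registration policy driven by WebAuthn authenticatorData flags.

Added example, not the original post's or any vendor's code. The user classes and
policy table are hypothetical; the authenticatorData samples are constructed.
"""
import hashlib

# authenticatorData = rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes) || ...
# Flag bits per WebAuthn: UP=0x01, UV=0x04, BE=0x08, BS=0x10, AT=0x40.
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS, FLAG_AT = 0x01, 0x04, 0x08, 0x10, 0x40


def parse_flags(auth_data: bytes) -> dict:
    """Decode the flags byte (offset 32) of a WebAuthn authenticatorData blob."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte fixed header")
    f = auth_data[32]
    return {
        "user_present": bool(f & FLAG_UP),
        "user_verified": bool(f & FLAG_UV),
        "backup_eligible": bool(f & FLAG_BE),  # BE=1: credential may be synced
        "backed_up": bool(f & FLAG_BS),        # BS=1: currently backed up
        "attested": bool(f & FLAG_AT),         # AT=1: registration carries credential data
    }


# Hypothetical policy table: which user classes may enrol a syncable credential.
POLICY = {
    "standard":   {"allow_syncable": True},
    "privileged": {"allow_syncable": False},
    "regulated":  {"allow_syncable": False},
}


def evaluate_registration(user_class: str, auth_data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a registration attempt by a user of the given class."""
    if user_class not in POLICY:
        return False, f"unknown user class {user_class!r}"
    flags = parse_flags(auth_data)
    if not flags["attested"]:
        return False, "registration response carries no attested credential data"
    if not (flags["user_present"] and flags["user_verified"]):
        return False, "user presence and user verification are both required"
    if flags["backed_up"] and not flags["backup_eligible"]:
        # WebAuthn forbids BS=1 with BE=0; treat it as a malformed or hostile response.
        return False, "BS set without BE is invalid; rejecting response"
    if flags["backup_eligible"] and not POLICY[user_class]["allow_syncable"]:
        return False, f"{user_class} users must enrol a device-bound (BE=0) credential"
    kind = "syncable" if flags["backup_eligible"] else "device-bound"
    return True, f"{kind} credential accepted for {user_class} user"


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed sample: only the 37-byte fixed header of authenticatorData."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + sign_count.to_bytes(4, "big"))


# Constructed samples for a hypothetical RP "example.com".
DEVICE_BOUND = make_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_AT)
SYNCABLE = make_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT)

if __name__ == "__main__":
    for cls in POLICY:
        for name, ad in (("device-bound", DEVICE_BOUND), ("syncable", SYNCABLE)):
            print(f"{cls:10} {name:12} -> {evaluate_registration(cls, ad)}")
```

The BE/BS bits are asserted by the authenticator, so they are only as trustworthy as the attestation you verify alongside them. Where the policy is "hardware security key required", pair this flag check with attestation verification and an allow-list of acceptable authenticator models; the flag check alone tells you the credential is not syncable, not that it lives in dedicated hardware.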
