Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Passkeys, device binding, and AI agents: are controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Passkeys have surpassed 2 billion global uses, but the FIDO plenary discussed how syncable passkeys still leave enterprise control and policy-enforcement gaps compared with device-bound credentials, according to OneSpan. As AI-driven use cases expand, passwordless authentication is becoming an identity governance problem, not just an authentication upgrade.

NHIMG editorial — based on content published by OneSpan: What's ahead for passwordless authentication, with takeaways from the FIDO Alliance plenary

Questions worth separating out

Q: How should security teams decide where to use syncable passkeys versus device-bound keys?

A: Use syncable passkeys where usability and scale matter most, but keep device-bound keys for privileged access, regulated workflows, and any application where the organisation must preserve a stronger device-to-credential binding.

Q: Why do passwordless controls still need governance if phishing resistance is improved?

A: Phishing resistance removes one major attack path, but it does not solve policy enforcement, device trust, or delegated use cases.

Q: What do security teams get wrong about passkeys in regulated environments?

A: They often treat passkeys as a universal replacement for passwords instead of an assurance model with different operating modes.

Practitioner guidance

  • Classify which users can accept syncable passkeys Separate standard users, privileged users, and regulated workflows so that syncable credentials are only allowed where device portability is acceptable.
  • Preserve hardware-backed assurance for high-risk access Require hardware security keys for privileged administration, sensitive financial actions, and any use case where mobile or cloud-synced authenticators weaken assurance.
  • Rework authentication policy for delegated AI actions Map where an AI system is acting on behalf of a user and require separate policy for delegated execution, rather than assuming a normal login event is enough.

What's in the full article

OneSpan's full article covers the operational detail this post intentionally leaves for the source:

  • Direct takeaways from the FIDO Alliance plenary discussion on syncable passkeys, trust signals, and relational public key approaches
  • OneSpan's perspective on hardware security keys and where they fit in regulated authentication programmes
  • The article's discussion of how agentic AI may force FIDO standards to evolve beyond explicit user presence proof
  • Context on OneSpan's FIDO portfolio and its acquisition of Nok Nok Labs

👉 Read OneSpan's analysis of passkeys, hardware security keys, and AI-driven authentication →

Passkeys, device binding, and AI agents: are controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Passkey adoption is outpacing enterprise trust design: The market has treated passwordless authentication as a credential-format problem, but the real issue is control boundary design. Syncable passkeys improve reach and usability, yet they weaken the assumption that the enterprise controls the full lifecycle of the authenticator. Practitioners should read this as a warning that authentication strength alone does not equal governance strength.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most teams still cannot reliably govern non-human access at scale.

A question worth separating out:

Q: Who is accountable when an AI system uses delegated authentication to act on a user’s behalf?

A: Accountability should sit with the organisation that approved the delegation model and defined the policy boundaries, not with the authentication method itself. Teams need to specify who can initiate delegated actions, what the system may do, and where human review is required. Without that, passwordless authentication can become a governance blind spot instead of a control.

👉 Read our full editorial: Passwordless authentication gaps remain as passkeys go mainstream



   
ReplyQuote
Share: