TL;DR: Passkeys are moving from consumer authentication into enterprise and organisational login models, driven in part by Japan’s financial sector guidance on phishing-resistant authentication, according to Cybertrust Japan. The real governance question is not whether passkeys are safer in isolation, but how device binding, recovery, and unmanaged endpoints change identity assurance and account control.
NHIMG editorial — based on content published by Cybertrust Japan: BtoC passkeys and whether they can be used for enterprise and organisational authentication
By the numbers:
- In 2025, 9,752 incidents of unauthorised access to securities accounts were reported over one year in Japan.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
- Certificate expiry is the leading cause of outages for 45% of organisations.
Questions worth separating out
Q: What breaks when passkeys are used without endpoint governance?
A: Passkeys can still authenticate the wrong endpoint if organisations do not control device provenance.
Q: Why do passkeys matter for enterprise IAM beyond password replacement?
A: Passkeys matter because they change the control plane for human authentication.
Q: What do security teams get wrong about passkey adoption?
A: The common mistake is to treat passkeys as a simple MFA upgrade.
Practitioner guidance
- Map passkey assurance to device provenance Document whether your policy accepts synchronised credentials, device-bound keys, or both.
- Restrict cross-device flows on unmanaged endpoints Limit QR-code approval and Bluetooth proximity login to devices that meet your managed endpoint standard.
- Rework recovery and reset processes before rollout Replace password-reset assumptions with a passkey recovery playbook that covers lost devices, account compromise, and user offboarding.
What's in the full article
Cybertrust Japan's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step passkey setup guidance for Apple, Google, and Microsoft ecosystems.
- Detailed comparison of synchronised passkeys, fixed device-bound keys, and cross-device flows.
- Configuration examples for restricting passkey use to managed devices and approved endpoints.
- Operational discussion of how financial-sector guidance is influencing adoption decisions.
👉 Read Cybertrust Japan's analysis of passkeys for enterprise and organisational authentication →
Passkeys for enterprise login: what changes for IAM teams?
Explore further
Passkeys are a human IAM control, but they become a lifecycle problem the moment organisations try to operationalise them. The article is really about assurance transfer: moving from shared secrets to device-bound credentials changes how enrolment, recovery, and revocation work. That aligns directly with NIST SP 800-63C federation thinking and NIST CSF access control outcomes. Practitioners should treat passkey rollout as an identity lifecycle redesign, not an authentication settings change.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs , Why NHI Security Matters Now.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable when passkey-based authentication fails in a regulated environment?
A: Accountability usually sits with the IAM owner, the endpoint management team, and the business system owner together. If passkey failures are caused by unmanaged devices, weak recovery rules, or poor offboarding, the issue is not the cryptography itself. It is the governance model around how the credential is issued, stored, and revoked.
👉 Read our full editorial: Passkeys can extend to enterprise and org login controls