Subscribe to the Non-Human & AI Identity Journal
Home FAQ NHI Lifecycle Management How should security teams govern FIDO2 credentials across…
NHI Lifecycle Management

How should security teams govern FIDO2 credentials across their lifecycle?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 11, 2026 Domain: NHI Lifecycle Management

Security teams should govern FIDO2 as a full credential lifecycle, not as a one-time enrollment event. That means defining who can issue, bind, reset, re-provision, and revoke credentials, then attaching logging and approval to each step. The objective is to keep phishing resistance aligned with operational control throughout the credential's life.

Why This Matters for Security Teams

FIDO2 changes the phishing equation, but it does not remove operational risk. A credential can still be over-issued, reset without approval, left bound to an abandoned device, or recovered through weak helpdesk processes. Security teams need lifecycle governance because the strongest authenticator still depends on how enrollment, recovery, and revocation are controlled in practice. NIST’s NIST SP 800-63 Digital Identity Guidelines treat authenticator management as part of identity assurance, not an afterthought.

The same lesson appears in NHI operations. NHIMG’s NHI Lifecycle Management Guide shows that control failures usually happen at the edges of the lifecycle, where ownership, reset authority, and deprovisioning are unclear. That is why FIDO2 governance should be mapped to specific approval paths, audit events, and break-glass handling, rather than assumed safe because the token itself is resistant to phishing. In practice, many security teams discover weak recovery and stale registrations only after a user takeover or device loss has already been exploited.

How It Works in Practice

Effective FIDO2 governance starts with defining the lifecycle states: issuance, binding, replacement, temporary suspension, recovery, and revocation. Each state should have a named owner, an approval requirement, and a loggable event. That approach aligns with the OWASP Non-Human Identity Top 10 principle that credentials must be managed as active attack surfaces, not static assets.

For most organisations, the practical controls are straightforward:

  • Bind a FIDO2 credential to a specific user, device, and assurance level at enrollment.
  • Require step-up approval for replacement or recovery, especially when support staff are involved.
  • Track hardware token serials or passkey registrations to detect duplicates and orphaned bindings.
  • Revoke credentials automatically when a device is lost, a user exits, or a risk signal indicates compromise.
  • Review recovery channels such as email, SMS, or helpdesk identity proofing for downgrade risk.

For teams managing broader identity estates, the NHI pattern from NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful because it treats issuance and revocation as governed events with observable controls. The same mindset applies to FIDO2: the credential should be treated as a governed authenticator with recorded ownership, not a one-time registration artifact.

Teams should also align recovery with NIST SP 800-53 control intent, especially where authentication, auditability, and account recovery intersect. These controls tend to break down in large service desks with delegated resets and inconsistent proofing, because the recovery path becomes easier to abuse than the login path itself.

Common Variations and Edge Cases

Tighter FIDO2 governance often increases helpdesk friction and user recovery time, so organisations must balance phishing resistance against operational continuity. There is no universal standard for recovery workflows yet, and current guidance suggests choosing controls based on account criticality rather than applying one policy everywhere.

One common edge case is shared or administrative access. FIDO2 works best when a credential maps to a single accountable identity, so shared tokens, pooled kiosks, and generic admin accounts create ambiguity about ownership and revocation. Another issue is BYOD and cross-device passkeys, where sync convenience can weaken device-level assurance if policy does not distinguish between platform authenticators and hardware keys.

Security teams should also watch for lifecycle drift after onboarding. A credential issued during enrollment may remain valid long after role changes, contractor offboarding, or device replacement unless the organization enforces periodic review. NHIMG’s Guide to the Secret Sprawl Challenge is a reminder that unmanaged credentials accumulate silently when governance focuses only on issuance and ignores cleanup. The right model is to make every FIDO2 event observable, reviewed, and revocable, with the assumption that recovery paths are part of the attack surface.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST SP 800-63, NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST SP 800-63Defines authenticator lifecycle and recovery assurance requirements.
OWASP Non-Human Identity Top 10NHI-03Covers credential lifecycle risks and weak rotation or revocation.
NIST CSF 2.0PR.AA-01Supports identity proofing, authentication, and access governance.
NIST AI RMFUseful when FIDO2 protects AI-enabled or automated workflows.

Use NIST 800-63 to set issuance, binding, recovery, and revocation rules for every FIDO2 authenticator.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org