Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk How should security teams use passkeys and digital…
Governance, Ownership & Risk

How should security teams use passkeys and digital credentials together?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 11, 2026 Domain: Governance, Ownership & Risk

Use passkeys for routine authentication and digital credentials for proving verified attributes. The clean pattern is login with a passkey, then use a digital credential only when the workflow needs an issuer-backed claim such as age, licence status, or regulated identity proof. That separation keeps authentication simple while giving high-assurance steps stronger evidence.

Why This Matters for Security Teams

Passkeys and digital credentials solve different problems, and mixing them up creates avoidable friction and weak assurance. Passkeys are best for proving a user is present at login, while digital credentials are best for proving an issuer-backed attribute such as age, licence status, or regulated eligibility. That distinction matters because authentication tells you who is signing in, but an attribute credential tells you what they are allowed to claim.

Security teams often get this wrong by trying to make one mechanism do both jobs. The result is over-sharing, repeated verification prompts, or brittle workflows that bypass controls altogether. Current guidance from the NIST SP 800-63 Digital Identity Guidelines supports using the right assurance primitive for the right step, while NHIMG research on the Ultimate Guide to NHIs — Static vs Dynamic Secrets shows why static trust assumptions fail when verification needs vary by workflow.

In practice, many security teams encounter credential sprawl only after users, apps, and compliance checks have already drifted into inconsistent verification patterns.

How It Works in Practice

The clean operating model is sequential. Use the passkey first to authenticate the person or device holder, then request a digital credential only when the transaction needs a higher-confidence claim. That keeps login simple and limits the disclosure of personal data. It also lets teams separate session establishment from attribute verification, which is easier to audit and explain to users.

At the policy level, the passkey should satisfy the access gate, while the digital credential should satisfy the business rule. For example, a support portal might accept a passkey for account access, then ask for a verifiable licence or employee credential before allowing a regulated workflow. This is consistent with the direction in OWASP Non-Human Identity Top 10 and the broader identity assurance model in NIST SP 800-53 Rev 5 Security and Privacy Controls.

  • Use passkeys for phishing-resistant sign-in and session binding.
  • Use digital credentials only for issuer-backed claims, not every login.
  • Minimise attribute disclosure so the workflow receives only what it needs.
  • Log credential presentation separately from authentication for auditability.
  • Define fallbacks for users whose devices cannot present a passkey or wallet.

NHIMG’s analysis of the Guide to the Secret Sprawl Challenge reinforces a practical lesson: when organisations treat every proof as an all-purpose credential, they create unnecessary exposure and more failure points. These controls tend to break down in legacy portals that cannot separate login, step-up verification, and attribute checks because the application logic was never designed for layered identity assurance.

Common Variations and Edge Cases

Tighter assurance often increases user friction, so organisations have to balance stronger verification against support cost and workflow speed. That tradeoff becomes most visible in regulated onboarding, high-value transactions, and cross-organisation trust flows.

Best practice is evolving for selective disclosure. Some teams want a digital credential to replace repeated identity questions entirely, while others still require a passkey plus a separate claim because their risk model or legal environment demands both. There is no universal standard for this yet, so policy should be explicit about which claims are mandatory, which are optional, and which can be deferred until a higher-risk action.

Edge cases also appear when the identity proof is not for a human at all, but for an operator acting through delegated systems. In those cases, teams should avoid forcing passkeys into machine workflows and instead keep human authentication distinct from credential presentation. The same principle applies when a user must prove one attribute to one relying party but should not reuse that proof elsewhere.

For organisations still maturing their identity stack, the safest path is to start with narrow, high-value use cases and expand only after the assurance and revocation model is proven.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST SP 800-63, NIST CSF 2.0, NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST SP 800-63IAL2Defines identity proofing and verifier assurance for attribute-backed credentials.
NIST CSF 2.0PR.AA-1Supports strong authentication and identity proofing for access decisions.
OWASP Non-Human Identity Top 10NHI-07Relevant to credential scope, misuse, and limiting exposure of identity artifacts.
NIST AI RMFHelps govern identity-related AI and automated decision steps that rely on credentials.
NIST Zero Trust (SP 800-207)DA.RPZero trust aligns with stepwise verification and continuous policy enforcement.

Use verified attributes only where the required assurance level is documented and enforced.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org