No. High-risk and privileged accounts should require device-bound authenticators with PIN or biometric verification, while lower-risk use cases may justify more flexible options. One policy for every account usually creates either unnecessary friction or a false sense of assurance.
Why This Matters for Security Teams
Using one FIDO2 policy for every account sounds simple, but it ignores the very different risk profiles of privileged administrators, standard employees, contractors, and automated workflows. FIDO2 is not a single control outcome; it is a family of authenticators and assurance choices. NIST’s identity guidance treats authentication strength as context-dependent, not one-size-fits-all, and the broader governance model in the NIST Cybersecurity Framework 2.0 reinforces risk-based access decisions rather than blanket uniformity.
For NHI and identity teams, the practical issue is that a single policy often collapses two different goals into one control: reducing account takeover risk and preserving usable access. High-risk accounts need stronger phishing-resistant assurance, tighter device binding, and step-up verification. Lower-risk accounts may need easier recovery paths and less friction to avoid bypass behaviour. NHIMG research shows why this matters at scale: in the Ultimate Guide to NHIs, excessive privileges and incomplete lifecycle control remain common, which means authentication policy has to support governance, not just login.
In practice, many security teams discover the weakness of uniform FIDO2 policy only after a privileged account is overexposed or a recovery process becomes the easiest path around the intended control.
How It Works in Practice
A better model is tiered authentication policy. The first step is to classify accounts by privilege, blast radius, and recovery sensitivity. Privileged administrators, finance approvers, security operators, and identity administrators should generally require phishing-resistant FIDO2 authenticators with device binding and local user verification such as PIN or biometric confirmation. That aligns with current guidance in NIST SP 800-63 Digital Identity Guidelines, which emphasise authenticator assurance and verifier resistance to phishing rather than uniform treatment across all identities.
Lower-risk accounts may use less restrictive options if the organisation has compensating controls, such as session limits, conditional access, monitored recovery, and strong device posture checks. This is especially important where service desk load, shared devices, accessibility needs, or workforce diversity make strict uniformity impractical. The Top 10 NHI Issues also highlights that weak lifecycle management and excessive standing access often compound authentication gaps, so policy should be paired with entitlement review and offboarding discipline.
- Define account tiers by business impact, not job title alone.
- Require device-bound, phishing-resistant FIDO2 for privileged access.
- Use step-up authentication for sensitive actions rather than every routine login.
- Separate enrollment, recovery, and reauthentication rules so one weak path does not undo the whole policy.
- Review exceptions on a fixed cadence and retire temporary flexibilities.
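The tiering and evaluation rules above, as an added illustration that is not NHIMG's own tooling: the tier names, the blast-radius thresholds and the five-minute step-up window are assumptions, while the UP/UV/BE bits are the WebAuthn authenticator-data flags a relying party already receives with every assertion (BE clear means the credential is device-bound, BE set means a synced passkey).

```python
from dataclasses import dataclass
from enum import Enum

# WebAuthn authenticator-data flags byte (bit values are from the spec; the
# tiers and thresholds below are assumptions for this example, not NHIMG's).
FLAG_UP, FLAG_UV, FLAG_BE = 0x01, 0x04, 0x08  # presence, user verified, backup eligible


class Tier(Enum):
    PRIVILEGED = "privileged"  # admins, finance approvers, security/identity operators
    STANDARD = "standard"      # regular workforce
    LOW = "low"                # small blast radius, e.g. read-only portal access


@dataclass
class Assertion:
    flags: int         # flags byte parsed from the assertion's authenticator data
    age_seconds: int   # how old this assertion is, used for step-up freshness


def classify(privileged: bool, blast_radius: int, recovery_sensitive: bool) -> Tier:
    """Tier by business impact, not job title: any one factor raises the tier."""
    if privileged or blast_radius >= 8 or recovery_sensitive:
        return Tier.PRIVILEGED
    return Tier.STANDARD if blast_radius >= 3 else Tier.LOW


def evaluate(tier: Tier, a: Assertion, sensitive_action: bool = False,
             compensating_controls: bool = False) -> tuple[bool, str]:
    """Return (allowed, reason). BE clear means the credential is device-bound;
    BE set means a synced passkey. Sensitive actions need a fresh assertion."""
    if not (a.flags & FLAG_UP):
        return False, "no user presence"
    user_verified = bool(a.flags & FLAG_UV)
    device_bound = not (a.flags & FLAG_BE)
    if tier is Tier.PRIVILEGED:
        if not device_bound:
            return False, "privileged: device-bound authenticator required (BE set)"
        if not user_verified:
            return False, "privileged: PIN or biometric required (UV clear)"
    elif tier is Tier.STANDARD:
        if not user_verified:
            return False, "standard: PIN or biometric required (UV clear)"
        if not device_bound and not compensating_controls:
            return False, "standard: synced passkey only with compensating controls"
    # Tier.LOW accepts any present, registered credential for routine logins.
    if sensitive_action and a.age_seconds > 300:
        return False, "step-up: re-authenticate, assertion older than 5 minutes"
    return True, "ok"
```

Keeping enrollment and recovery out of `evaluate` is deliberate: those paths get their own rules so a lenient recovery flow cannot silently downgrade a privileged tier.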
These controls tend to break down in large federated environments with inconsistent identity proofing because recovery workflows, legacy apps, and outsourced support models often become the weakest link.
Common Variations and Edge Cases
Tighter FIDO2 requirements often increase support burden and can create accessibility or operational friction, so organisations must balance stronger phishing resistance against usability and recovery complexity. Best practice is evolving, and there is no universal standard for exactly how much assurance each account class should receive.
One common edge case is shared operational access, where multiple staff members need access to the same function but should not share a single weak authenticator. Another is break-glass access, which should remain tightly governed and separately monitored rather than forced into the same everyday policy. A third is service accounts and other non-human identities, which do not fit a human FIDO2 model at all and require distinct lifecycle and secret handling controls as described in NHIMG’s Lifecycle Processes for Managing NHIs.
For audit and governance teams, the key question is not whether every account uses FIDO2, but whether the organisation can justify each policy tier with risk, recovery, and operational evidence. NHIMG’s Regulatory and Audit Perspectives notes that control consistency matters less than documented decision-making and revocation discipline. A uniform policy can be defensible in small, low-risk environments, but it often becomes a liability in mixed estates where privileged access, contractors, and legacy systems coexist.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST SP 800-63 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | Authenticator assurance levels | Guides assurance levels and authenticator strength by risk and use case. |
| NIST CSF 2.0 | PR.AA-1 | Supports risk-based authentication decisions for different account classes. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Highlights lifecycle and access-control issues that make uniform policies fragile. |
Map each account tier to a matching authenticator assurance level and recovery standard.
Related resources from NHI Mgmt Group
- Should organisations use the same policy model for humans and non-human identities?
- How can organisations keep MFA in place on shared business accounts?
- How can organisations govern AI agents that use service accounts and tokens?
- Should organisations use the same process for onboarding people and machine identities?
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org