FIDO passkey

Expanded Definition

A FIDO passkey is a phishing-resistant, passwordless credential bound to a user device and a relying party through public-key cryptography. In practice, the authenticator can be a platform feature or a roaming security key, but the security model is the same: the private key never leaves the device, and the user unlocks it locally with a PIN or biometric factor. The FIDO Alliance and the browser ecosystem have driven broad adoption, while the identity assurance concepts align closely with NIST SP 800-63 Digital Identity Guidelines.

In NHI and IAM discussions, passkeys are often grouped with other passwordless methods, but they are distinct because they are designed to resist phishing, replay, and credential stuffing by default. Definitions vary across vendors when they label synced passkey, device-bound passkeys, and enterprise-managed authenticators, so governance should distinguish user convenience from control over device trust, recovery, and lifecycle. The most common misapplication is treating any biometric login as a passkey, which occurs when a biometric unlocks a password or token rather than a FIDO-authenticated public-key credential.

Examples and Use Cases

Implementing passkeys rigorously often introduces account recovery and device-enrolment constraints, requiring organisations to weigh stronger phishing resistance against support overhead and endpoint trust decisions.

• An employee signs into a corporate portal with a platform passkey stored on a managed laptop, reducing exposure to phishing kits and helpdesk password resets.
• A developer uses a roaming FIDO security key to approve access to a CI/CD console, where the organisation wants stronger assurance for privileged operations.
• A customer-facing application replaces password reset flows with passkey sign-in, lowering the risk of credential reuse across consumer accounts.
• An identity team references the Ultimate Guide to NHIs to separate human authentication controls from service-account governance, then maps the user experience to NIST SP 800-63 Digital Identity Guidelines for assurance planning.
• A support desk allows passkey recovery only after identity proofing, because synced credentials still need controlled re-binding when devices are lost or replaced.

Why It Matters in NHI Security

FIDO passkeys matter because they reduce dependence on secrets that are easy to steal, reuse, or phish, which makes them a practical countermeasure in environments where identity abuse is the primary intrusion path. They also influence governance decisions around device assurance, user recovery, and step-up authentication for higher-risk actions. For NHI programs, the lesson is directional: user authentication can become more resilient, but only if teams do not confuse human passkeys with service identity controls such as API keys, certificates, and workload tokens.

NHI Management Group notes that 79% of organisations have experienced secrets leaks, with 77% of those incidents resulting in tangible damage, underscoring why passwordless human login is only one part of a broader identity hardening strategy. The same program that adopts passkeys should still address NHI visibility, rotation, and offboarding through sources such as the Ultimate Guide to NHIs. Organisations typically encounter the operational value of passkeys only after a phishing compromise or password spraying event, at which point the term becomes operationally unavoidable to address.

Related resources from NHI Mgmt Group

• How can security teams reduce passkey downgrade risk?
• How can IAM teams tell whether passkey adoption is actually working?
• What do IAM teams get wrong about passkey adoption?
• Should organisations build or buy a passkey solution?