FIDO2 is a passwordless authentication standard that uses public-key cryptography instead of shared secrets. A service stores the public key while the authenticator keeps the private key, allowing users to prove possession without sending reusable credentials over the network.
Expanded Definition
FIDO2 refers to a passwordless authentication model built on public-key cryptography, where the authenticator proves possession of a private key without ever exposing it to the service. In practice, it is a family of specifications that includes WebAuthn and the Client to Authenticator Protocol (CTAP), and industry usage of the term is still evolving.
For NHI security teams, the key distinction is that FIDO2 replaces reusable shared secrets with device-bound or platform-bound cryptographic proof. That reduces phishing risk and removes a major source of credential replay, but it does not automatically solve identity governance, device trust, or lifecycle management. The standards context is best understood alongside NIST SP 800-63 Digital Identity Guidelines, which frame authenticator strength and assurance, while Ultimate Guide to NHIs shows why secrets reduction matters across the broader identity estate.
The most common misapplication is treating FIDO2 as a complete identity program, which occurs when teams equate phishing resistance with full privilege control, recovery governance, and session oversight.
Examples and Use Cases
Implementing FIDO2 rigorously often introduces enrollment and recovery constraints, requiring organisations to weigh stronger phishing resistance against added help desk, lifecycle, and device-management overhead.
- Employee sign-in to a workforce portal using a hardware security key, reducing the chance that an attacker can reuse stolen passwords or intercept an OTP.
- Privileged administrator access protected with FIDO2 plus PAM, so interactive logons require a strong authenticator and elevated actions remain tightly governed.
- Step-up authentication for sensitive transactions, where the user must reassert possession before approving a payment, config change, or policy exception.
- Modern SaaS federation, where the service relies on a browser-based FIDO2 flow while identity assurance is anchored to NIST SP 800-63 Digital Identity Guidelines.
- Agent operator access, where an AI Agent with execution authority is separated from human-admin credentials and protected with strong authentication and session controls described in the Ultimate Guide to NHIs.
In practice, FIDO2 is most valuable where phishing and credential replay create the highest business risk, and where strong authentication can be paired with logging, device posture, and conditional access decisions.
Why It Matters in NHI Security
FIDO2 matters because the security model removes shared secrets from the login flow, which directly reduces the attack surface created by password reuse, token theft, and credential stuffing. That benefit becomes even more important in environments where identities are numerous and hard to govern: NHI Mgmt Group research shows NHIs outnumber human identities by 25x to 50x in modern enterprises, and the Ultimate Guide to NHIs also notes that 96% of organisations store secrets outside secrets managers in vulnerable locations. FIDO2 is not a cure for those issues, but it demonstrates the same strategic direction: fewer reusable credentials, more cryptographic proof, and less exposure of secrets. That aligns with the assurance principles in NIST SP 800-63 Digital Identity Guidelines and with Zero Trust assumptions that credentials will be challenged continuously. Organisations typically encounter the need for FIDO2 after a phishing incident or credential replay event, at which point adopting passwordless authentication becomes an operational necessity.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | AAL2 | FIDO2 supports strong authenticator assurance and phishing-resistant login flows. |
| NIST Zero Trust (SP 800-207) | Continuous verification of identities and authenticators | Zero Trust assumes identities and authenticators must be continuously verified. |
| OWASP Non-Human Identity Top 10 | NHI-02 | Passwordless controls reduce reliance on secrets that NHI programs must govern. |
Replace reusable secrets where possible and track authentication hygiene in NHI inventory reviews.
Reviewed and updated by the NHIMG editorial team on June 1, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org