HID mandates passkey device attestation

- HID rolled out Enterprise Attestation across its Crescendo FIDO smart cards and security keys, letting companies block passkey registration from unmanaged authenticators starting May 1.
- The key detail is where enforcement happens — at passkey creation. If a device cannot prove provenance with valid attestation, enrollment fails by policy.
- That matters because enterprise passkeys are shifting from “any passkey is good” toward governed, device-bound credentials for regulated and Zero Trust environments.

Passkeys are supposed to make logins easier and safer. But for big companies, they also created a new governance problem — if any employee can register any authenticator, then “passwordless” can quietly turn into “bring your own security device.” HID’s update is about closing that gap. On May 1, the company said its Crescendo smart cards and security keys now support Enterprise Attestation, a FIDO feature that lets an identity system verify the device at the moment a passkey is registered.

### What changed here?

HID added Enterprise Attestation across its FIDO authenticator portfolio, especially the Crescendo line of smart cards and security keys. In plain English, the authenticator can now prove what it is and where it came from during registration, so the relying party can accept only approved corporate devices instead of any random passkey-capable phone, browser, or password manager.

### Why does registration matter so much?

Because that is the control point that decides what kind of credential enters the system. If a company waits until login time, the passkey already exists and policy gets messy fast. HID’s pitch is that enforcement happens before the credential is ever accepted — if the device cannot present valid attestation data, enrollment is blocked, but the employee’s later sign-in flow does not need extra steps.

### What is Enterprise Attestation, really?

It is a FIDO standards-based way for an authenticator to present provenance information to an identity platform. The important word is provenance — not just “does this user have a passkey,” but “was this passkey created on hardware the organization recognizes and allows?” FIDO’s own enterprise guidance has been pointing toward this model for high-assurance deployments, especially where synced consumer passkeys are too loose for policy or compliance needs.

### Why not just allow any passkey?

Because consumer passkeys optimize for convenience, not fleet control. They can live in personal phones, laptops, or password managers and may sync across ecosystems. That is great for mainstream adoption, but it weakens the clean link between employee, device, and enterprise policy. In regulated or Zero Trust settings, security teams often want device-bound credentials issued, reset, and revoked like any other managed asset.

### Does this change the user experience?

Not much — and that is the whole selling point. The extra check happens during passkey enrollment, not during every authentication ceremony. So the employee still signs in with the same PIN, touch, or biometric flow, but the organization gets stronger assurance that the credential came from approved hardware. Basically, HID is trying to add governance without reintroducing friction.

### Who is this really for?

Mostly large enterprises, government, and other security-heavy environments that already issue credentials and care about lifecycle control. HID’s Crescendo line already sits in that world — smart cards, security keys, physical access badges, and compliance-driven identity programs. Enterprise Attestation makes those devices more useful in the passkey era because they can now act as governed passkey containers, not just generic FIDO authenticators.

### What is the bigger shift?

The bigger shift is that passkeys are splitting into two tracks. One track is consumer-friendly and synced everywhere. The other is enterprise-governed and device-bound. FIDO has been explicit that both models will coexist, and organizations will choose based on risk, regulation, and user population. HID is betting that a lot of enterprise identity teams now want the second model.

### Bottom line?

This is not a flashy new login method. It is infrastructure. But it matters because enterprise passwordless projects often stall on one simple question — “approved by whom?” HID’s answer is to move that decision to enrollment and tie passkeys back to issued hardware. That makes passkeys look less like a consumer convenience feature and more like a managed corporate credential.


Shared from Scout - Be the smartest in the room.