New from the identity security product company HID is Enterprise Attestation in its FIDO authenticator portfolio of smart cards and keys, a FIDO standards-based capability that enables users to enforce only company-issued passkeys at registration. This proves authenticator provenance before a credential is accepted.
While passkeys address phishing, businesses need assurance that the devices creating those credentials are ones they have issued and trust. In the FIDO Alliance’s State of Passkey Deployment in the Enterprise report, 20 per cent cite strict regulations as a key barrier to passkey adoption. Hence Enterprise Attestation, says HID, which makes device trust and authenticator governance explicit and enforceable. Without it, a personal authenticator could be registered to an employee, with no reliable way for the enterprise to tell it apart from a credential enrolled on a device the business controls, monitors and can revoke. Enterprise Attestation verifies that the device being registered was issued by the business. It gives governance, traceability and device control without changing the user login experience.
Device verification
Built into HID’s Crescendo authenticators, including FIDO2-certified smart cards and security keys, and supported by identity platforms such as PingOne, Enterprise Attestation verifies authenticator provenance at the point of passkey registration. If a device cannot present valid attestation data, enrollment is blocked by policy, without requiring changes to application workflows or additional steps for users.
Enterprise Attestation is part of the FIDO Alliance’s WebAuthn and Client to Authenticator Protocol (CTAP) specifications and is supported through the FIDO Alliance Enterprise Deployment Working Group. This standards-based foundation means, HID adds, that users can enforce passkey governance without proprietary authentication flows, application lock-in or deviations from the standard user experience.
Zero Trust Mandates
For highly regulated industries such as financial services, healthcare and critical infrastructure, this supports compliance requirements around auditability, device provenance and lifecycle control. Global businesses operating under frameworks such as the European Union’s NIS2 Directive, the Digital Operational Resilience Act (DORA, applicable to EU financial services firms) and Zero Trust mandates can enforce policy at the authenticator level.
To understand what Enterprise Attestation adds in practice, consider, HID adds, a retailer that restricts passkey registration to approved authenticator models. This approach filters unauthorised hardware, but it cannot confirm whether a specific device was actually issued by the company or sourced independently by an employee. Enterprise Attestation solves that problem. When a device attempts to enrol, the system checks for a certificate that ties it to a known, company-issued authenticator. If that certificate is absent or unrecognised, enrollment is blocked. If granted access, the end user sees no change to their login experience, but the retailer gains a verifiable, auditable record of every device that has been granted access at registration.





