
IAM Academy - FIDO Authenticators

Thales | Security for What Matters Most

Let’s talk about…

The many forms of FIDO Authenticators and what organizations need to know

And we’re back at the IAM Academy. In each issue of IAM 360, we take on a topic that can feel complex or technical and break it down into something clear and practical. This time, we’re looking at the many forms of FIDO authenticators—and how organizations can decide which options best fit their people and their risks. Expert Sarah Lefavrais is here to make sense of it all.


1. With so many types of FIDO authenticators—device-bound passkeys, synced passkeys, hardware tokens, and more—how can organizations even begin to choose the right fit?

That’s a question a lot of organizations are asking right now. The first step is really understanding your users: what devices they’re using, which digital resources they’re accessing, how tech-savvy they are, and what level of risk they face. For example, high-risk roles like system admins might need hardware security keys, while everyday users accessing non-sensitive data could do just fine with synced passkeys or built-in biometrics like Face ID.
It’s also about balance—security versus convenience. The good news is that FIDO gives you options, so it’s more about picking the right mix than finding one magic solution.

2. What options are available?

There’s quite a bit of flexibility. Thales platforms support both synced and device-bound passkeys, and organizations can choose from a range of authenticators—like Thales FIDO hardware tokens, smart cards, or mobile apps—combined with biometrics instead of a PIN. That means you can give different groups of users the type that makes the most sense for their needs.

3. Do most organizations favor one form, or is there a shift toward blended approaches based on role or risk?

We’re seeing more organizations move toward a blended approach. Synced passkeys are popular for low-risk scenarios because they’re easy to use across devices, while device-bound passkeys are preferred for higher-risk situations like workforce MFA or sensitive financial transactions. Hardware options (tokens, smart cards, badges) are common for roles in mobile-free or high-security environments, for users without company phones, or for admins and executives who face greater risk. Mobile-app passkeys, on the other hand, are a good fit for employees with company phones or banking customers who are comfortable using their mobile for sensitive operations.
In practice, it’s about matching the authenticator to the context.

4. What hurdles come up when rolling this out, especially with a mixed or remote workforce?

Two things tend to trip organizations up. The first is user adoption—making sure people understand how to use their new authenticators and get a smooth authentication experience. The second is lifecycle management—thinking ahead about how authenticators will be configured, enrolled, managed on a daily basis, replaced, or revoked over time. Both can make or break a deployment if they’re not planned for early.
The FIDO Alliance’s recent State of Passkey Deployment in Enterprise report dives deeper into these challenges and how enterprises are tackling them.

5. What benefits are organizations seeing from FIDO adoption?

For sure. And the numbers back it up. According to the same report, most organizations that have rolled out passkeys are seeing clear benefits:

  • 90% report stronger security
  • 82% say user experience has improved
  • 77% see gains in employee productivity
  • 73% have cut help desk costs

6. How are consumer tools like passkeys shaping employee expectations at work?

We’re seeing a clear spillover effect. As people get used to passwordless logins, passkeys, and biometrics in their personal lives, they start to expect the same simplicity at work. Employees don’t just want stronger security—they want faster, smoother access that helps them stay productive. In that sense, consumer adoption of passkeys is paving the way for enterprises, making it easier to introduce the same experience in the workplace.

Final takeaway? FIDO isn’t about finding a one-size-fits-all solution. As it turns out, it’s about mixing and matching authenticators to fit your users, your risks, and your goals.
