HID enables enterprise passkeys governance without user friction
Built into HID’s FIDO authenticators, Enterprise Attestation gives organizations policy-level control over which devices can register passkeys without changing the user login experience


Date: 2026/05/04
Source: HID
HID, a global leader in trusted identity solutions, today announced the availability of Enterprise Attestation in its FIDO authenticator portfolio of smart cards and keys. Enterprise Attestation is a FIDO standards-based capability that lets organizations accept only company-issued authenticators at passkey registration, proving authenticator provenance before a credential is ever accepted. By doing so, it helps organizations strengthen device trust, gain visibility into authenticator origin and support high-assurance authentication without adding friction for users.
 

Passkeys verify the user, enterprise attestation verifies the device

While passkeys address phishing, enterprises also need assurance that the devices creating those credentials are ones they have issued and trust. In the FIDO Alliance’s State of Passkey Deployment in the Enterprise report, 20% of organizations cite strict regulations as a key barrier to passkey adoption. Enterprise Attestation addresses this gap by making device trust and authenticator governance explicit and enforceable. Without it, an employee could register a personal authenticator, and the enterprise would have no reliable way to distinguish that credential from one enrolled on a device the organization controls, monitors and can revoke. Enterprise Attestation verifies that the device being registered was issued by the organization. It gives security teams the governance, traceability and device control they need without changing the user login experience.
 

Device verification at the point of enrollment

Built into HID’s Crescendo authenticators, including FIDO2-certified smart cards and security keys, and supported by identity platforms such as PingOne, Enterprise Attestation verifies authenticator provenance at the point of passkey registration. If a device cannot present valid attestation data, enrollment is blocked by policy, without requiring any changes to application workflows or additional steps for users.
 
Enterprise Attestation is part of the FIDO Alliance’s WebAuthn and Client to Authenticator Protocol (CTAP) specifications and is actively supported through the FIDO Alliance Enterprise Deployment Working Group. This standards-based foundation ensures organizations can enforce passkey governance without proprietary authentication flows, application lock-in or deviations from the standard user experience.
 

Built for regulated industries and zero-trust mandates

For highly regulated industries such as financial services, healthcare and critical infrastructure, the capability directly supports compliance requirements around auditability, device provenance and lifecycle control. Global organizations operating under frameworks such as the European Union's NIS2 Directive, the Digital Operational Resilience Act (DORA, applicable to EU financial services organizations) and Zero Trust mandates gain a practical mechanism to enforce policy at the authenticator level.
 
To understand what Enterprise Attestation adds in practice, consider a global retailer that currently restricts passkey registration to approved authenticator models. This approach filters unauthorized hardware, but it cannot confirm whether a specific device was actually issued by the company or sourced independently by an employee. Enterprise Attestation solves that problem. When a device attempts to enroll, the system checks for a certificate that ties it to a known, company-issued authenticator. If that certificate is absent or unrecognized, enrollment is blocked. When enrollment succeeds, the end user sees no change to their login experience, but the organization gains a verifiable, auditable record of every device that has been granted access at registration.
 
