TroutTrout
TroutTrout
Language||
Request a Demo
Back to Blog
Authentication

FIDO2 and Passkeys The Future of MFA for Critical Infrastructure

Trout Team5 min read

Passwords are the single most exploited authentication factor in industrial breaches. Shared credentials on HMI workstations, default passwords on PLCs, and sticky notes on control room monitors are still common across OT environments. FIDO2 and Passkeys eliminate the password entirely, replacing it with public-key cryptography tied to a physical device. This post covers how FIDO2 works, where it fits in critical infrastructure authentication, and how to deploy it alongside compliance requirements like NIST 800-171, CMMC, and NIS2.

Understanding FIDO2 and Passkeys

What is FIDO2?

FIDO2 stands for Fast Identity Online 2.0, a set of specifications that enable passwordless authentication. The FIDO Alliance developed it in collaboration with the World Wide Web Consortium (W3C). It consists of two main components:

  • WebAuthn: A web standard published by the W3C that provides an API for web applications to create and use public key credentials.
  • CTAP (Client to Authenticator Protocol): A protocol enabling external devices like smartphones and security keys to communicate with web applications.

What are Passkeys?

Passkeys are essentially cryptographic keys used in FIDO2 for authentication. Unlike passwords, passkeys are not shared or stored on a server; they remain on the user's device, reducing the risk of being exposed during data breaches.

The Benefits of FIDO2 and Passkeys for Critical Infrastructure

Implementing FIDO2 and Passkeys offers several benefits, especially for critical infrastructure sectors:

  • Enhanced Security: Passkeys are resistant to phishing, replay attacks, and man-in-the-middle attacks because the private key never leaves the authenticator device.
  • User Convenience: As a passwordless solution, FIDO2 eliminates the need for users to remember complex passwords, reducing friction and improving user experience.
  • Scalability: The protocols are designed to be easily integrated into existing systems, offering scalability for large enterprises.
  • Compliance: Aligns with security requirements outlined in standards like NIST 800-171, CMMC, and NIS2, offering a compliant pathway to securing sensitive data.

Implementing FIDO2 and Passkeys in Critical Infrastructure

Steps to Implementation

  1. Evaluate Current Authentication Mechanisms: Assess existing systems and identify areas where FIDO2 and Passkeys can enhance security.
  2. Integrate WebAuthn and CTAP: Work with IT teams to integrate these protocols into web applications and systems.
  3. Deploy Hardware Security Keys: Consider using hardware tokens or mobile devices for storing passkeys, ensuring they are FIDO2 compliant.
  4. Educate and Train Staff: Conduct training sessions to familiarize staff with new authentication processes, emphasizing security benefits.

Addressing Challenges

  • Legacy Systems Compatibility: Ensure that FIDO2 integration is compatible with legacy systems, a common challenge in industrial environments.
  • User Adoption: Develop a strategy to encourage user adoption, highlighting the benefits of security and ease of use.
  • Cost Considerations: While initial setup may require investment, the long-term benefits in security and compliance can outweigh these costs.

FIDO2 and Passkeys vs. Traditional MFA

Security Comparison

Traditional MFA methods, such as SMS or email-based tokens, can be vulnerable to interception and phishing. In contrast, FIDO2's use of public-key cryptography ensures that authentication data cannot be reused or intercepted, providing a higher security level.

Usability

FIDO2 and Passkeys offer a seamless user experience, removing the need for password management and reducing the cognitive load on users. This can lead to higher user satisfaction and fewer IT support requests related to password issues.

Compliance with NIST 800-171, CMMC, and NIS2

NIST 800-171

This standard requires the protection of Controlled Unclassified Information (CUI) in non-federal systems. FIDO2's robust authentication aligns with NIST's access control requirements, ensuring that only authorized users can access sensitive data.

CMMC

The Cybersecurity Maturity Model Certification (CMMC) emphasizes the need for strong access controls. Implementing FIDO2 ensures compliance with CMMC Level 2 and 3 requirements, providing enhanced security for defense contractors.

NIS2

The NIS2 Directive outlines cybersecurity requirements for operators of essential services. FIDO2's strong authentication mechanisms help organizations meet these requirements, reducing risks associated with unauthorized access.

Practical Use Cases

Securing Industrial Control Systems (ICS)

FIDO2 can be integrated into ICS environments to secure operator access to critical systems, reducing the risk of unauthorized control changes.

Protecting Remote Access

Remote access to critical infrastructure can be secured using FIDO2, ensuring that only verified users can access sensitive systems.

Enhancing Supply Chain Security

By implementing passwordless authentication, organizations can secure supply chain interactions, ensuring that only trusted partners have access to shared systems.

Conclusion

FIDO2 and Passkeys eliminate the weakest link in most authentication chains: the password. Start by deploying FIDO2-compatible hardware keys to operators who access critical systems. Integrate WebAuthn into your web-based SCADA and historian interfaces. For legacy systems that cannot support FIDO2 directly, place an authentication gateway in front of them. Map each deployment to the specific NIST 800-171 or CMMC access control requirements it satisfies, and document the results for your next audit.

Other Articles

NIS2Compliance

NIS2 Management Liability: Why Executives Are Personally on the Hook

NIS2 introduces personal liability for senior management. Executives can face temporary bans from management roles for gross negligence. Here's what that means in practice.

CMMCCompliance

The C3PAO Bottleneck: How to Prepare When There Aren't Enough Assessors

With only ~100 C3PAOs serving 80,000+ defense contractors, assessment wait times are stretching past 18 months. Here's how to use that time wisely.

RansomwareManufacturing

Ransomware Targeting Manufacturing in 2026: A 49% Increase and What to Do About It

119 ransomware groups. 3,300 industrial victims. A 49% year-over-year increase. Manufacturing is the #1 target. Here's what the data says and what actually stops it.

News & Insights

Resources & Insights.

Securing Modbus whitepaper
WhitepaperWhitepaper

Securing Modbus in Modern Industrial Environments

Zero Trust OT webinar
WebinarWebinar

Zero Trust for OT Networks

OT network architecture diagram
ArchitectureGuide

Reference Architectures for OT Security

All articles

Have a question? Ask Trout AI.

Get instant answers about our products, pricing, compliance coverage, and deployment options.