FIDO2 and Passkeys: The Future of MFA for Critical Infrastructure
Discover how FIDO2 and passkeys are revolutionizing MFA for critical infrastructure, enhancing security and usability in OT, ICS, and remote access environments.
Multi-Factor Authentication (MFA) has long been heralded as a baseline defense against account compromise. Yet, critical infrastructure—industrial control systems (ICS), SCADA environments, and operational technology (OT) networks—often lags in its adoption due to environmental, usability, and legacy system constraints. With cyberattack sophistication climbing and password-based authentication widely acknowledged as a weak point, the FIDO2 standard and passkey technology emerge as compelling answers for modernization. This article provides a technical dive for CISOs, IT directors, network engineers, and operators seeking to understand how FIDO2 and passkeys can realistically transform secure access in high-stakes, mission-critical environments.
Historical Context: MFA and Its Challenges in Critical Infrastructure
MFA isn’t new. The earliest form dates back to the 1980s: physical tokens generating time-based codes. Unfortunately, these bring cost, logistics, and usability headaches—especially for shift operators in plants or substations. Later, SMS and TOTP (Time-based One-Time Password) became popular for IT systems, but both suffer from phishing susceptibility and/or require a secondary communication channel that may not be robustly available in industrial settings.
In the last decade, critical infrastructure security guidance (e.g., NIST SP 800-53, IEC 62443) increasingly recommends strong authentication. Yet translating these guidelines to operational reality is difficult:
Password fatigue: Complex password policies overwhelm users and result in insecure “workarounds.”
Legacy protocols: Many automation systems depend on outdated protocols and interfaces.
Disconnected or air-gapped environments: Traditional MFA schemes often assume continuous internet access or mobile device communication—not always viable on the plant floor, at a substation, or in remote field sites.
Background: FIDO Alliance, FIDO2, and the Shift to Passwordless Authentication
The FIDO Alliance (Fast Identity Online) formed in 2012, prompted by growing password-related breaches and the rise of phishing. FIDO aimed for practical, open standards for strong authentication—removing the password as primary credential.
FIDO2 is the combination of two core standards:
WebAuthn (Web Authentication API): A W3C standard that defines the browser API a web application uses to create a credential and to request a signed assertion, together with the data structures the server (the relying party) verifies.
CTAP2 (Client-to-Authenticator Protocol): A FIDO Alliance specification for how a client (browser or native app) talks to a roaming authenticator such as a security key or a phone over USB, NFC, or Bluetooth. Built-in platform authenticators (Windows Hello, Touch ID) are reached through the operating system instead.
Together, these standards let a service verify a user with public key cryptography: the server holds no shared secret, and nothing reusable (password, OTP, SMS code) crosses the network.
How FIDO2 Works in Practice
On registration, the authenticator (security key, phone, TPM-backed chip in the workstation, etc.) generates a fresh key pair scoped to the service's relying-party ID (its domain). The private key never leaves the authenticator; the public key and a credential ID are sent to the service and stored against the user.
On login, the service sends a random, single-use challenge. The browser packages the challenge with the origin it is actually connected to, and the authenticator signs that data with the private key, normally after a local gesture (touch) and optionally after a PIN or biometric check (user verification).
The server verifies the signature with the stored public key and checks that the challenge, origin, and relying-party ID inside the signed data are the ones it expected. The server stores only public keys and credential IDs, neither of which is secret, so a breach of its user database yields nothing an attacker can log in with.
Critically, FIDO2 is phishing-resistant by construction: the origin and relying-party ID are part of what the authenticator signs, and the browser, not the user, fills them in. A credential registered for one domain cannot produce a valid assertion for a look-alike domain, however convincing the page, and a captured assertion is useless elsewhere because the challenge is never reused.
What's a Passkey?
A passkey is a FIDO2 credential that is discoverable (the authenticator can find it from the relying-party ID alone, so the user need not type a username) and, in its common consumer form, synced: the private key is backed up and replicated across a user's devices through a platform account (iCloud Keychain, Google Password Manager, or a password manager). Passkeys can also be device-bound, living only on one security key or workstation. The synced variant trades some assurance for convenience, because the platform account and its recovery path become part of the authentication trust boundary; that is why device-bound credentials on dedicated keys remain the conservative choice for privileged OT access.
Consider a technician moving between the control room, plant floor, and a field tablet, each requiring rapid, secure access to HMIs, asset management tools, or jump hosts. A roaming key tapped on an NFC reader, or a passkey available on whichever managed device is at hand, closes that gap with no password to remember and no code to type.
Why FIDO2 and Passkeys Matter in Critical Environments
1. Phishing and Credential Theft are Rampant
Industrial compromises often begin with credential phishing, frequently aimed at remote access portals exposed for vendor support or administrator convenience. FIDO2 removes the payoff: there is no password to harvest, and an assertion captured by a proxy site is bound to that site's origin and to a one-time challenge, so it cannot be replayed against the real service.
2. Simplification: The End of Password Fatigue
No more “double-checking the Post-it” in the SCADA room, and no password-reset cycles for field operators who lack corporate devices. A local PIN or biometric unlocks the authenticator; the secret that gates it never leaves the device, and nothing reusable traverses the network.
3. Interoperability and Standards
FIDO2 is an open, vendor-neutral standard supported by every major browser and by security keys from Yubico, Feitian, and others; Windows Hello, Android, and Apple platforms ship built-in authenticators. That ecosystem reduces the vendor lock-in that usually complicates IT/OT collaboration.
4. Secure Provisioning for Air-Gapped and Edge Environments
Unlike TOTP, which needs a shared seed distributed at enrollment, a FIDO authenticator needs no secret from the service at all: registration can happen on an isolated network, and the attestation statement a key presents at registration can be checked against vendor metadata cached offline. USB and NFC security keys work in isolated zones with no connectivity. One caveat: the cross-device passkey flow (scanning a QR code with a phone, with Bluetooth used only to prove proximity) depends on an internet-reachable relay between phone and workstation, so it is not an option on a truly air-gapped HMI; there, a USB or NFC key or the workstation's own platform authenticator is the workable choice.
Adoption and Integration Challenges
It is not all plug-and-play. Real-world deployments must account for:
Legacy apps: Core ICS components (Modbus gateways, historians, vendor-specific operator consoles) rarely support SAML, OIDC, or WebAuthn out of the box. An authentication proxy or a hardened jump host in front of them is usually required.
Physical security: Hardware tokens demand loss and theft handling. Shared environments such as control rooms need either individually issued keys or shift-based key pools with logged check-out and check-in.
Recovery and emergency access: Lost or broken authenticators need a fallback that does not reintroduce password or SMS weaknesses. Registering two authenticators per user (a daily key plus a sealed backup held under dual control) avoids most recovery events; documented, rehearsed break-glass procedures cover the rest.
Policy Alignment: Regulatory and internal compliance requirements (logging, auditing) may influence integration architecture, e.g., multi-factor enforcement on critical operations, not just access.
IT/OT Collaboration: Credentialing and identity lifecycle management straddle IT and OT domains. Seamless onboarding, revocation, and offboarding processes avoid dangerous orphaned accounts.
Migrating to FIDO2 in Critical Infrastructure: Stepwise Guidance
Asset and User Inventory: Map all remote access paths, privileged interfaces, and user identities—across IT, OT, and 3rd-party/vendor channels. Identify where password-based auth is present, and evaluate protocol support.
Pilot with Priority Use-Cases: For example, start with remote engineering access (RDP, SSH, VPN), which already crosses the IT/OT boundary. Front it with a bastion host that authenticates via WebAuthn; OpenSSH 8.2 and later can also use FIDO2 security keys directly for SSH public-key authentication.
Bridge to Legacy: Where direct FIDO2 is impossible, leverage authentication proxies or Identity Providers (IdPs) that translate FIDO2 downstream, enforcing strong auth even for older applications.
Credential Management: Define how hardware or platform authenticators are provisioned, tracked, revoked, and recovered. Integrate with existing ITAM/IAM processes; automate where possible.
Operator UX and Training: Involve user champions from the shop floor to ensure ergonomics and acceptance. Biometric and NFC workflows, if well-tested, lower friction. Document and rehearse fallback (break-glass) procedures.
Iterate and Expand Coverage: Roll out FIDO2/passkey auth to more use-cases, emphasizing least privilege and privilege escalation gating—especially for plant-control functions or remote vendor sessions.
Case Study: Securing OT Remote Access Jump Hosts
A practical illustration: A mid-size electric utility operates several hydro plants. Engineering teams periodically need vendor remote access to PLC programming stations. Historically, a VPN plus Windows domain credentials sufficed, an arrangement exposed to phishing, password spraying, and credential replay.
After adopting FIDO2-enabled jump hosts (with YubiKeys or built-in Windows Hello as authenticators), every remote session must authenticate via WebAuthn, and the jump hosts are the only pathway into the OT networks. Keys are issued per engineer, and access logs are audited.
Result: Credential compromise risk drops sharply. Getting in now requires the physical key or enrolled device plus the PIN or biometric that unlocks it; a phished password, or a stolen key on its own, is no longer enough.
Conclusion
FIDO2 and passkeys represent not only a technological evolution but one of operational pragmatism in the industrial security domain. By decoupling authentication from passwords and offering mechanisms resilient to phishing and replay, these standards set a foundation for robust, user-friendly, and regulator-aligned MFA in environments where mistakes may have real-world ripple effects. As with all security architecture, tool adoption must align with practical realities—legacy integration, device provisioning, and user workflows. In the hands of attentive IT/OT collaboration, FIDO2 and passkeys signal a step toward making "secure by default" real in the world's most critical systems.
About the Author
Written with input from security engineers, industrial operators, and infrastructure practitioners who have grown tired of hearing “just use MFA.” No AI techno-chatter—just hard-earned insight.