
Closing Enterprise Identity Assurance Gaps Through Combined FIDO2 and Certificate-Based Authentication Architectures

John R. Whitaker, Global Cybersecurity Institute, University of Edinburgh, United Kingdom

Abstract

The accelerating shift toward passwordless authentication, driven by advances in device-bound biometrics, platform authenticators, and standardized protocols, has created both opportunity and complexity for enterprise identity assurance. This article critically examines the integration of FIDO2-based passwordless mechanisms (including passkeys and the CTAP/WebAuthn protocol pair) with traditional certificate-based authentication to construct a hybrid, phishing-resistant, privacy-aware, and scalable identity architecture suited to modern enterprises. Drawing strictly on the provided literature, the paper synthesizes empirical and normative findings on mobile biometric advances, behavioral biometrics, FIDO2 usability and privacy implications, certificate lifecycle management, and data-protection regulatory constraints (notably GDPR). The work sets out a detailed methodology for combining FIDO2 client- and server-side flows with enterprise Public Key Infrastructure (PKI), covering trust anchoring, credential lifecycle orchestration, fallback and account recovery strategies, and privacy-preserving biometric handling aligned with regulatory obligations. Results are presented as descriptive analyses of anticipated security posture improvements, usability trade-offs, and operational complexity, supported by comparative studies of FIDO2 usability and of user misconceptions about biometrics. The discussion explores theoretical implications for identity assurance, counter-arguments concerning centralization and vendor lock-in, limitations in biometric entropy and behavioral approaches, and directions for future research, including decentralized identifiers and semantic design patterns for passwordless applications. The article concludes with practical recommendations for phased enterprise adoption, governance controls, and technical blueprints aimed at realizing phishing-resistant, GDPR-compliant, and user-friendly authentication in heterogeneous enterprise ecosystems.

Keywords

FIDO2, passkeys, certificate-based authentication, passwordless


How to Cite

John R. Whitaker. (2025). Closing Enterprise Identity Assurance Gaps Through Combined FIDO2 and Certificate-Based Authentication Architectures. The American Journal of Interdisciplinary Innovations and Research, 7(11), 82–88. Retrieved from https://theamericanjournals.com/index.php/tajiir/article/view/6970