HID’s Crescendo authenticator enables Enterprise Attestation to verify device provenance during secure passkey enrollment.
HID has announced the availability of Enterprise Attestation across its FIDO authenticator portfolio of smart cards and keys, introducing a standards-based capability designed to verify device provenance during passkey registration. The new functionality enables organizations to enforce the use of company-issued passkeys, ensuring that only trusted authenticators are enrolled from the outset.
While passkeys are widely recognized for addressing phishing risks, HID emphasized that enterprises also require assurance that the devices generating those credentials are approved and controlled. Enterprise Attestation addresses this need by verifying that an authenticator was issued by the organization before allowing enrollment. Without such verification, personal authenticators could be registered without a reliable way for enterprises to distinguish them from corporate-issued devices.
The capability provides security teams with enhanced governance, traceability and control over authenticators, while maintaining the existing user login experience. According to the FIDO Alliance’s State of Passkey Deployment in the Enterprise report, 20% of organizations cite strict regulations as a barrier to passkey adoption, highlighting the need for stronger device-level assurances.
Enterprise Attestation is integrated into HID’s Crescendo authenticators, including FIDO2-certified smart cards and security keys, and is supported by identity platforms such as PingOne. The feature validates authenticator provenance at the point of registration. Devices that cannot present valid attestation data are blocked from enrollment based on policy, without requiring workflow changes or additional steps for users.
Built on the FIDO Alliance’s WebAuthn and Client to Authenticator Protocol specifications, Enterprise Attestation aligns with industry standards and avoids proprietary authentication flows or application lock-in. The capability is also supported through the FIDO Alliance Enterprise Deployment Working Group.
HID noted that the feature is particularly relevant for regulated industries such as financial services, healthcare and critical infrastructure, where requirements for auditability, device provenance and lifecycle control are critical. It also supports organizations operating under frameworks including the European Union’s NIS2 Directive, the Digital Operational Resilience Act and Zero Trust mandates.
To illustrate its application, HID described how a global retailer could use Enterprise Attestation to move beyond restricting passkey registration to approved authenticator models. Instead, the organization can verify that each device attempting to enroll is tied to a company-issued certificate. Devices lacking valid certification are blocked, while approved devices are registered without altering the user experience. This approach provides organizations with a verifiable and auditable record of all enrolled authenticators.
HID confirmed that Crescendo authenticators with Enterprise Attestation support are now available globally.