
Bridging Identity Assurance Gaps: Integrating FIDO2 and Certificate-Based Authentication for Phishing-Resistant, Scalable Enterprise Security
Badal Bhushan, Cybersecurity Expert, Florida, USA
Abstract
Identity protection is an essential component of enterprise security today. With phishing, credential theft, and adversary-in-the-middle (AiTM) attacks persisting and evolving, traditional authentication methods such as passwords and ubiquitous multi-factor authentication (SMS, OTP, push notifications, etc.) are proving increasingly inadequate. This article provides an in-depth examination of two modern and widely adopted authentication protocols, FIDO2/WebAuthn and Certificate-Based Authentication (CBA). FIDO2 enables passwordless authentication using cryptographic credentials securely bound to a person's device, offering improved usability and phishing resistance. CBA, rooted in public key infrastructure (PKI), remains a necessary requirement in compliance-focused environments and is crucial for safeguarding both human and machine identities. The study explores how these technologies operate across diverse contexts, from enterprise-owned notebooks to personal mobile devices and non-human account systems. Drawing on internationally accepted standards and frameworks such as NIST SP 800-63-3, the CISA Zero Trust Maturity Model, and eIDAS, it sets out implementation considerations covering policy and identity credential lifecycle management. It also evaluates operational recovery and fallback processes for cases of credential loss or compromise. A structured framework is provided to enable organizations to achieve identity assurance at scale and to meet evolving technology and regulatory demands. Future trends such as passkeys, derived credentials, quantum computing, and modular authentication systems are also considered, as they will bring flexibility and strength to the identity assurance landscape.
Keywords
FIDO2, Certificate-Based Authentication, Identity Assurance, Phishing-Resistant MFA
Copyright License
Copyright (c) 2025 Badal Bhushan

This work is licensed under a Creative Commons Attribution 4.0 International License.