Almost nine in ten enterprises have already started rolling out passkeys, but complexity and cost still hold back full-scale deployments. HID aims to smash those last barriers with a new wave of FIDO2 authenticators and a centralized Enterprise Passkey Management service built for Windows environments.
New research from the FIDO Alliance shows that 87% of organizations in the US and UK are deploying passkeys for workforce sign-ins. Of those, 47% are deploying a mix of device-bound security keys or cards and synced passkeys across devices. The study, conducted in early 2025, pinpoints the top priority groups for deployment: users who access intellectual property (39%), admin account holders (39%), and executive-level staff (34%). Organizations report moderate to strong positive impact on user experience (82%), security (90%), help desk call reduction (77%), productivity (73%), and digital transformation goals (83%).
But for the 13% not yet on board—or those stuck in pilot purgatory—three obstacles persist. Complexity (43%), cost (33%), and lack of clarity (29%) are the most cited reasons for not starting. That’s where HID’s latest announcement lands: a packaged answer to the lifecycle headaches that have slowed even willing adopters.
Passwordless Momentum: 87% of Enterprises Are Deploying Passkeys
Passkeys have moved from cautious experiment to mainstream authentication. The FIDO Alliance’s survey of enterprise decision-makers reveals not just high adoption but also measurable returns. Security improvements and lower help desk volumes are the headline wins. In practice, a FIDO2 assertion is bound to the relying party’s origin, so a phishing site cannot capture or replay it; that cuts off the most common credential theft vector, and with no password to forget, it also ends the password reset treadmill.
Yet even with these gains, the missing piece for many IT departments is centralized management. Provisioning passkeys one by one, recovering lost hardware, and revoking access across a fleet of 10,000 devices is a logistical nightmare without proper tooling. That deficiency explains the complexity and cost fears cited by laggards. HID’s new Enterprise Passkey Management (EPM) platform directly addresses those gaps, offering a single pane of glass to provision, monitor, and revoke credentials at scale.
HID’s Answer: A Unified Portfolio of FIDO2 Hardware and Centralized Management
HID Global’s announcement is a three-part package: new Crescendo security keys and cards, a low-cost OMNIKEY 5022 contactless reader, and the EPM subscription service.
Enterprise Passkey Management (EPM)
EPM is a cloud-based, subscription-managed service that gives IT administrators remote control over FIDO2 credential lifecycles. Two capabilities stand out:
- On-behalf-of provisioning: Admins can initiate and manage passkey enrollment for users without touching each endpoint. This mirrors the Graph API preview Microsoft released for Entra ID, which allows provisioning security key credentials for a user. EPM orchestrates that flow across the Crescendo ecosystem.
- Lifecycle visibility and audit: Issuance, revocation, and all management actions are logged with full audit trails. Compliance teams can trace who had what credential and when it was revoked—critical for regulated industries and incident response.
Early channel reactions underscore the “at scale” promise. Security integrators and analysts point to the combination of hardware and management as a missing link for passwordless rollouts.
Next-Generation Crescendo Authenticators
HID redesigned its Crescendo line for flexibility across mixed environments. The portfolio now includes:
- Crescendo Keys: Physically redesigned for better ergonomics, these USB/NFC keys support FIDO2, PKI (smart card), and OATH-TOTP. A remote PIN reset function simplifies support.
- Crescendo Cards: Dual-interface cards that double as corporate badges. They carry both a physical access control (PACS) credential—like Seos or MIFARE DESFire—and a FIDO2 key for passwordless desktop login. One badge opens doors and signs into Windows.
- FIDO-enabled Seos and MIFARE DESFire EV3 Cards: For organizations already using these credential technologies for physical access, the new variants embed FIDO 2.1 authentication, merging logical and physical security onto a single card.
OMNIKEY 5022 Contactless Reader
Positioned as a cost-effective workstation reader, the OMNIKEY 5022 supports high-frequency contactless (13.56MHz) and NFC, including FIDO2. It’s driverless on major operating systems—Windows, macOS, Linux—and designed for environments that require a cleanable, durable reader, like healthcare labs or thin client setups. For users without NFC laptops, the OMNIKEY 5022 bridges the gap.
Under the Hood: Standards and Enterprise Features
This wave of hardware leans on recent updates to FIDO2 and WebAuthn standards. CTAP 2.1 and the newly published CTAP 2.2 specification introduce several enterprise-friendly features:
- Minimum PIN length enforcement: Admins can set a required PIN complexity via policy, rather than relying on user choice.
- AlwaysUV (Always User Verification): Forces user verification (PIN or biometric) on every credential creation and assertion, even when the relying party asks for verification as “discouraged” or “preferred”. This prevents silent use of a lost key by whoever finds it.
- Enterprise attestation: Allows an organization to identify a key as its own for inventory and compliance tracking. While powerful, it must be deployed with care to avoid privacy pitfalls.
These capabilities align with Microsoft’s own guidance for passwordless deployments. Windows 10 and 11 already support FIDO2 security keys for sign-in to Entra ID-joined and hybrid-joined devices. Microsoft’s Graph API (preview) further enables on-behalf-of provisioning, and the upcoming WebAuthn Level 2 enhancements will deepen integration.
For enterprises straddling legacy PKI smart cards and modern FIDO2, HID’s multi-protocol keys offer a bridge. A single Crescendo Key can handle Windows logon via PKI, website two-factor via FIDO2, and OATH codes for services that haven’t yet moved to passkeys.
Why This Matters for Windows and Microsoft Entra ID Shops
Organizations standardizing on Microsoft’s stack get a drop-in solution. HID explicitly states that its new devices are compatible with Entra ID and other major identity providers. For a Windows admin, that means:
- Entra ID-joined devices: Users can sign in with a Crescendo Key or tap a Crescendo Card on the OMNIKEY 5022 reader, leveraging the built-in FIDO2 provider in Windows.
- Hybrid environments: Where on-premises AD and cloud exist side by side, PKI support on the same key allows a phased migration. Users keep their smart card experience until passkeys replace it.
- VDI and remote desktop scenarios: While some RDP/VDI flows without WebAuthn redirection are still unsupported by Microsoft, the combination of NFC and USB-C/A connectivity on Crescendo Keys covers most modern thin clients and workstations.
The Graph API alignment is particularly important. EPM’s on-behalf-of provisioning mimics what Microsoft envisions—centrally issuing security key credentials without user interaction—and should reduce the last-mile friction of bulk enrollment.
Risks, Gaps, and Unanswered Questions
No launch is without its gotchas. Several areas require scrutiny:
- Pricing opacity: HID has not published EPM license tiers or per-user costs. Budgeting for hardware plus a subscription will vary widely depending on seat count and desired features. Organizations should request a formal quote and compare against alternatives like YubiKey Enterprise Subscription or traditional smart card management systems.
- Recovery and resilience: Centralized management adds a platform dependency. If EPM is unavailable, can admins still revoke keys? Microsoft’s documentation advises break-glass accounts that bypass FIDO2—make sure those are defined and tested. Lost or stolen keys also require a fast revocation path, and Windows still struggles with offline sign-in when a security key is lost.
- Enterprise attestation and privacy: Attestation can track a key’s origin, but if misused, it becomes a tracking vector. Ensure that any deployment respects regional regulations (GDPR, CCPA) and that users are informed about what’s being collected.
- Ecosystem maturity: Graph API on-behalf-of provisioning remains in preview. Piloting is essential to discover whether it works reliably across your specific Entra ID (formerly Azure AD) tenant configuration and device mix. Fallback to manual enrollment must be planned.
What Windows Admins Should Do Next
HID’s announcement arrives at a moment when the barriers are well-known and the benefits clearly proven. For Windows administrators considering a move, here is a concrete action plan:
- Map workforce segments to passkey types. Start with high-risk roles—administrators, executives, finance—and decide where device-bound security keys make more sense than synced passkeys. Crescendo Cards fit employees who already carry a physical badge; Crescendo Keys suit remote workers or those without a PACS card.
- Validate platform prerequisites. Enable FIDO2 security key sign-in on test Entra ID-joined or hybrid-joined Windows 10/11 devices. Confirm browser support for WebAuthn and test with a few machines.
- Pilot EPM with Graph API. In a sandbox tenant, exercise on-behalf-of provisioning, minimum PIN policies, and remote revocation. Integrate this with change management processes and ticketing—automating the “new starter” flow.
- Plan lifecycle and recovery. Standardize break-glass procedures, define issuance and reissue SLAs, settle shipping logistics, and train help desk staff on remote PIN reset for Crescendo Keys.
- Unify physical and logical access. If you currently use Seos or DESFire EV3 for door access, evaluate the FIDO-enabled variants. One credential for both worlds slashes management overhead and user confusion.
- Harden policy. Enforce AlwaysUV where feasible, set a minimum PIN length (CTAP 2.1+), and enable enterprise attestation only where justified and legally reviewed.
- Measure outcomes. Track sign-in success rates, help desk call reduction, and user sentiment before and after pilot. Quantifying the benefit builds the case for wider rollout.
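As an added example (not code from HID or Microsoft) that serves both the CTAP 2.1 feature list above (minimum PIN length, AlwaysUV, enterprise attestation) and the “Harden policy” step: a Python check that decodes an authenticator’s CTAP2 authenticatorGetInfo response and flags keys that do not meet a chosen policy. The minimal CBOR decoder, POLICY, check_authenticator and the constructed SAMPLE_GETINFO bytes are this example’s own assumptions; the numeric keys (0x01 versions, 0x04 options, 0x0D minPINLength) and option names (alwaysUv, ep, setMinPINLength) are the values defined by CTAP 2.1.

```python
# Added example, not HID's or Microsoft's code: decode CTAP2 authenticatorGetInfo (minimal CBOR) and check it against a hardening policy.
POLICY = {"min_pin_length": 6, "require_always_uv": True, "allow_enterprise_attestation": False}

def cbor_decode(buf: bytes, pos: int = 0):
    """Decode one CBOR item (int, bytes, text, array, map, bool) at buf[pos]; return (value, next_pos)."""
    ib = buf[pos]; major, info = ib >> 5, ib & 0x1F; pos += 1
    if info < 24: arg = info
    elif info in (24, 25, 26):                                 # 1-, 2- or 4-byte argument
        n = 1 << (info - 24); arg, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else: raise ValueError("unsupported CBOR additional info")
    if major == 0: return arg, pos                             # unsigned int
    if major == 1: return -1 - arg, pos                        # negative int
    if major == 2: return buf[pos:pos + arg], pos + arg        # byte string
    if major == 3: return buf[pos:pos + arg].decode(), pos + arg   # text string
    if major in (4, 5):                                        # array or map
        out = [] if major == 4 else {}
        for _ in range(arg):
            k, pos = cbor_decode(buf, pos)
            if major == 4: out.append(k)
            else: v, pos = cbor_decode(buf, pos); out[k] = v
        return out, pos
    if major == 7 and arg in (20, 21): return arg == 21, pos   # false / true
    raise ValueError(f"unsupported CBOR major type {major}")

def check_authenticator(getinfo: bytes, policy: dict = POLICY) -> list:
    """Return policy findings for a getInfo response; an empty list means the key is compliant."""
    info, _ = cbor_decode(getinfo)
    opts = info.get(0x04, {})                                  # 0x04 = options map
    findings = []
    if "FIDO_2_1" not in info.get(0x01, []):                    # 0x01 = versions
        findings.append("no CTAP 2.1 support: minPINLength and alwaysUv unavailable")
    if policy["require_always_uv"] and opts.get("alwaysUv") is not True:
        findings.append("alwaysUv is not enabled")
    min_pin = info.get(0x0D, 4)                                 # 0x0D = minPINLength; CTAP default is 4
    if min_pin < policy["min_pin_length"]:
        findings.append(f"minPINLength {min_pin} is below policy {policy['min_pin_length']}")
    if opts.get("ep") is True and not policy["allow_enterprise_attestation"]:
        findings.append("enterprise attestation (ep) is enabled without approval")
    return findings

# Constructed sample getInfo for a fictitious key: CTAP 2.0 + 2.1, all-zero AAGUID,
# alwaysUv on, ep supported but off, forcePINChange off, minPINLength 6.
SAMPLE_GETINFO = (
    b"\xa5\x01\x82\x68FIDO_2_0\x68FIDO_2_1"                    # map(5); 0x01 versions
    b"\x03\x50" + bytes(16) +                                  # 0x03 aaguid (16 bytes)
    b"\x04\xa6\x62rk\xf5\x62up\xf5\x69clientPin\xf5"          # 0x04 options map(6)
    b"\x68alwaysUv\xf5\x62ep\xf4\x6fsetMinPINLength\xf5"
    b"\x0c\xf4\x0d\x06"                                        # 0x0C forcePINChange, 0x0D minPINLength
)
```

On real hardware the getInfo bytes would come from a CTAP transport such as the python-fido2 library; the sample is embedded here so the check runs offline and can be dropped into an inventory script.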
Competitive Landscape
Several vendors offer FIDO2 security keys, but HID’s positioning is unique in its breadth. Yubico’s YubiKey line supports FIDO2, PKI, and OATH, but lacks the same depth in physical access integration and centralized management across those layers. Other passwordless platforms, like HYPR or 1Password, focus on synced passkeys and software-based authentication, leaving device-bound keys with separate management. HID’s combination of card-form-factor credentials, PACS interoperability, and a purpose-built management console tailored for Entra ID deployments gives it an edge in regulated industries (finance, healthcare, government) that already rely on HID for physical access.
Channel feedback from security buyers and integrators highlights strong interest in this “one-stop” approach. By consolidating PKI, OATH, FIDO2, and physical access onto a single badge family, HID reduces the vendor count and integration friction.
Bottom Line
For Windows organizations accelerating passwordless sign-in, HID’s next-generation Crescendo portfolio plus Enterprise Passkey Management directly targets the toughest parts of the journey: issuance, lifecycle, and compliance at scale. With Entra ID compatibility and features shaped by CTAP 2.1/2.2 and WebAuthn, the stack brings phishing-resistant MFA and passkeys from theory to day-to-day operations—provided teams plan recovery, privacy, and pilot rigorously before broad rollout.