
Phishing-Resistant MFA vs Passport Chip: NIST AAL2 in 2026

Gustav Poola
Tags: mfa, phishing-resistant, fido2, passkey, aal2, ial, passport-chip, nist-800-63

Passkeys and passport chips are both phishing-resistant — but they answer different questions. NIST SP 800-63B-4 has AAL and IAL as independent axes.


NIST SP 800-63B-4 makes phishing-resistant authentication mandatory at AAL2 in 2026. Both FIDO passkeys and passport-chip verification meet the standard — but they answer different questions. Passkeys solve AAL (authentication assurance). Passport-chip enrolment solves IAL (identity assurance). NIST treats the two as independent axes; a regulated workforce identity needs both.

In 2026, the phishing-resistant MFA question has a definitive answer. NIST Special Publication 800-63B-4 — the successor to the long-serving 800-63B-3 guidelines — requires that every verifier operating at Authenticator Assurance Level 2 (AAL2) "SHALL offer at least one phishing-resistant authentication option" (NIST SP 800-63B-4 — Authenticators). Both device-bound and synced FIDO passkeys are explicitly integrated into AAL2 and AAL3. Microsoft auto-enabled passkey profiles across all Entra ID tenants in early 2026, and 87% of US and UK companies have deployed or are actively deploying passkeys (Passkeys 2026 — 87% company adoption). Phishing resistance, as a technology problem, is solved. What is not yet solved, and what many enterprises have not yet noticed is a separate axis of assurance entirely, is how strongly the identity bound to that passkey was ever verified in the first place.

NIST 800-63 Has Two Axes, Not One

The framework that underpins federal identity guidance, and that the rest of the regulated world increasingly defers to, distinguishes between two independent levels of assurance:

  • IAL (Identity Assurance Level) — how strongly the identity bound to a credential has been proven at enrolment
  • AAL (Authenticator Assurance Level) — how strongly the authentication event itself resists compromise

IAL asks who proved this is the right person, and with what evidence? AAL asks how strong is the authentication when that person logs in? The two axes are independent. An organisation can deploy AAL2 passkeys across a workforce whose enrolment evidence is a scanned photo of a driving licence verified by an internal HR reviewer — strong AAL, weak IAL. Conversely, an organisation can verify identity cryptographically at onboarding and then back it with a password-and-SMS authenticator — strong IAL, weak AAL. Neither configuration satisfies a modern regulated context. Both halves matter.

The reason this distinction has not been the centre of the 2026 passkey rollout conversation is practical. FIDO passkeys — device-bound or synced — deliver a transformative improvement on the AAL side, moving enterprises out of the phishing-target class that password-plus-OTP occupied. That improvement is worth celebrating. It does not, however, shift the IAL needle.

What Phishing-Resistant Actually Means

Phishing resistance, in NIST's definition, is the property that a credential cannot be extracted or replayed by a site masquerading as a legitimate verifier. FIDO passkeys achieve it cryptographically: the private key is bound to a specific relying party identifier, the origin the browser actually loaded is included in the data the authenticator signs, and, in most implementations, the authenticator requires a user-presence check before it signs at all. A fake sign-in page therefore cannot induce the authenticator to produce an assertion that the legitimate verifier would accept.

Federal guidance has consolidated around this property. OMB Memorandum M-22-09 requires federal agencies to mandate phishing-resistant authentication for staff, contractors, and partners; CISA's guidance explicitly points to WebAuthn/FIDO2 as the baseline implementation (CISA — Implementing Phishing-Resistant MFA). The enterprise sector has followed: two-thirds of IT professionals now rank passkey workforce adoption as a high or critical priority, 82% of executives are implementing or considering device-bound passkeys, and 47% of organisations are mixing synced and device-bound deployments to match application sensitivity (FIDO Alliance — Passkey Index 2025).

Passkeys make it hard to steal a credential. They do not, on their own, tell you who the credential belongs to.

That is not a criticism of FIDO. It is a statement about the design scope of FIDO. A passkey is an authentication instrument. Identity proofing is not an authentication problem; it is an enrolment problem, addressed on the IAL axis.

The Passport Chip on the IAL Axis

The cryptographic side of the identity-proofing world is not new; it has been deployed in travel documents for a decade and a half. Every biometric passport issued under ICAO Doc 9303 — approximately 180 countries and regions by late 2025 — contains an NFC chip holding identity data signed by the issuing government (Signicat, December 2025). Reading that chip at an enrolment terminal produces three distinct pieces of cryptographic evidence:

  • Passive Authentication — verification that the data-group contents on the chip are signed by the issuing state, and that the state's signer certificate chains to the ICAO trust list
  • Active Authentication or Chip Authentication — proof that the chip is the original physical chip, not a cloned copy
  • PACE (Password Authenticated Connection Establishment) — binding the chip read to physical presence of the document with its holder

Countersigned under a qualified electronic signature at enrolment, that evidence becomes an IAL3-class record: the highest identity assurance level NIST recognises. The difference between that and a selfie-plus-document pipeline, which typically reaches IAL2 at best, is not incremental. IAL3 evidence is independently verifiable against the issuing authority's public infrastructure. IAL2 evidence relies on a vendor's scoring model.

[Figure: AAL and IAL are independent axes. Passkeys solve AAL; passport-chip enrolment solves IAL; a regulated identity needs both.]

Why "Both" Is the Only Coherent Answer

The meaningful question for a security architect in 2026 is not "passkey or passport chip." It is "what does the regulated workforce identity look like on both axes?" A privileged administrator handling data subject to NIS2, DORA, or AMLR should, by 2026 good practice, have:

  • IAL3 enrolment — passport-chip verification at onboarding, countersigned under eIDAS, capable of surviving a regulator's walk-back from any authentication event to its originating identity proof
  • AAL2 or AAL3 authentication — a FIDO passkey (device-bound for sensitive roles; synced acceptable for less-sensitive) binding each session to the cryptographic enrolment record

The practical implementation unbundles into two decisions. For IAL: onboard human identity once, at a supervised enrolment terminal or during an equivalent remote flow that reads the passport chip rather than its surface. For AAL: issue a passkey bound at issuance to the IAL3 enrolment record, and enforce its use thereafter. The passkey is what the user holds and presents. The enrolment record is what the passkey refers back to when an auditor, insurer, or incident responder asks who this user actually is.

The Synced-Passkey Question

A subsidiary debate has emerged over whether synced passkeys — passkeys stored in cloud-backed ecosystems like iCloud Keychain or Google Password Manager — belong in high-assurance workforce contexts. NIST SP 800-63B-4 explicitly categorises synced passkeys under AAL2, confirming their phishing resistance. The market has split roughly evenly, with the 47% hybrid deployment figure reflecting that most organisations treat synced passkeys as appropriate for moderate-sensitivity applications and device-bound passkeys for administrative or regulated workloads.

From the IAL perspective, the debate is somewhat secondary. A synced passkey enrolled against an IAL3 identity record carries the enrolment evidence regardless of where the key material lives. A device-bound passkey enrolled against weak or no identity proofing does not acquire identity assurance from being device-bound. The key-material-location question is orthogonal to the identity-proofing question — another reminder that AAL decisions and IAL decisions are independent.

2026 Is the Year IAL Gets Its Turn

The 2024–2025 rollout cycle was AAL's: passwords out, MFA floor up, phishing-resistant options mandatory at AAL2. The 2026 rollout cycle is IAL's, driven by NIS2 Article 21(2)(i) evidence expectations, cyber insurance adjudicators walking back from incidents to enrolment, and AMLR's July 2027 deadline for verifiable identity in financial onboarding. Enterprises whose authentication layer is excellent but whose identity layer is vendor-scored will draw the same class of finding from all three: the evidence on file is the vendor's pass flag, not the issuing authority's signature.

Passkeys and passport chips are not competitors. They are the two axes of a single assurance picture, and in 2026, regulated workforces need both.

Sources

  • NIST SP 800-63B-4
  • Federal guidance
  • Enterprise passkey adoption
  • Microsoft Entra implementation
  • ePassport standard (IAL3 source)

About the author

Gustav Poola is co-founder of IdentiGate. He focuses on the technical architecture of passport-chip identity verification, advanced electronic signature production under eIDAS, and the engineering of identity flows that survive regulator and auditor walk-back.
