The Cybersecurity and Infrastructure Security Agency has issued a binding operational directive requiring all federal civilian agencies to implement FIDO2 passkey authentication for employee access to government systems by October 1, 2026.
The directive follows a series of credential-based attacks that compromised multiple agency networks over the past year. CISA estimates that phishing-resistant authentication would have prevented 85 percent of those incidents.
Agencies must submit implementation plans within 30 days and begin phased rollouts by July. CISA will provide technical assistance and standardized deployment templates to accelerate adoption across the federal enterprise.
