Public key cryptography-based authentication methods such as FIDO/WebAuthn can provide a number of security improvements over passwords. However, the need to register every device the user wishes to use reduces its usability for consumer applications. In 2022, the FIDO Alliance introduced a multi-device credential model, which claims to offer numerous convenience and usability enhancements for end users; however, the fact that the WebAuthn credential can leave the protection of a hardware security module undermines the security guarantees previously provided by the FIDO/WebAuthn framework. This limits FIDO’s usefulness for applications which require more rigorous protection. Furthermore, FIDO does not specify key management aspects, instead, end users and relying parties are left responsible for credential management. These trade-offs force a difficult compromise between overall security and convenience. In this paper, we propose a protocol for a split-key FIDO mechanism, in which each user device maintains a portion of the user’s credential instead of a fully-usable private key. By proving access to multiple devices, the user can use a cloud provider to reassemble their private key in an HSM-protected environment, then use the cloud provider to authenticate on their behalf. Service providers can preserve many of the benefits of multi-device credentials, while still providing relatively strong private key protections. In addition, our proposal adds a key management overlay to the existing FIDO/WebAuthn framework. Our approach uses a user’s existing cloud provider to reduce access to a user’s private key, thus reducing the potential for credential theft, even if one of the user’s devices is fully compromised.