They should extend identity assurance beyond login by signing email and documents with certificates. That way, the organisation can validate not just who authenticated, but whether downstream communications and approvals came from a trusted identity. This matters because phishing often targets workflow trust rather than the initial sign-in.
Why This Matters for Security Teams
Passwordless authentication reduces phishing success at the login prompt, but it does not eliminate phishing as a workflow attack. Once a user is signed in, attackers still try to hijack trust through email, document review, payment approval, ticketing, and executive impersonation. That is why identity assurance has to extend beyond authentication into downstream communication integrity, including signing sensitive messages and approvals with certificates.
Current guidance from NIST Cybersecurity Framework 2.0 and the Ultimate Guide to NHIs — Why NHI Security Matters Now points to a broader control model: verify the identity behind the action, not just the identity behind the login. This is especially important where phishing has shifted toward consent abuse, fraudulent approvals, and conversation hijacking. In those cases, a passwordless sign-in can be fully legitimate while the downstream action is still malicious. In practice, many security teams encounter this only after a trusted inbox or approval path has already been used to authorize the fraud.
How It Works in Practice
The practical response is to add cryptographic proof to workflows that matter. Email signing, document signing, and approval signing let recipients and systems verify that a message or action came from a trusted identity and has not been altered. This is not a replacement for passwordless login; it is a second trust layer for the business processes most often abused by phishers.
That usually means pairing passwordless authentication with certificate-backed identity, strong device posture, and policy controls on what can be approved, when, and by whom. Organisations should distinguish between authentication events and authorization events, because the risk sits in the gap between the two. For example, a user may authenticate with a FIDO2 credential, but a payment release, supplier change, or legal sign-off may still need a signed approval flow. Research in the Top 10 NHI Issues and the Ultimate Guide to NHIs — Key Challenges and Risks shows that identity failures often surface after the initial trust boundary is crossed, not at first login.
- Use certificate-based signing for email, contracts, invoices, and privileged approvals.
- Bind approvals to context such as device posture, application, risk score, and transaction type.
- Require step-up verification for high-impact actions even in passwordless environments.
- Monitor for anomalous forwarding rules, delegated access, and approval path changes.
- Validate downstream trust artifacts, not just session tokens.
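As an added illustration (not code from the original page or from any framework or vendor it cites), the Go program below shows what a signed, context-bound approval artifact and its verifier look like: approver, action, amount and device posture are signed together, and the relying system checks signer trust, integrity, device posture and a step-up threshold before the action is allowed. The Ed25519 key pair, approver names, device labels and amount limit are constructed placeholders; in a real deployment the public key would be taken from the approver's certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Approval is the downstream trust artifact: the action bound to its context, not to a session.
type Approval struct {
	Approver string `json:"approver"`
	Action   string `json:"action"`
	Amount   int    `json:"amount"`
	Device   string `json:"device"` // device posture label; every value used below is constructed
}
// Policy is what the relying system enforces in addition to the signature.
type Policy struct {
	Approvers map[string]ed25519.PublicKey // identity -> public key from the approver's certificate
	Devices   map[string]bool              // compliant device labels
	MaxAmount int                          // above this, step-up verification is required
}
// canon is the signed byte form; struct field order fixes the JSON layout.
func canon(a Approval) []byte { b, _ := json.Marshal(a); return b }
// Sign produces the approver's signature (the key stands in for a certificate-backed key).
func Sign(key ed25519.PrivateKey, a Approval) []byte { return ed25519.Sign(key, canon(a)) }
// Verify accepts only a trusted signer, an unaltered artifact and permitted context.
func Verify(p Policy, a Approval, sig []byte) error {
	pub, ok := p.Approvers[a.Approver]
	switch {
	case !ok:
		return errors.New("approver not trusted")
	case !ed25519.Verify(pub, canon(a), sig):
		return errors.New("signature invalid or approval altered")
	case !p.Devices[a.Device]:
		return errors.New("device posture not compliant")
	case a.Amount > p.MaxAmount:
		return errors.New("amount exceeds limit; step-up required")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	p := Policy{map[string]ed25519.PublicKey{"alice": pub}, map[string]bool{"managed": true}, 10000}
	a := Approval{"alice", "payment_release", 5000, "managed"}
	sig := Sign(priv, a)
	a.Amount = 50000               // altered after signing
	fmt.Println(Verify(p, a, sig)) // signature invalid or approval altered
}
```

Note that a valid signature alone is not enough: a genuinely signed approval from a non-compliant device or above the limit is still refused, which is the authentication-versus-authorization gap the text describes.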
For teams aligning control language, NIST Cybersecurity Framework 2.0 supports stronger identity verification and transaction integrity, while NHI governance research from NHIMG shows that identity misuse often persists after authentication is technically sound. These controls tend to break down in high-velocity business processes where approvals are informal, email is the default trust channel, and certificate issuance is not operationally integrated with the workflow.
Common Variations and Edge Cases
Tighter signing and approval controls often increase operational overhead, requiring organisations to balance stronger anti-phishing assurance against user friction and certificate lifecycle complexity. Best practice is evolving here, and there is no universal standard for every workflow.
Some environments can adopt signed email immediately, while others need selective deployment because external partners, legacy systems, or mobile-heavy users may not support end-to-end certificate validation. In those cases, organisations should prioritise the highest-risk workflows first: payments, HR changes, legal approvals, and admin requests. Another common edge case is that phishing may target the approver’s delegated authority rather than the primary account, so controls must account for shared inboxes, assistants, and service accounts.
The broader lesson from Ultimate Guide to NHIs — Why NHI Security Matters Now is that identity trust has to be lifecycle-managed, not treated as a single sign-in event. Organisations that only secure authentication often leave workflow integrity exposed, which means attackers can still exploit the business process even when password prompts are gone.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 | Identity proofing and authentication support stronger downstream trust decisions. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Phishing often abuses trust in identities and credentials beyond the initial login. |
| NIST AI RMF | | Risk governance helps evaluate phishing exposure in automated and semi-automated workflows. |
Bind high-risk approvals to verified identity and validated transaction context, not login alone.