Prioritise PKI when the business needs certificate-based trust for devices, secure email, document signing, or regulated communications. If the main requirement is user login convenience, another MFA method may be enough. If the requirement is cryptographic assurance across interactions, PKI becomes the stronger fit.
Why This Matters for Security Teams
PKI is not just “another MFA option.” It is a trust model that binds identity to cryptographic proof, which matters when the organisation needs assurance for devices, signed documents, secure email, or regulated workflows. If the requirement is only interactive login, simpler MFA may be sufficient. If the requirement is to prove origin, integrity, and non-repudiation across systems, PKI is usually the stronger control.
This distinction matters because identity failures often show up first in machine and service contexts, not in user sign-in screens. NHI Mgmt Group notes that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys in its Ultimate Guide to NHIs. That is a reminder that cryptographic identity becomes critical wherever secrets, automation, and downstream trust decisions are involved. For broader control mapping, the NIST Cybersecurity Framework 2.0 frames this as a governance and protective control decision, not just an authentication preference.
In practice, many security teams encounter the limits of non-PKI MFA only after certificate trust, signing assurance, or device authentication has already become a compliance or incident-response problem.
How It Works in Practice
Organisations should prioritise PKI when they need a cryptographic identity that can be verified by systems, not just a one-time login factor. Certificates can authenticate devices, sign code or documents, protect email, and support mutual TLS. That makes PKI especially useful when the trust decision must survive session boundaries, automate at scale, or be independently validated by another party.
The practical question is whether the workload needs assurance about who or what is connecting, and whether that assurance must be machine-verifiable. For device trust and service-to-service access, certificate-based identity is often paired with Zero Trust policies and short-lived credentials. For administrative access, PKI can be combined with other MFA methods rather than replacing them entirely. Guidance from Microsoft Midnight Blizzard breach and the NIST Cybersecurity Framework 2.0 reinforces a common pattern: stronger identity proof is most valuable where privileged access, automation, and trust propagation intersect.
- Use PKI when the relying party must verify identity cryptographically, such as for mTLS or signed artefacts.
- Prefer PKI for regulated communication, where integrity and non-repudiation are part of the control objective.
- Use another MFA method when the goal is mainly human login convenience and the business does not need certificate trust.
- Combine PKI with strong lifecycle controls, because certificate strength drops quickly if issuance, rotation, and revocation are weak.
These controls tend to break down in environments with poor certificate inventory, weak revocation handling, or unmanaged machine identities because the organisation cannot tell which certificates remain trusted.
Common Variations and Edge Cases
Tighter PKI governance often increases operational overhead, so organisations must balance cryptographic assurance against lifecycle complexity and user friction. That tradeoff is real, especially when teams manage many endpoints, services, or third parties.
There is no universal standard for this yet, but current guidance suggests PKI is most defensible when the trust requirement is external, persistent, or auditable. For example, signed documents and secure email benefit from non-repudiation, while device identity benefits from certificate-based authentication tied to hardware or managed endpoints. In contrast, consumer-facing login flows often do not justify the cost of issuing and revoking certificates for every user.
Edge cases arise when PKI is needed for one layer but not another. A user may authenticate with another MFA method while the managed device presents a certificate. Likewise, an application may use PKI for server trust while relying on OAuth or SSO for the human administrator. The key is to align the control to the trust boundary, not to assume one mechanism fits every identity type. NHI Mgmt Group’s Schneider Electric credentials breach illustrates why secret handling and trust boundaries matter when credentials are exposed beyond the intended scope.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | PKI choice hinges on stronger identity proof for users, devices, and services. |
| NIST SP 800-63 | AAL3 | PKI can satisfy higher-assurance authentication needs in regulated contexts. |
| NIST Zero Trust (SP 800-207) | PR.AC | Certificate trust supports Zero Trust by verifying device and workload identity continuously. |
Use PKI where access decisions require cryptographic assurance, then map it into your identity and access controls.
Related resources from NHI Mgmt Group
- Should organisations prioritise phishing-resistant MFA over other identity projects?
- When should organisations prioritise DSPM over another data security project?
- How can organisations combine CBA and MFA without adding unnecessary friction?
- What do organisations get wrong about passwordless MFA adoption?
