TL;DR: Enterprises are increasingly treating FIDO and certificate-based authentication as complementary rather than competing methods, because FIDO remains uneven across environments while CBA already fits user and machine identity use cases today, according to Axiad. The practical issue is not choosing one standard but aligning each to the authentication problem it solves without creating governance gaps.
At a glance
What this is: This is a pragmatic analysis of how FIDO and certificate-based authentication can be combined to cover different authentication use cases.
Why it matters: It matters because IAM teams need to map authentication methods to human and machine identity needs without leaving gaps in coverage, rollout, or governance.
By the numbers:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
- Only 5.7% of organisations have full visibility into their service accounts.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
Context
FIDO and certificate-based authentication solve different parts of the access problem. FIDO is a phishing-resistant authentication standard built for modern user login flows, while certificate-based authentication uses PKI to prove identity for users, devices, and workloads where certificates are already operationally mature.
For identity programmes, the question is not which method is fashionable. It is where each method fits across human IAM and non-human identity governance, especially when enterprises need a transition path that works across browsers, devices, service accounts, and hybrid environments.
Key questions
Q: How should security teams choose between FIDO and certificate-based authentication?
A: Security teams should choose by identity type, environment maturity, and lifecycle control. FIDO fits phishing-resistant human login, while certificate-based authentication fits environments that already rely on PKI for users, devices, or workloads. The right answer is often both, with each method mapped to the use case it governs best.
Q: Why do certificate-based authentication programmes fail in practice?
A: They fail when organisations focus on trust establishment but neglect certificate lifecycle governance. If certificates are not issued, renewed, revoked, and retired cleanly, access can persist beyond the intended relationship or device state. The control problem is usually governance, not cryptography.
Q: What do teams get wrong about passwordless authentication?
A: They often assume passwordless login solves identity governance when it mainly improves authentication assurance. Passwordless reduces phishing risk, but it does not fix provisioning, privileged access, recovery, or offboarding. Governance still has to manage who can access what, for how long, and under which assurance level.
Q: How can organisations run FIDO and CBA together without creating access sprawl?
A: Use a policy model that assigns each method to the identity populations and applications it supports, then govern certificate lifecycle and recovery paths as first-class controls. The goal is not to unify everything under one method, but to keep each trust path visible, accountable, and removable when no longer needed.
Technical breakdown
FIDO and certificate-based authentication solve different trust problems
FIDO2 creates a phishing-resistant login experience by binding authentication to a cryptographic authenticator and the relying party, which removes reusable passwords from the process. Certificate-based authentication proves identity through X.509 certificates issued by a trusted authority, making it useful where device, workload, or managed user identity already depends on PKI. The two methods are not substitutes in every environment because they depend on different operational assumptions, especially around device management, federation, and lifecycle control. In practice, authentication architecture often needs both to cover different populations and applications.
Practical implication: map each application and identity population to the authentication method that matches its operational model before standardising on a single control.
Why CBA remains relevant in mixed identity estates
Certificate-based authentication remains attractive where enterprises already operate PKI and need one method that spans user, device, and workload identity. It can support scenarios that are awkward for passwordless-only rollouts, such as managed devices, certain desktop environments, and hybrid authentication layers that still depend on directory or certificate infrastructure. The governance challenge is not the certificate itself but the full certificate lifecycle: issuance, renewal, revocation, and offboarding. Without that lifecycle discipline, certificate-based authentication can create durable access paths that are hard to detect and harder to retire cleanly.
Practical implication: treat certificate lifecycle governance as part of authentication design, not as an afterthought handled by infrastructure teams later.
Pragmatic FIDO is really an identity architecture choice
A pragmatic approach uses FIDO where it is strongest and certificate-based authentication where it already fits the environment or closes a gap. That is an architecture decision, not a branding exercise. The real issue is control alignment across human IAM and NHI governance, because the same enterprise may need phishing-resistant login for people, certificate-backed trust for managed devices, and separate identity controls for workloads. When those domains are governed separately but designed together, authentication becomes more resilient and easier to phase in without destabilising access operations.
Practical implication: design authentication roadmaps around identity type and operational fit, not around a single technology mandate.
Breaches seen in the wild
- Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Pragmatic authentication is a governance strategy, not a product decision. The article shows that no single method cleanly covers every enterprise use case, especially when human login, device trust, and workload identity all coexist. That is the right starting point for identity architects because authentication choices have to follow identity type and lifecycle, not procurement convenience. Practitioners should evaluate access paths by population and risk, not by one universal standard.
Certificate-based authentication is most valuable when lifecycle control is already mature. CBA depends on certificate issuance, renewal, revocation, and offboarding discipline. That makes it particularly relevant to NHI governance, where durable credentials can outlive their intended purpose if lifecycle processes are weak. The practical implication is that certificate trust is only as strong as the organisation's ability to retire it quickly when role, device, or relationship changes.
FIDO reduces phishing exposure, but it does not eliminate identity governance work. Passwordless login changes the attack surface for human identity, yet it still leaves provisioning, recovery, federation, and privileged access decisions in place. For identity programmes, this means authentication modernisation should not be mistaken for governance modernisation. Practitioners should separate login assurance from entitlement governance and lifecycle control.
Hybrid authentication stacks create an identity blast radius if they are not modelled by actor type. The same enterprise may have people on FIDO, managed devices on certificates, and workloads on certificate-backed trust paths. That mixture is normal, but it becomes risky when teams apply one control model across all three. The implication is clear: identity architecture should be segmented by actor type so governance, rotation, and offboarding remain accurate.
Certificate lifecycle governance is the named concept hiding inside pragmatic authentication. The article's real operational lesson is that authentication method selection is inseparable from certificate issuance and revocation discipline. If organisations can authenticate a user or device but cannot retire the credential cleanly, they have only shifted the control problem. Practitioners should treat lifecycle visibility as part of the access design itself.
From our research:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why authentication decisions must be paired with lifecycle visibility.
- For a broader governance view: 97% of NHIs carry excessive privileges, and that remains the control problem when authentication changes do not change entitlement scope.
What this signals
Certificate lifecycle is the hidden dependency in mixed authentication estates: organisations can adopt FIDO for human login and still leave governance gaps if certificate issuance and revocation remain fragmented. The practical signal is that identity programmes need to track who owns trust retirement, not just who owns authentication rollout.
The broader market signal is that authentication modernisation is drifting toward actor-specific control stacks. Human authentication, managed-device trust, and workload identity are being governed through different primitives, and teams that keep treating them as one domain will miss the operational boundaries that matter.
As enterprises blend FIDO with CBA, the most important programme question is whether identity assurance can be revoked as quickly as it is granted. That is where lifecycle discipline, directory hygiene, and certificate governance become measurable rather than assumed.
For practitioners
- Map authentication methods by identity type: separate human login, managed device trust, and workload access into distinct policy paths. Use FIDO where phishing-resistant user authentication is the requirement, and use certificate-based authentication where the environment already depends on PKI and certificate lifecycle controls are mature.
- Review certificate lifecycle ownership: assign clear ownership for issuance, renewal, revocation, and emergency retirement of certificates. Ensure offboarding and revocation are tied to the same governance process that manages access changes, not to a separate infrastructure task.
- Test authentication coverage across mixed estates: validate which applications, devices, and accounts can actually authenticate under the current architecture. Look for gaps where FIDO cannot yet be used, where CBA is already entrenched, and where workload trust still depends on long-lived credentials.
- Separate login assurance from access governance: modern authentication does not remove the need for access reviews, privileged access control, or lifecycle offboarding. Keep assurance level decisions distinct from entitlement decisions so the programme does not confuse stronger login with stronger governance.
Key takeaways
- FIDO and certificate-based authentication are complementary controls, not interchangeable ones, because they solve different trust problems across identity types.
- The operational risk is not the cryptography itself but the lifecycle governance around issuance, renewal, revocation, and offboarding.
- Identity teams should design authentication by actor type and environment fit, then tie every trust path to clear ownership and retirement controls.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | CBA depends on certificate issuance and revocation discipline. |
| NIST CSF 2.0 | PR.AC-4 | The article centers on access control by identity type and method. |
| NIST Zero Trust (SP 800-207) | AC-6 | Pragmatic FIDO is a zero-trust access design question. |
Map authentication methods to access control requirements and verify coverage by actor type.
Key terms
- FIDO2: A phishing-resistant authentication standard that uses cryptographic authenticators instead of reusable passwords. In practice, it improves user login assurance, but it still sits inside a wider IAM and governance model that must handle recovery, enrollment, and privilege decisions.
- Certificate-Based Authentication: An authentication method that uses digital certificates and public key infrastructure to prove identity. It is common where organisations already manage trusted devices, users, or workloads through certificates, but it only works cleanly when issuance, renewal, and revocation are tightly governed.
- Certificate Lifecycle Governance: The discipline of managing certificates from issuance through renewal, revocation, and retirement. For identity programmes, it is the control layer that determines whether certificate-based trust is temporary and accountable, or durable enough to become an access risk when offboarding fails.
- Pragmatic Authentication Architecture: An identity design approach that assigns each authentication method to the use case it handles best. It avoids forced standardisation and instead aligns human, device, and workload identity flows with the trust model, lifecycle controls, and operational maturity each one requires.
Deepen your knowledge
FIDO and certificate-based authentication are covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a mixed authentication model across people, devices, and workloads, it is worth exploring.
This post draws on content published by Axiad: CBA and FIDO: One, Other, or Both? Read the original.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org