TL;DR: Certificate-based authentication uses PKI certificates, hardware tokens, and a PIN to deliver phishing-resistant access for Windows, macOS, and major IAM platforms, according to Axiad. It matters because it shows how stronger authentication still depends on certificate lifecycle, device security, and credential management discipline.
At a glance
What this is: This is an independent analysis of certificate-based authentication and how PKI certificates change enterprise login security.
Why it matters: It matters because IAM teams need to treat certificates as governed identities, not just stronger login factors, across human access and lifecycle management.
👉 Read Axiad's explanation of certificate-based authentication and PKI-based MFA
Context
Certificate-based authentication is a phishing-resistant login method built on PKI certificates, hardware tokens, and a PIN. The core governance issue is not whether certificates are stronger than passwords, but whether organisations can manage certificate issuance, device binding, and lifecycle controls tightly enough for human identity programmes.
For IAM and PAM teams, the practical question is how certificate trust, revocation, and renewal behave at scale across Windows, macOS, and federated applications. Once certificates become the authentication layer, access security depends on identity lifecycle discipline as much as on cryptography.
Key questions
Q: How should organisations deploy certificate-based authentication?
A: Organisations should deploy certificate-based authentication with the same governance they apply to any privileged identity. That means defined ownership for issuance and revocation, device binding, recurring access review, and offboarding that removes certificates when access is no longer needed. Without those controls, stronger login security can still leave stale access paths in place.
Q: Why do certificate-based logins still need access reviews?
A: Because authentication strength does not limit what an account can do after login. A valid certificate can still unlock excessive or outdated entitlements if authorisation is not reviewed separately. Access reviews help ensure that certificate holders retain only the applications and privileges required for their current role.
Q: What breaks when certificate revocation is slow or inconsistent?
A: The main failure is that a strong credential remains trusted after the business relationship or device context has changed. That creates lingering access for former employees, moved users, or lost tokens. Slow revocation turns certificate-based authentication into a durable access path instead of a controllable one.
Q: Who should own certificate governance in an IAM programme?
A: Identity teams should own policy and lifecycle rules, while infrastructure or workplace teams may operate the hardware and enrollment flow. The key is a clear control boundary: identity governance decides who can receive certificates, how long they remain valid, and when they are revoked. That prevents local convenience from overriding enterprise access policy.
Technical breakdown
How certificate-based authentication works in practice
Certificate-based authentication, or CBA, uses a trusted certificate authority to issue an authentication certificate, which is then stored on a hardware token or smartcard and protected by a PIN. During login, the user presents the token, the system validates the certificate chain, and the PIN releases the certificate for verification. This differs from passwords because the secret is not typed into the target system and is much harder to steal remotely. CBA is especially relevant in environments that need phishing-resistant MFA and support native certificate handling on Windows, macOS, and common identity platforms.
Practical implication: treat certificate issuance and storage as part of the access control plane, not a separate IT convenience.
Why certificate lifecycle management is the real control point
The security value of certificates depends on lifecycle management. A certificate can be technically strong and still become a liability if renewal, revocation, device replacement, or offboarding is slow or inconsistent. In practice, organisations need a credential management system to track issuance, enforce expiry, and remove access when users change roles or leave. That lifecycle is what prevents a strong authentication factor from becoming a long-lived, unmanaged access path. In IAM terms, the problem shifts from password hygiene to certificate governance, where operational discipline determines whether the control actually reduces risk.
Practical implication: map certificate issuance, renewal, and revocation into joiner-mover-leaver and access review processes.
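The login flow described under "How certificate-based authentication works in practice" and the expiry and revocation controls described above, as one added example that is not part of the original post or Axiad's material. It is written in Ruby because the bundled OpenSSL binding lets the relying-party check run through a real X.509 store with CRL checking switched on, which is what a workstation or IdP does. The CA name, user name, PIN and challenge nonce are constructed; the in-memory revocation list and PEM CRL stand in for whatever CRL distribution point or OCSP responder a real deployment publishes.

```ruby
require "openssl"

# Constructed example, not Axiad's code: a toy issuing CA, a PIN-gated token and a relying
# party that checks chain, validity window, CRL status and a challenge signature.
DIGEST = "SHA256"

# Build and sign an X.509v3 certificate. issuer_cert/issuer_key are nil for the self-signed root.
def build_cert(subject:, key:, serial:, days:, extensions:, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{subject}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after = Time.now + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  extensions.each { |oid, value, critical| cert.add_extension(ef.create_extension(oid, value, critical)) }
  cert.sign(issuer_key || key, OpenSSL::Digest.new(DIGEST))
end

# Constant-time PIN comparison so the token does not leak PIN prefixes through timing.
def same_pin?(given, expected)
  return false unless given.bytesize == expected.bytesize
  given.bytes.zip(expected.bytes).sum { |a, b| a ^ b }.zero?
end

# Models a PIN-protected hardware token: the private key stays inside the object.
class Token
  attr_reader :cert

  def initialize(cert, key, pin)
    @cert, @key, @pin = cert, key, pin
  end

  # Release a signature over the relying party's challenge only when the PIN matches;
  # a wrong PIN yields nil, and the key itself is never exported.
  def sign(pin, challenge)
    return nil unless same_pin?(pin, @pin)
    @key.sign(OpenSSL::Digest.new(DIGEST), challenge)
  end
end

# Issuing CA: signs user certificates, records revocations and publishes a signed CRL.
class Authority
  attr_reader :cert

  def initialize(name)
    @key = OpenSSL::PKey::RSA.generate(2048)
    @cert = build_cert(subject: name, key: @key, serial: 1, days: 3650, extensions: [
      ["basicConstraints", "CA:TRUE", true], ["keyUsage", "keyCertSign,cRLSign", true],
      ["subjectKeyIdentifier", "hash", false]])
    @next_serial = 2
    @revoked = []
  end

  # Enrol a user: fresh key for the token, client-auth certificate with bounded validity, PIN.
  def issue(user, pin, days:)
    key = OpenSSL::PKey::RSA.generate(2048)
    cert = build_cert(subject: user, key: key, serial: @next_serial, days: days,
                      issuer_cert: @cert, issuer_key: @key,
                      extensions: [["keyUsage", "digitalSignature", true], ["extendedKeyUsage", "clientAuth", false]])
    @next_serial += 1
    Token.new(cert, key, pin)
  end

  # Record a serial as revoked: the leaver, mover or lost-token step.
  def revoke(serial)
    @revoked << serial
  end

  # Publish a CA-signed CRL (PEM) that relying parties must refresh within a day.
  def crl_pem
    crl = OpenSSL::X509::CRL.new
    crl.version = 1
    crl.issuer = @cert.subject
    crl.last_update = Time.now
    crl.next_update = Time.now + 86_400
    @revoked.each do |serial|
      entry = OpenSSL::X509::Revoked.new
      entry.serial = serial
      entry.time = Time.now
      crl.add_revoked(entry)
    end
    crl.sign(@key, OpenSSL::Digest.new(DIGEST)).to_pem
  end
end

# Relying party (workstation or IdP): trusts only the CA certificate and the current CRL.
# Returns [subject, nil] on success or [nil, reason] on failure, evaluated at time `now`.
def authenticate(ca_cert, crl_pem, cert, challenge, signature, now: Time.now)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.add_crl(OpenSSL::X509::CRL.new(crl_pem))
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK # revocation status is mandatory, not best effort
  store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
  store.time = now
  return [nil, "chain: #{store.error_string}"] unless store.verify(cert)
  return [nil, "challenge signature invalid"] unless cert.public_key.verify(OpenSSL::Digest.new(DIGEST), signature, challenge)
  [cert.subject.to_a.assoc("CN")[1], nil]
end
```

Driving it end to end (issue, sign a challenge, verify, revoke, republish the CRL, verify again) shows the lifecycle point directly: the same token and the same valid signature are accepted before revocation and rejected afterwards, and moving `now` past the certificate's `not_after` rejects it without any action by the CA. The `V_FLAG_CRL_CHECK` flag is the setting that turns revocation from a best-effort lookup into a hard requirement; with it unset, a missing or stale CRL would silently leave a revoked certificate trusted.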
Why phishing-resistant MFA still needs governance
Phishing-resistant MFA reduces one class of credential theft, but it does not eliminate governance problems such as over-broad access, stale entitlements, or weak device assurance. A certificate proves possession of a trusted credential, not whether the user should still have the access being requested. That distinction matters because stronger authentication can create false confidence if organisations stop measuring privilege scope, certificate ownership, and endpoint trust. The control is only as strong as the surrounding IAM and lifecycle processes that define who receives certificates, how they are bound to devices, and when they are removed.
Practical implication: pair certificate-based login with entitlement reviews, device controls, and revocation automation.
Threat narrative
Attacker objective: The attacker aims to gain durable authenticated access without needing the victim's physical token, PIN, or certificate.
- Entry begins when attackers exploit password phishing or OTP weakness to obtain credentials that would otherwise protect access to enterprise systems.
- Escalation occurs when those weaker credentials allow access to accounts, applications, or admin workflows that could have been protected by certificate-based authentication.
- Impact follows when the organisation lacks phishing-resistant MFA and strong lifecycle controls, enabling unauthorised access to email, collaboration, or business applications.
Breaches seen in the wild
- Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Certificate-based authentication is really a lifecycle control, not just a stronger login method. The article frames CBA as a replacement for password weakness, but the governance value is broader: certificates only reduce risk when issuance, renewal, device binding, and revocation are controlled as a single identity process. That makes CBA an IAM and lifecycle problem, not a point technology decision. Practitioners should evaluate it as part of access governance, not as an isolated MFA swap.
Phishing-resistant authentication reduces compromise risk, but it does not solve privilege scope. A valid certificate can still authenticate an account that has far more access than it needs, which means authentication strength and authorisation quality remain separate controls. In other words, the attack surface may shrink at the login layer while the entitlement surface stays unchanged. Practitioners need to see certificate rollout as one control in a wider least-privilege programme.
Certificate trust becomes fragile when identity programmes treat tokens as assets instead of governed identities. Hardware storage and PIN protection reduce extraction risk, but they do not prevent stale certificates, orphaned access, or inconsistent revocation after role changes. That is the failure mode this topic exposes: secure credential form factors do not compensate for weak lifecycle governance. The implication is that identity teams must measure certificate ownership and offboarding with the same rigor they apply to human accounts.
Phishing-resistant MFA is a necessary response to credential theft, but it should not be confused with complete identity assurance. CBA strengthens the authentication step, yet organisations still need assurance about device state, account status, and business need. The practical conclusion is that PKI-based access should sit inside a broader trust model, not replace it.
From our research:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how weak identity inventory still is across machine and human-adjacent access paths.
- For a broader lifecycle view, review Ultimate Guide to NHIs, Key Challenges and Risks for the visibility and privilege patterns that make certificate governance hard.
What this signals
Certificate-based authentication will keep expanding as organisations look for phishing-resistant access, but the governance burden shifts rather than disappears. Identity teams should expect more pressure to manage tokens, device binding, and certificate expiry with the same operational discipline they already apply to privileged access and secrets.
The programme signal is clear: if the certificate lifecycle is not integrated into joiner-mover-leaver workflows, the control will remain brittle. Organisations that still rely on manual revocation or ad hoc token management will struggle to keep pace with role changes and endpoint turnover.
Certificate governance becomes a measurable identity control when ownership, expiry, and revocation are tracked explicitly. Teams that can prove those three signals will have a much better story for audit, resilience, and phishing resistance than teams that only report MFA adoption.
For practitioners
- Map certificate lifecycle ownership: Assign clear responsibility for issuance, renewal, revocation, and replacement so certificate-based access is governed like any other identity lifecycle process.
- Bind certificates to managed devices: Require strong device enrollment and hardware-backed storage so certificates are not treated as portable credentials without endpoint context.
- Tie CBA to access reviews: Use recurring entitlement reviews to confirm that certificate holders still need the applications and administrative paths their certificates unlock.
- Automate revocation on offboarding: Make certificate revocation part of joiner-mover-leaver workflows so departed users do not retain valid authentication paths after role changes.
Key takeaways
- Certificate-based authentication strengthens login security, but the real control point is certificate lifecycle governance.
- Phishing-resistant MFA does not solve over-privilege or stale access if revocation and access reviews are weak.
- IAM teams should manage certificates as governed identities with clear ownership, expiry, and offboarding rules.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | | CBA is a federation and authentication pattern covered by digital identity guidance. |
| NIST CSF 2.0 | PR.AC-1 | Strong authentication and access control map directly to access enforcement. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero trust depends on continuous access enforcement, including strong authentication factors. |
Treat certificate-based authentication as one verification signal inside a broader zero-trust access model.
Key terms
- Certificate-based authentication: An authentication method that uses a trusted digital certificate instead of a reusable password to prove identity. The certificate is validated against a certificate authority and typically released only after the user proves possession of the token and PIN holding it.
- Public key infrastructure: The trust system that issues, validates, and manages digital certificates. In identity programmes, PKI is the control plane that determines which certificates are trusted, how they are distributed, and when they must be revoked or renewed.
- Certificate lifecycle management: The governance process that tracks certificate issuance, renewal, replacement, and revocation from creation to retirement. In practice, it is what keeps a strong authentication credential from becoming a stale, orphaned, or over-extended access path.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Axiad: The Why and What of Certificate-Based Authentication. Read the original.
Published by the NHIMG editorial team on 2025-08-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org