TL;DR: Microsoft’s phased NTLM deprecation is pushing organisations toward certificate-based authentication for remote access and SaaS single sign-on, because legacy challenge-response authentication no longer fits internet-facing identity flows, according to IS Decisions. The real shift is not just protocol substitution: identity assurance now depends on device-bound certificates, certificate lifecycle control, and how well on-prem authentication extends beyond the LAN.
At a glance
What this is: This analysis explains why certificate-based authentication is becoming the practical NTLM replacement for internet-facing remote access and SaaS single sign-on.
Why it matters: It matters because IAM teams must now govern device certificates, remote sign-in assurance, and legacy authentication retirement across both human and machine-adjacent access paths.
By the numbers:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- Only 38% have automated certificate lifecycle management in place.
- 57% of organisations lack a complete inventory of their machine identities.
- 69% of organisations now have more machine identities than human ones.
👉 Read IS Decisions's analysis of replacing NTLM with certificate-based authentication
Context
NTLM is a legacy Windows authentication protocol that still survives where remote access has to work without direct line of sight to a domain controller. That made it useful for internet-facing access paths, but it also left organisations relying on a protocol that no longer matches modern identity assurance expectations for remote users, SaaS access, and device-bound trust.
Certificate-based authentication changes the trust anchor from a reusable password-style exchange to a device certificate issued and managed by the organisation. For IAM teams, that turns legacy authentication retirement into a lifecycle problem: certificate issuance, storage, validation, renewal, revocation, and the operational path that connects on-premises identity to remote and SaaS sign-in.
The practical question is not whether NTLM should disappear. It is whether organisations can replace it without creating new governance debt in certificate management, endpoint trust, and the handoff between AD, remote access, and federated SaaS authentication.
Key questions
Q: How should security teams replace NTLM without breaking remote access?
A: Teams should replace NTLM in layers, starting with a dependency inventory, then moving each remote application or access path to a supported alternative such as certificate-based authentication or Kerberos where direct connectivity allows it. The key is to validate the new assurance path before disabling the old one, especially for internet-facing access where domain-controller reachability is limited.
Q: Why do certificate-based logins change identity governance work?
A: Certificate-based logins shift governance from password or protocol control to lifecycle control. Teams must manage issuance, device binding, renewal, revocation, and endpoint storage, which makes certificates behave like governed machine identities. If those processes are weak, access assurance degrades even when the authentication method itself is technically stronger.
Q: What goes wrong when certificate lifecycle is not operationally owned?
A: When no team owns certificate lifecycle, expiry, revocation, and replacement become ad hoc troubleshooting tasks instead of controlled processes. That creates access interruptions, inconsistent trust decisions, and hidden exceptions. In practice, the failure is usually not the certificate mechanism itself but the absence of accountable lifecycle management around it.
Q: Who should own the move from NTLM to certificate-based authentication?
A: Ownership should sit across IAM, endpoint security, and platform operations because the control spans identity policy, device storage, and remote access infrastructure. If one team owns only the protocol change, the programme will miss renewal, recovery, and trust-boundary issues that determine whether the replacement actually works.
Technical breakdown
Why NTLM still lingered in remote access paths
NTLM persisted because it can authenticate a user without contacting a domain controller directly, which made it workable across internet-facing systems where Kerberos could struggle. That convenience came from a simple challenge-response flow, not from strong assurance. The problem is structural: the protocol was designed for compatibility and reach, not for modern device trust, phishing resistance, or fine-grained assurance in zero-trust environments. Once remote access depends on legacy fallback protocols, identity control becomes weaker exactly where exposure is highest.
Practical implication: map every internet-facing dependency on NTLM before deprecation turns it into an outage or an exception-driven security risk.
How certificate-based authentication shifts the trust model
Certificate-based authentication, also called client certificate authentication, validates a device through an X.509 certificate rather than relying on a password-like credential exchange. In practice, the organisation binds trust to a private key stored on the endpoint, often in a TPM or equivalent hardware-backed store. That changes the control objective from session authentication alone to device identity assurance. It also means the strength of the model depends on certificate issuance, storage, renewal, and revocation being tightly governed across the endpoint estate.
Practical implication: treat certificate lifecycle management as part of identity governance, not as an endpoint-only technical setting.
Why SaaS sign-in and remote access need different CBA patterns
The article describes two distinct uses: replacing NTLM for remote access and extending on-prem authentication to SaaS through SSO. Those are not the same control problem. Remote access needs device trust to stand in for the missing domain-controller path, while SaaS integration needs a stronger identity signal at the federation boundary. In both cases, certificate validation becomes part of the sign-in decision, but the operational dependencies differ, especially where an organisation acts as its own identity provider and must keep trust consistent across local and cloud access paths.
Practical implication: separate your design for remote device authentication from your design for SaaS federation, even if both use certificates.
NHI Mgmt Group analysis
NTLM deprecation is really a certificate governance problem in disguise. The article frames a protocol transition, but the operational burden shifts to certificate issuance, renewal, validation, and revocation across remote endpoints and SaaS access paths. That makes identity assurance dependent on lifecycle discipline rather than on a single replacement protocol. Practitioners should read this as a governance change, not a transport upgrade.
Device-bound certificates tighten trust, but they also expand the machine identity estate. Every endpoint certificate becomes a governed identity object with ownership, expiry, and recovery requirements. The same failure patterns seen in broader machine identity programmes appear here: weak inventory, inconsistent renewal, and unclear responsibility when access breaks. Teams need to manage certificates as a population, not as isolated implementation details.
Remote access identity assurance now depends on the quality of the trust boundary, not just the sign-in method. When organisations extend on-premises identity to users connecting over the internet, they are asserting that device trust can compensate for the absence of a LAN or VPN path. That assertion only holds if certificate validation, endpoint storage, and federated policy are aligned. The field implication is that remote identity control is becoming a cross-domain discipline spanning IAM, endpoint security, and NHI governance.
Certificate-based authentication is becoming part of zero-trust enforcement, not a side control. The article correctly links CBA to phishing resistance and zero-trust models, because device identity is now one of the signals used to decide whether access should be allowed at all. That puts certificate operations into the same governance conversation as MFA, conditional access, and access reviews. Practitioners should expect certificate trust to be audited with the same seriousness as other high-impact identity controls.
From our research:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to The Critical Gaps in Machine Identity Management report.
- 59% of companies face greater difficulties auditing machine identities, primarily due to lack of clear ownership and limited visibility.
- If you are building the governance side of this transition, the NHI Lifecycle Management Guide explains how provisioning, rotation, and offboarding change when identity objects have an expiry-driven lifecycle.
What this signals
Certificate-based authentication will fail as a control programme unless organisations manage certificates as governed identities. The transition away from NTLM pushes more trust decisions into endpoint-bound certificates, which means lifecycle ownership matters as much as cryptography. With 57% of organisations lacking a complete inventory of their machine identities, the operational risk is not the protocol swap itself but the unmanaged population behind it.
Remote access policy is converging with machine identity governance. Once device certificates become the trust anchor for external sign-in, certificate expiry, revocation, and recovery sit inside the same control plane as access assurance. Teams that already struggle with machine identity visibility should expect the same weaknesses to surface in remote access exceptions, recovery workflows, and audit evidence.
NTLM retirement is a forcing function for better boundary design. Organisations should use the migration to separate LAN assumptions from internet-facing identity flows and to align the control set with NIST Cybersecurity Framework 2.0. The practical test is whether the new model can survive certificate failure, endpoint rebuilds, and SaaS federation without reintroducing ad hoc trust.
For practitioners
- Inventory every NTLM dependency Identify each application, remote access path, and third-party integration that still relies on NTLM before default disablement begins. Classify them by business criticality and whether the replacement path is direct Kerberos, certificate-based authentication, or another federated control.
- Treat certificate lifecycle as identity lifecycle Assign ownership for issuance, renewal, revocation, and recovery of device certificates, including where private keys are stored on endpoints such as TPM-backed hardware. If no process exists for expiry handling and revocation testing, the replacement control will fail under routine churn.
- Separate remote access from SaaS federation design Design one control pattern for internet-facing remote access and a second for SaaS SSO, even if both use client certificates. The assurance boundary, validation point, and failure mode differ, so a single blended policy usually hides operational gaps.
- Test certificate failure and recovery paths Validate what happens when a certificate expires, a device is reimaged, or a trusted certificate authority is unavailable. These are the points where certificate-based authentication either proves it can replace NTLM or exposes hidden dependency debt.
Key takeaways
- NTLM retirement is not only a protocol migration, it is a governance migration from reusable authentication to managed device trust.
- Certificate-based authentication can improve remote access assurance, but only if certificate lifecycle, storage, and revocation are run as a disciplined identity process.
- Organisations that treat the change as a simple replacement will miss the real risk, which is unmanaged certificate sprawl and weak ownership across remote and SaaS access paths.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Certificate lifecycle and rotation are central to this NTLM replacement discussion. |
| NIST CSF 2.0 | PR.AC-4 | The article centers on stronger identity assurance for remote and SaaS access. |
| NIST Zero Trust (SP 800-207) | Certificate-based authentication is presented as part of zero-trust identity assurance. |
Map remote authentication changes to access control policies and verify the new trust boundary end to end.
Key terms
- Certificate-Based Authentication: An authentication method that validates a device or user by checking a digital certificate rather than relying on a password-style exchange. In identity programmes, it shifts trust toward managed keys, certificate authorities, and endpoint storage, making lifecycle control part of the access decision.
- Machine Identity: A non-human identity used by a device, workload, service, or application to prove who or what it is. Machine identities often depend on certificates, tokens, or keys, and they create governance pressure because they must be inventoried, owned, rotated, and revoked at scale.
- Certificate Lifecycle: The end-to-end process of issuing, storing, renewing, validating, and revoking a digital certificate. For security teams, lifecycle control determines whether certificates remain trustworthy over time, especially when endpoints are rebuilt, users move roles, or remote access paths change.
- Trust Boundary: The point where an organisation decides whether to accept an identity signal as sufficient for access. In remote authentication, the trust boundary matters because it defines where certificates, federation, device posture, and access policy combine to allow or deny entry.
What's in the full article
IS Decisions's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step configuration guidance for UserLock Anywhere with certificate-based authentication enabled.
- The specific IIS and SSL settings required to accept client certificates on the hosting server.
- How UserLock SSO extends on-premises AD trust to SaaS sign-in with certificate validation.
- Implementation detail for TPM-backed certificate storage on managed endpoints.
👉 The full IS Decisions article covers implementation details for remote access and SaaS SSO.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-06-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org