By NHI Mgmt Group Editorial TeamPublished 2026-04-14Domain: Best PracticesSource: Versasec

TL;DR: Passwordless authentication is only sustainable when governance, lifecycle discipline, and architecture evolve together, according to Versasec. The real risk is not the authentication method itself, but the assumption that stronger login controls eliminate the need for rigorous identity management across users, certificates, and credentials.


At a glance

What this is: This is a perspective piece arguing that passwordless security depends on long-term identity governance, not just modern authentication mechanics.

Why it matters: It matters because IAM, PAM, and NHI teams still have to manage credential lifecycle, trust anchors, and access boundaries even when passwords are removed from the user experience.

👉 Read Versasec's perspective on 25 years of trust and the future of passwordless identity


Context

Passwordless authentication reduces reliance on shared secrets, but it does not remove the identity governance burden behind issuance, trust, and revocation. The article argues that modern access models still depend on PKI, certificates, and lifecycle discipline, which means IAM programmes have to govern the full credential state rather than only the login step.

For identity teams, the larger question is how to keep credential management, certificate trust, and access control coherent as architectures move away from passwords. That challenge cuts across human identities and non-human identities because both still require issuance, rotation, revocation, and auditability.

The source is a founder-and-board perspective piece from Versasec, so the value is in the strategic framing rather than technical depth. Its underlying message is typical for mature identity environments: authentication changes faster than governance models do.


Key questions

Q: How should organisations govern passwordless authentication without losing lifecycle control?

A: They should treat passwordless as an identity governance programme, not a login project. That means assigning ownership for issuance, renewal, revocation, and exception handling, then verifying that certificate and key lifecycle events are linked to joiner-mover-leaver processes. If revocation is unreliable, passwordless reduces friction without reducing risk.

Q: Why does passwordless authentication still need PAM and access reviews?

A: Because authentication proves who or what is presenting the credential, not what that identity is allowed to do. Privilege can still be excessive after a strong login, especially for admin workflows, service credentials, and shared infrastructure. PAM and access reviews remain necessary to limit the blast radius of compromised or over-scoped identities.

Q: What breaks when certificate revocation is slow or incomplete?

A: Expired business need does not equal expired access if revocation lags behind reality. A certificate can remain trusted after a user, device, or workload should no longer have access, which creates persistence risk and audit gaps. The failure is usually operational, not cryptographic.

Q: How do human IAM teams and NHI teams align on passwordless governance?

A: They should align on shared lifecycle controls while accepting that the identities differ. Human certificates, service credentials, and workload identities all need issuance rules, revocation paths, and review cadences, even if the tooling is different. The goal is one governance model with different execution patterns.


Technical breakdown

How PKI underpins passwordless authentication

Passwordless authentication usually replaces reusable passwords with cryptographic proof, most often through certificates, device-bound keys, or FIDO-style authenticators. PKI is the trust fabric that makes those credentials verifiable, while certificate authorities, issuance policies, and revocation paths determine whether trust can be maintained after enrolment. The control problem shifts from password strength to lifecycle correctness. If issuance, renewal, revocation, and device binding are weak, passwordless becomes a different packaging of the same identity risk.

Practical implication: treat passwordless as a lifecycle and trust-management programme, not just an MFA upgrade.

Credential lifecycle control for certificates and keys

Certificate-based identity only works when the full lifecycle is visible: creation, binding, renewal, rotation, and offboarding. Unlike passwords, certificates and keys can remain valid in infrastructure long after the original operator, device, or workload has changed, which makes revocation and expiry policy central to security. In practice, this is where NHI-style governance overlaps with human IAM, because the same organisation often manages both user certificates and machine credentials through different systems but the same trust model.

Practical implication: align certificate renewal and revocation processes with joiner-mover-leaver controls and non-human identity oversight.

Why passwordless still depends on access control design

Removing passwords does not remove authorisation, privilege boundaries, or assurance requirements. A passwordless login can still lead to excessive access if roles are too broad, if device trust is over-assumed, or if privileged workflows are not separated from standard access paths. The architectural error is assuming that stronger authentication solves governance problems that actually belong to IAM, IGA, and PAM. Authentication proves identity; it does not define what that identity should be allowed to do.

Practical implication: keep access reviews, role design, and privileged access controls independent from the authentication method.


NHI Mgmt Group analysis

Passwordless success depends on identity governance maturity, not authentication branding. The article’s core message is that removing passwords only improves security if issuance, trust, and revocation are managed with discipline. PKI, certificates, and device trust still create lifecycle obligations that many organisations underweight when they treat passwordless as a user-experience project. The practitioner conclusion is simple: modern authentication does not simplify governance, it raises the cost of getting governance wrong.

Credential lifecycle failure is the real architectural risk hiding behind passwordless narratives. Certificates and keys can outlive the user, device, or workload they were issued to, which means the security model breaks when offboarding and rotation are incomplete. This is where NHI governance and human IAM converge, because both require proof that access no longer persists after business need ends. Practitioners should assess whether revocation is operationally reliable before they expand passwordless further.

PKI remains the trust substrate for passwordless, and that makes it an enterprise control plane, not a niche protocol. The article points to decades of experience with certificates and access control, which is the right way to frame passwordless adoption. Organisations that separate authentication ownership from lifecycle ownership create blind spots between identity proofing, key management, and access enforcement. The conclusion is that passwordless architecture must be governed as part of the broader identity stack, not as a standalone feature.

Identity programmes that modernise login without modernising privilege will carry the same blast radius under a cleaner interface. The user experience improves, but the control gap remains if access reviews, certificate renewal, and privileged workflow separation are still manual or fragmented. That is especially relevant for organisations running both human access and machine credentials through adjacent systems. The practitioner implication is to judge passwordless by lifecycle integrity and privilege containment, not by adoption rate alone.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most teams cannot reliably prove who or what still has access.
  • For lifecycle-focused practitioners, the Ultimate Guide to NHIs , Key Challenges and Risks is the better companion resource for closing visibility and revocation gaps.

What this signals

Passwordless is not a control endpoint. As organisations remove passwords from the front end, the governance burden shifts into certificate lifecycle, trust anchor management, and access review discipline. Teams that do not align human IAM and NHI lifecycle controls will simply move exposure from passwords to keys and certificates.

Trust fabric matters more than authentication style. PKI and certificate governance will keep becoming more central as phishing-resistant authentication expands, especially where the same enterprise must manage both users and machine identities. The practical signal is to look for unified ownership of issuance, renewal, and revocation before the next rollout.

The strongest programmes will measure passwordless by revocation reliability and privilege containment, not by adoption metrics alone. If a certificate can survive long after the business reason for it has vanished, the organisation has changed the interface but not the risk model.


For practitioners

  • Map passwordless controls to lifecycle ownership Assign explicit ownership for issuance, renewal, revocation, and exception handling across certificates, keys, and device trust so that authentication is not left detached from governance.
  • Review revocation paths before expanding certificate use Test whether certificates and keys are actually invalidated when users leave, devices are retired, or workloads change purpose, especially where multiple admin tools touch the same trust fabric.
  • Separate authentication assurance from privilege decisions Keep access reviews, role design, and privileged access workflows in scope even when passwordless is in place, because strong login does not prevent excessive authorisation.
  • Unify human and non-human credential governance Use the same governance lens for user certificates, service credentials, and workload identities so that lifecycle gaps do not move between tools and escape detection.

Key takeaways

  • Passwordless authentication improves login security, but it does not remove the governance work behind certificates, keys, and trust.
  • The most important failure mode is lifecycle drift, where access persists after the user, device, or workload should no longer be trusted.
  • IAM, PAM, and NHI teams need one control model for issuance, revocation, and privilege review, even when the authentication method changes.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Certificate and key lifecycle discipline maps to NHI credential rotation and revocation.
NIST CSF 2.0PR.AC-1Passwordless still depends on identities, credentials, and access control.
NIST SP 800-53 Rev 5IA-5Authenticator management covers keys, certificates, and lifecycle handling.
NIST Zero Trust (SP 800-207)Passwordless is commonly deployed inside zero trust architectures.

Align passwordless rollout with PR.AC-1 so authentication, authorization, and lifecycle ownership remain connected.


Key terms

  • Passwordless Authentication: An authentication approach that replaces reusable passwords with stronger methods such as cryptographic keys, device-bound credentials, or phishing-resistant authenticators. The security value comes from reducing secret reuse and phishing exposure, but only if issuance, revocation, and lifecycle controls are managed tightly.
  • Public Key Infrastructure: The trust system used to issue, validate, and revoke digital certificates and keys. In identity programmes, PKI becomes the mechanism that proves which identities can be trusted, making certificate lifecycle management a core security obligation rather than a background protocol detail.
  • Certificate Lifecycle Management: The operational discipline of issuing, renewing, rotating, and revoking certificates across their usable life. It is central to passwordless and machine identity security because trust is only safe while the credential is valid, bound correctly, and removed when business need ends.

What's in the full article

Versasec's full article covers the strategic perspective this post intentionally leaves to the source:

  • The founder and board-member backstory behind the company’s 25-year identity focus
  • The “inside-outside” board perspective on balancing growth, cash flow, and operational risk
  • The verticalisation strategy discussion, including why industry-specific messaging matters
  • The company’s own framing of its passwordless and PKI direction

👉 Versasec's full article expands on the board conversation, vertical strategy, and the company’s long-term identity view.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-14.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org