TL;DR: Credential governance must keep pace across certificate, smart card, and badge lifecycles, according to Versasec’s Summer Series 2025. The series frames vSEC:CMS as a way to manage PKI, FIDO2, and physical access credentials from one platform, while citing more than 500 customers and average retention of 95 months.
At a glance
What this is: This is a vendor commentary on managing PKI, FIDO2, and physical access credentials through one credential platform, with the key finding that credential management is increasingly converging across digital and physical access use cases.
Why it matters: It matters because IAM, PAM, and identity governance teams increasingly need a single operational view of credential issuance, lifecycle control, and revocation across multiple credential types, not separate processes for each form factor.
By the numbers:
- 95 months.
- 2007, platform has been managed since 2007, which is nearly two decades of development based on real world needs.
👉 Read Versasec's summer series post on unifying PKI, FIDO2, and physical access
Context
PKI, FIDO2, and physical access credentials are different identity surfaces, but they all create the same governance burden: who issued them, where they are used, how they are revoked, and what happens when one control plane falls behind another. For identity teams, the hard problem is not authenticating one credential type well, but maintaining consistent lifecycle control across all of them.
That challenge spans human IAM, physical access governance, and privileged credential management. When organisations separate certificate management, badge administration, and phishing-resistant authentication into isolated workflows, they create blind spots in revocation, auditability, and administrative ownership.
Versasec’s framing is typical of a broader enterprise pattern: the technology categories are distinct, but the operational failure mode is shared. Multiple credential types without unified governance usually produce multiple offboarding paths, multiple escalation points, and multiple opportunities for stale access to persist.
Key questions
Q: How should organisations govern multiple credential types in one identity programme?
A: Organisations should govern multiple credential types through a single lifecycle model, even if the underlying technologies differ. That means shared ownership for issuance, renewal, revocation, recovery, and audit. Without one model, certificate, badge, and authenticator governance drift apart, creating inconsistent offboarding and avoidable access persistence.
Q: Why do strong authenticators still need identity governance?
A: Strong authenticators reduce one class of attack, but they do not manage registration, device replacement, help desk recovery, or exception handling. Those are governance tasks, not protocol features. If organisations treat the authenticator as self-sufficient, the weakest point moves to onboarding and recovery rather than to password theft.
Q: What breaks when certificate management is not part of lifecycle governance?
A: What breaks is revocation discipline. Certificates can remain valid long after business need changes, especially when ownership is fragmented across teams or systems. That creates stale trust, weak auditability, and access paths that survive the employee, vendor, or device relationship that created them.
Q: How do physical access credentials change offboarding requirements?
A: Physical access credentials extend offboarding beyond applications and VPNs to buildings and facilities. If badge revocation is not tied to the same leaver process as digital access removal, a former user can lose account access but still retain entry to physical locations. The control must be unified, not parallel.
Technical breakdown
How PKI credential management becomes a lifecycle problem
PKI is not just about issuing certificates. In practice, it is about the full lifecycle of cryptographic credentials: generation, distribution, renewal, suspension, revocation, and audit. As certificate populations grow into the hundreds or thousands, the technical risk shifts from cryptography itself to governance consistency. The common failure mode is fragmented ownership, where different teams manage different certificate classes or issuance channels, leaving revocation and renewal out of sync. That creates stale trust, especially where certificates underpin signing, encryption, or authentication workflows.
Practical implication: treat certificate lifecycle as an identity governance process, not a one-time PKI administration task.
Why FIDO2 enterprise controls still need governance
FIDO2 improves phishing resistance by binding authentication to a strong authenticator, but enterprise deployment still depends on policy, device inventory, and administrative control. CTAP 2.1 defines device interaction at the protocol layer, yet organisations still need to decide who can register authenticators, how they are recovered, and how enterprise-grade oversight is maintained across endpoints and users. The protocol reduces credential replay risk, but it does not remove the need for identity governance around issuance, replacement, and exception handling.
Practical implication: build FIDO2 enrollment and recovery rules into identity lifecycle policy instead of treating the authenticator as self-governing.
What unified management means for physical access credentials
Physical access credentials such as RFID badges, NFC tokens, and smart cards are identity credentials with a physical attack surface. When they are managed separately from PKI and FIDO2, the organisation loses a coherent view of who can authenticate, where, and under what assurance level. Unified management does not mean the technologies are identical. It means the governance model needs one control plane for issuance, assignment, revocation, and reporting, even when the underlying credential types differ.
Practical implication: align physical access and logical access governance so badge revocation and digital credential revocation follow the same ownership model.
NHI Mgmt Group analysis
Unified credential governance is the real problem, not credential diversity. PKI, FIDO2, RFID, smart cards, and NFC all create different enforcement surfaces, but they converge on the same governance question: can the organisation issue, track, and revoke credentials consistently across systems? When those paths diverge, administrative ownership fragments and stale access becomes harder to spot. Practitioners should read this as a lifecycle coordination problem, not a feature integration story.
Certificate sprawl turns PKI into an offboarding problem. Once certificate populations reach hundreds or thousands, manual oversight stops being credible. Renewal, revocation, and exception handling become the true control points, and any gap creates trust that outlives business need. The practical takeaway is that PKI governance must be measured by revocation discipline and ownership clarity, not by issuance volume.
FIDO2 adoption does not eliminate governance obligations. Strong authenticators reduce phishing exposure, but they still need registration controls, recovery rules, and administrative oversight. Enterprise deployment fails when teams assume the authenticator is the control rather than part of the control stack. That assumption leaves recovery paths, device resets, and help desk exceptions outside policy.
Physical access credentials belong in the same identity model as digital credentials. RFID, NFC, and smart cards are not separate from IAM simply because they open doors instead of applications. If physical and logical credentials are governed differently, offboarding and audit trails fracture. Practitioners should unify the governance model even when the credential technologies remain distinct.
Named concept: credential-plane convergence. This article reflects a broader shift in which logical authentication, cryptographic identity, and physical access are managed under one operational model. That convergence reduces administrative duplication, but it also exposes weak ownership boundaries if lifecycle processes remain siloed. Teams should use the convergence to standardise governance, not to multiply tool-specific exceptions.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- For lifecycle and offboarding depth, see NHI Lifecycle Management Guide for how revocation discipline changes once credentials are treated as governed identities.
What this signals
Credential-plane convergence: enterprises are moving toward one governance model for certificates, authenticators, and physical access credentials because fragmented administration is now a control risk in its own right. Teams should expect offboarding, audit, and recovery processes to be judged by consistency across the whole credential estate, not by individual technology stacks.
The practical signal for IAM and security architects is that identity programmes need to absorb physical access, not sit beside it. As environments mix PKI, FIDO2, badges, and smart cards, the deciding factor becomes whether one control model can express ownership, lifecycle state, and revocation across all of them.
For practitioners
- Map credential lifecycles across all issuance paths Inventory certificate, FIDO2, RFID, NFC, and smart card issuance, then document who owns enrollment, renewal, suspension, and revocation for each path. Use the mapping to find duplicate or missing offboarding steps.
- Unify revocation and recovery policy Create one policy layer for credential revocation, replacement, and emergency recovery so help desk exceptions, lost devices, and expired certificates follow the same approval logic.
- Measure certificate and authenticator ownership clarity Track which teams can approve issuance, which teams can revoke access, and where accountability breaks between physical access and logical authentication.
- Review batch issuance and bulk administration controls If you use batch issuance for smart cards or FIDO credentials, verify that bulk operations still enforce identity proofing, approval, and revocation traceability.
- Align physical access with IAM offboarding Make badge deprovisioning part of the same leaver process used for digital credentials so access removal is consistent across buildings, devices, and applications.
Key takeaways
- Credential diversity is not the problem. Fragmented lifecycle governance across credential types is the problem.
- PKI, FIDO2, and physical access controls all require shared ownership for issuance, recovery, and revocation to prevent stale access.
- Unified identity governance now has to cover certificates, authenticators, and badges as one operational estate.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207), NIST SP 800-63 and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Access control and credential governance underpin the article's unified identity model. |
| NIST SP 800-53 Rev 5 | IA-5 | Authenticator management fits the article's focus on credential lifecycle and revocation. |
| NIST Zero Trust (SP 800-207) | Zero Trust principles support treating credentials as continuously governed access artifacts. | |
| NIST SP 800-63 | SP 800-63B | FIDO2 authentication and authenticator handling align directly with digital identity guidance. |
| CIS Controls v8 | CIS-5 , Account Management | Account and credential lifecycle control is central to the article's offboarding focus. |
Apply Zero Trust principles so physical and digital credentials are validated, tracked, and revoked under one model.
Key terms
- Credential-Plane Convergence: The operational model where certificates, phishing-resistant authenticators, and physical access credentials are governed through one lifecycle and ownership structure. It reduces duplicated administration, but only if issuance, revocation, recovery, and audit are standardised across all credential types.
- Certificate Lifecycle Governance: The discipline of controlling a certificate from creation to revocation, including renewal, suspension, distribution, and audit. In practice, it matters more than certificate issuance volume because stale or unmanaged certificates create trust that persists after the business need has changed.
- Authenticator Recovery: The process used to restore access when a strong authenticator is lost, reset, or replaced. It is a governance function, not a protocol feature, and it often becomes the weakest point in phishing-resistant authentication if approval and identity proofing are not tightly controlled.
- Physical Access Credential Offboarding: The removal of badges, tokens, or other facility access credentials when a user, contractor, or vendor leaves or changes role. It must be linked to identity lifecycle processes so that physical access is revoked with the same rigor as application and network access.
What's in the full article
Versasec's full article covers the operational detail this post intentionally leaves for the source:
- Detailed examples of how vSEC:CMS handles PKI, FIDO2, and physical access credential administration in one workflow.
- Specific release detail on smart card batch issuance for FIDO in vSEC:CMS 7.1.
- Operational notes on PIN unblock options, including offline, online, and air-gapped use cases.
- Examples of enterprise credential management scenarios across government, finance, healthcare, and manufacturing.
👉 The full Versasec article covers platform scope, credential types, and release details.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org