Account recovery and device identity: what IAM teams need now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: FIDO Alliance’s new working groups target identity verification for account recovery and passwordless device onboarding for IoT, while Axiad notes that non-person entities already represent over 30% of identities in its cloud service. The governance gap is broader than authentication alone: enterprises now need identity assurance that spans people, devices, and transactions.

NHIMG editorial — based on content published by Axiad: FIDO Alliance takes aim at two new cybersecurity challenges

By the numbers:

  • Today, NPE (non-person entity) authentication represents over 30% of the identities on Axiad ID Cloud, and this percentage is growing.

Questions worth separating out

Q: How should security teams handle account recovery in passwordless environments?

A: Treat account recovery as a privileged identity event, not a support function.

Q: Why do non-person entities need the same lifecycle discipline as user identities?

A: Because machine identities now make up a substantial share of enterprise identity populations and they can create the same access and audit risks as humans, only at higher scale.

Q: What breaks when device onboarding still relies on passwords?

A: Password-based device onboarding creates shared secrets, slow revocation, and weak accountability.

Practitioner guidance

  • Re-map account recovery as a high-risk identity flow. Document every step in the recovery process, identify where identity proofing is weaker than primary authentication, and require stronger verification for credential reset and re-binding events.
  • Inventory non-person entity populations and onboarding paths. Count devices, applications, and system identities separately from human users, then trace how each one is enrolled, authenticated, and revoked across its lifecycle.
  • Standardise machine identity issuance and revocation. Replace ad hoc device passwords with revocable identity credentials, and require a uniform onboarding process that can be audited across fleets and environments.

What's in the full article

Axiad's full blog post covers the operational detail this post intentionally leaves for the source:

  • The FIDO Alliance working group context and how the two initiatives map to current authentication pain points.
  • Axiad's explanation of account recovery challenges after password reduction and MFA adoption.
  • The role of non-person entity authentication in Axiad ID Cloud and why machine identity standardisation matters.
  • The article's three-part view of confidentiality, integrity, and availability in digital trust.

👉 Read Axiad's blog on FIDO, account recovery, and device identity →



(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Account recovery is the new weak link in passwordless identity design. Once the enterprise removes passwords and leans harder on MFA, recovery becomes the place where assurance drops. That is where account takeover pressure shifts, because the recovery path often has to prove identity under stress, ambiguity, or device loss. Practitioners should treat recovery as a governed trust event, not a support workaround.

A few things that frame the scale:

  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most teams cannot reliably verify who or what is still active in the estate.

A question worth separating out:

Q: How can organisations tell whether identity assurance is actually working?

A: Look for evidence that recovery, onboarding, and transaction controls are all auditable and independently revocable. If a user can be recovered without strong proof, a device can join with a shared secret, or a transaction can be altered after authentication, assurance is incomplete even if login success rates look strong.

👉 Read our full editorial: FIDO’s focus on account recovery and device identity changes IAM



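An added illustration of two points raised in this thread, the "standardise machine identity issuance and revocation" guidance in the opening post and the "auditable and independently revocable" check in the reply. This is example code written for this page, not Axiad's, FIDO's or NHIMG's code. It contrasts a fleet that onboards with one shared password against a registry that issues each device its own secret, authenticates it with a single-use challenge, revokes it individually and records every lifecycle event. The class names, the sample device IDs and the constructed onboarding password are assumptions made for the example; a production design would put the per-device key in hardware and use an asymmetric credential rather than an HMAC key.

```python
# Example code for this thread (not Axiad's or FIDO's). Shows why a shared
# onboarding password cannot be revoked per device, and what a per-device,
# revocable, audited credential looks like. Names and sample data are assumed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AuditEvent:
    action: str
    subject: str
    detail: str = ""


class SharedPasswordFleet:
    """'Before' case: every device joins with the same onboarding password."""

    def __init__(self, password: bytes) -> None:
        self._password = password
        self.devices: set[str] = set()

    def onboard(self, device_id: str, presented: bytes) -> bool:
        if not hmac.compare_digest(presented, self._password):
            return False
        self.devices.add(device_id)
        return True

    def revoke(self, device_id: str) -> set[str]:
        # One compromised device cannot be cut off on its own: the secret is
        # shared, so the only remedy is rotating it and re-provisioning everyone.
        self._password = secrets.token_bytes(16)
        affected = set(self.devices)
        self.devices.clear()
        return affected


class DeviceRegistry:
    """Per-device secret, single-use challenge, individual revocation, audit log."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._revoked: set[str] = set()
        self._open_challenges: dict[str, bytes] = {}
        self.audit: list[AuditEvent] = []

    def enroll(self, device_id: str, attestation_ok: bool) -> Optional[bytes]:
        # Enrollment is gated on an out-of-band attestation decision, so knowing
        # a password is never enough to join the fleet.
        if not attestation_ok or device_id in self._keys:
            self.audit.append(AuditEvent("enroll_denied", device_id))
            return None
        key = secrets.token_bytes(32)  # unique to this device
        self._keys[device_id] = key
        self.audit.append(AuditEvent("enrolled", device_id))
        return key

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._open_challenges[device_id] = nonce
        return nonce

    def verify(self, device_id: str, response: bytes) -> bool:
        nonce = self._open_challenges.pop(device_id, None)  # consumed: no replay
        key = self._keys.get(device_id)
        if nonce is None or key is None or device_id in self._revoked:
            self.audit.append(AuditEvent("auth_denied", device_id, "no open challenge, unknown or revoked"))
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)
        self.audit.append(AuditEvent("auth_ok" if ok else "auth_failed", device_id))
        return ok

    def revoke(self, device_id: str, reason: str) -> None:
        self._revoked.add(device_id)
        self.audit.append(AuditEvent("revoked", device_id, reason))


def device_respond(key: bytes, nonce: bytes) -> bytes:
    """What the device computes with its own key; the key never leaves it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def compare_models() -> dict:
    """Compromise one device in each model and measure the blast radius."""
    devices = ("cam-01", "cam-02", "cam-03")  # constructed sample fleet
    shared = SharedPasswordFleet(b"fleet-onboarding-2024")  # constructed password
    for dev in devices:
        shared.onboard(dev, b"fleet-onboarding-2024")
    to_reprovision = shared.revoke("cam-01")

    reg = DeviceRegistry()
    keys = {dev: reg.enroll(dev, attestation_ok=True) for dev in devices}
    reg.revoke("cam-01", "suspected key extraction")
    results = {dev: reg.verify(dev, device_respond(keys[dev], reg.challenge(dev))) for dev in devices}
    nonce = reg.challenge("cam-03")
    resp = device_respond(keys["cam-03"], nonce)
    first_use = reg.verify("cam-03", resp)
    replay = reg.verify("cam-03", resp)  # same response again: challenge already consumed
    return {
        "shared_model_devices_to_reprovision": len(to_reprovision),
        "shared_model_devices_still_working": len(shared.devices),
        "per_device_model_devices_still_working": sum(results.values()),
        "revoked_device_can_auth": results["cam-01"],
        "first_use_accepted": first_use,
        "replay_accepted": replay,
        "audit_events": [e.action for e in reg.audit],
    }


if __name__ == "__main__":
    for k, v in compare_models().items():
        print(f"{k}: {v}")
```

The comparison is the check the reply describes: in the shared-password model, revoking one device forces re-provisioning of the whole fleet, so revocation is not independent; in the per-device model the compromised device is denied while the others keep working, a replayed response is rejected because the challenge is consumed on first use, and every enrollment, revocation and authentication decision is in the audit list, so an auditor can verify who or what is still active.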