TL;DR: Enterprises are increasingly treating FIDO and certificate-based authentication as complementary rather than competing methods, because FIDO remains uneven across environments while CBA already fits user and machine identity use cases today, according to Axiad. The practical issue is not choosing one standard but aligning each to the authentication problem it solves without creating governance gaps.
NHIMG editorial — based on content published by Axiad: CBA and FIDO: One, Other, or Both?
By the numbers:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
- Only 5.7% of organisations have full visibility into their service accounts.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
Questions worth separating out
Q: How should security teams choose between FIDO and certificate-based authentication?
A: Security teams should choose by identity type, environment maturity, and lifecycle control.
Q: Why do certificate-based authentication programmes fail in practice?
A: They fail when organisations focus on trust establishment but neglect certificate lifecycle governance.
Q: What do teams get wrong about passwordless authentication?
A: They often assume passwordless login solves identity governance when it mainly improves authentication assurance.
Practitioner guidance
- Map authentication methods by identity type: separate human login, managed device trust, and workload access into distinct policy paths.
- Review certificate lifecycle ownership: assign clear ownership for issuance, renewal, revocation, and emergency retirement of certificates.
- Test authentication coverage across mixed estates: validate which applications, devices, and accounts can actually authenticate under the current architecture.
What's in the full article
Axiad's full blog post covers the implementation details this post intentionally leaves for the source:
- How the platform supports both FIDO and certificate-based authentication in one environment
- The specific use cases where certificate-based authentication is positioned as the better operational fit
- The authentication methods and authenticators that the platform says it supports today
- The product-specific rollout guidance behind its pragmatic FIDO approach
👉 Read Axiad's analysis of pragmatic FIDO and certificate-based authentication →
CBA and FIDO: what does a pragmatic authentication mix mean?
Explore further
Pragmatic authentication is a governance strategy, not a product decision. The article shows that no single method cleanly covers every enterprise use case, especially when human login, device trust, and workload identity all coexist. That is the right starting point for identity architects because authentication choices have to follow identity type and lifecycle, not procurement convenience. Practitioners should evaluate access paths by population and risk, not by one universal standard.
A few things that frame the scale:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why authentication decisions must be paired with lifecycle visibility.
A question worth separating out:
Q: How can organisations run FIDO and CBA together without creating access sprawl?
A: Use a policy model that assigns each method to the identity populations and applications it supports, then govern certificate lifecycle and recovery paths as first-class controls. The goal is not to unify everything under one method, but to keep each trust path visible, accountable, and removable when no longer needed.
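The policy model described in this answer, and the lifecycle checks from the practitioner guidance above, can be made concrete as a small inventory audit. The following is an added illustration, not code from Axiad or NHIMG: it assumes a constructed policy table that assigns permitted methods to three identity populations (human, device, workload), an inventory of trust paths with owner, expiry and revocation attributes, and a 30-day renewal window. All names and dates are invented.

```python
"""Audit an inventory of trust paths against a method-per-population policy
and flag the governance gaps the editorial describes: a method used by a
population it is not assigned to, a path with no lifecycle owner, and
certificate-backed paths with no expiry, an expired or soon-expiring
certificate, or no revocation path. Example code; all data is constructed."""

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed policy model: which methods each identity population may use.
POLICY = {
    "human": {"fido2", "certificate"},    # interactive login
    "device": {"certificate"},            # managed device trust
    "workload": {"certificate"},          # service-to-service access
}

# Assumed renewal window; a real programme sets this per certificate profile.
RENEWAL_WINDOW = timedelta(days=30)


@dataclass
class TrustPath:
    name: str
    population: str
    method: str
    owner: Optional[str] = None
    not_after: Optional[date] = None          # certificate expiry, if any
    revocation_path: Optional[str] = None     # e.g. "CRL" or "OCSP"


def audit(paths, today):
    """Return {path name: [issues]} for every path with at least one gap."""
    findings = {}
    for p in paths:
        issues = []
        allowed = POLICY.get(p.population)
        if allowed is None:
            issues.append("unknown population")
        elif p.method not in allowed:
            issues.append(f"method {p.method} not permitted for {p.population}")
        if p.owner is None:
            issues.append("no lifecycle owner")
        if p.method == "certificate":
            if p.not_after is None:
                issues.append("no expiry recorded")
            elif p.not_after < today:
                issues.append("certificate expired")
            elif p.not_after - today <= RENEWAL_WINDOW:
                issues.append("inside renewal window")
            if p.revocation_path is None:
                issues.append("no revocation path")
        if issues:
            findings[p.name] = issues
    return findings


# Constructed inventory: a mix of clean and gapped trust paths.
TODAY = date(2025, 1, 15)
SAMPLE = [
    TrustPath("laptop-fleet", "device", "certificate", owner="endpoint-team",
              not_after=date(2026, 1, 1), revocation_path="CRL"),
    TrustPath("ci-runner", "workload", "fido2", owner="platform-team"),
    TrustPath("api-gateway", "workload", "certificate", owner=None,
              not_after=date(2025, 2, 1), revocation_path=None),
    TrustPath("staff-login", "human", "fido2", owner="iam-team"),
    TrustPath("legacy-vpn", "device", "certificate", owner="network-team",
              not_after=date(2024, 12, 31), revocation_path="OCSP"),
]


def audit_sample():
    return audit(SAMPLE, TODAY)


if __name__ == "__main__":
    for name, issues in audit_sample().items():
        print(f"{name}: {'; '.join(issues)}")
```

Running it lists only the three gapped paths: the CI runner using a method the workload population is not assigned, the API gateway with no owner, a certificate inside the renewal window and no revocation path, and the expired VPN certificate. The clean paths produce nothing, which is the point of keeping each trust path visible and accountable rather than unifying everything under one method.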
👉 Read our full editorial: CBA and FIDO together: what identity teams should do now