Identity-first passwordless for users and machines: what changes now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Passwordless access, MFA adoption friction, and SCIM-based lifecycle automation for users, machines, devices, and authenticated interactions are at the center of a partnership with Ping Identity, according to Axiad, with machines now outnumbering employees 3 to 1 and MFA cited as a major control gap. The governance problem is no longer login experience alone, but whether identity programmes can cover every credentialed actor consistently.

NHIMG editorial — based on content published by Axiad: Ping Identity and Axiad on the identity-first partnership and passwordless authentication

Questions worth separating out

Q: How should security teams extend passwordless beyond workforce users?

A: They should start by separating human authentication from machine authentication, then map which devices, certificates, and service interactions need distinct control paths.

Q: Why do machine identities complicate Zero Trust programmes?

A: Because Zero Trust assumes every subject can be verified continuously, yet machines and devices often authenticate through certificates, tokens, or embedded trust that are managed differently from users.

Q: What fails when MFA is unpopular with employees?

A: Adoption fails when the user experience is so poor that people search for workarounds, reuse weaker paths, or avoid the control altogether.

Practitioner guidance

  • Map every credentialed actor in scope: build one inventory for users, devices, service endpoints, certificates, and authenticated interactions.
  • Tie passwordless rollout to MFA exception analysis: identify where users resist MFA, where they use workarounds, and where application coverage is incomplete.
  • Automate joiner, mover and leaver flows through the source of truth: use SCIM or equivalent provisioning logic so account creation, updates, and deletion are driven by authoritative identity data rather than manual administration.

What's in the full article

Axiad's full article covers the operational detail this post intentionally leaves for the source:

  • The integration mechanics between Ping Identity and Axiad Cloud for extending authentication coverage across users and devices.
  • The PKI and certificate management details for machines, email signing, and encrypted documents.
  • The SCIM-based provisioning flow that automates user addition, modification, and deletion across the connected identity stack.
  • The specific authentication device options supported in the platform, including tokens, biometrics, smart cards, and mobile authenticators.

👉 Read Axiad's analysis of identity-first passwordless and machine authentication →

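As an added example (not part of the original post, and not Axiad's or Ping Identity's integration code), the following shows what "driven by authoritative identity data" looks like as SCIM 2.0 operations: a joiner/mover/leaver reconciliation that compares constructed HR records against a constructed directory state and emits the POST and PatchOp requests needed to converge them, including the orphan account that exists only in the directory. Attribute and schema names follow RFC 7643/7644; the endpoint paths and sample users are assumptions.

```python
import json

# Constructed sample data (not real people or systems). HR_RECORDS stands in
# for the authoritative source; DIRECTORY_STATE for the SCIM service provider.
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
HR_RECORDS = [
    {"userName": "a.lee", "department": "Finance", "active": True},      # joiner
    {"userName": "b.osei", "department": "Engineering", "active": True},  # mover
    {"userName": "c.nair", "department": "Sales", "active": False},      # leaver
]
DIRECTORY_STATE = {
    "b.osei": {"id": "u-200", "department": "Support", "active": True},
    "c.nair": {"id": "u-300", "department": "Sales", "active": True},
    "d.ghost": {"id": "u-400", "department": "IT", "active": True},  # unknown to HR
}

def patch(user_id, attr, value):
    """Build one SCIM 2.0 PatchOp request (RFC 7644 section 3.5.2)."""
    return {"method": "PATCH", "path": f"/Users/{user_id}", "body": {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "path": attr, "value": value}]}}

def reconcile(hr_records, directory_state):
    """Return the SCIM requests that bring the directory in line with HR.
    Joiner: active in HR, absent from directory -> POST /Users.
    Mover: department differs -> PATCH replace on the enterprise extension.
    Leaver: inactive in HR, or in the directory but unknown to HR ->
    PATCH active=false (keeps audit history and prevents identifier reuse).
    """
    ops = []
    for rec in hr_records:
        current = directory_state.get(rec["userName"])
        if current is None:
            if rec["active"]:
                ops.append({"method": "POST", "path": "/Users", "body": {
                    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE],
                    "userName": rec["userName"], "active": True,
                    ENTERPRISE: {"department": rec["department"]}}})
        elif not rec["active"] and current["active"]:
            ops.append(patch(current["id"], "active", False))
        elif rec["active"] and current["department"] != rec["department"]:
            ops.append(patch(current["id"], f"{ENTERPRISE}:department", rec["department"]))
    known = {r["userName"] for r in hr_records}
    for name, current in directory_state.items():
        if name not in known and current["active"]:  # orphan account: the control gap
            ops.append(patch(current["id"], "active", False))
    return ops

if __name__ == "__main__":
    print(json.dumps(reconcile(HR_RECORDS, DIRECTORY_STATE), indent=2))
```

Running the reconciliation again after the requests have been applied yields an empty list, which is the property that makes the source of truth, rather than manual administration, the driver.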

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Passwordless projects fail when they are treated as login modernisation instead of identity governance. The article shows the real issue is not whether users can authenticate with less friction, but whether the programme also covers machines, devices, and other non-human identities. When those actors remain outside the control model, the organisation improves one access path while leaving another exposed. Practitioners should treat passwordless as a cross-actor governance problem, not a front-end convenience project.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: How do organisations govern certificates and device identities alongside IAM?

A: They should manage certificates and device identities as first-class identity objects, not as sidecar infrastructure. That means defining issuance, renewal, and revocation ownership, then connecting those actions to joiner, mover, and leaver processes so machine trust does not drift away from human governance.

👉 Read our full editorial: Identity-first passwordless must cover users, machines and devices
