TL;DR: Passwordless authentication is only sustainable when governance, lifecycle discipline, and architecture evolve together, according to Versasec. The real risk is not the authentication method itself, but the assumption that stronger login controls eliminate the need for rigorous identity management across users, certificates, and credentials.
NHIMG editorial — based on content published by Versasec: The Stockholm Perspective: 25 Years of Trust and the Future of Versasec
Questions worth separating out
Q: How should organisations govern passwordless authentication without losing lifecycle control?
A: They should treat passwordless as an identity governance programme, not a login project.
Q: Why does passwordless authentication still need PAM and access reviews?
A: Because authentication proves who or what is presenting the credential, not what that identity is allowed to do.
Q: What breaks when certificate revocation is slow or incomplete?
A: Expired business need does not equal expired access if revocation lags behind reality.
Practitioner guidance
- Map passwordless controls to lifecycle ownership Assign explicit ownership for issuance, renewal, revocation, and exception handling across certificates, keys, and device trust so that authentication is not left detached from governance.
- Review revocation paths before expanding certificate use Test whether certificates and keys are actually invalidated when users leave, devices are retired, or workloads change purpose, especially where multiple admin tools touch the same trust fabric.
- Separate authentication assurance from privilege decisions Keep access reviews, role design, and privileged access workflows in scope even when passwordless is in place, because strong login does not prevent excessive authorisation.
What's in the full article
Versasec's full article covers the strategic perspective this post intentionally leaves to the source:
- The founder and board-member backstory behind the company’s 25-year identity focus
- The “inside-outside” board perspective on balancing growth, cash flow, and operational risk
- The verticalisation strategy discussion, including why industry-specific messaging matters
- The company’s own framing of its passwordless and PKI direction
👉 Read Versasec's perspective on 25 years of trust and the future of passwordless identity →
Passwordless identity governance: what IAM teams are missing?
Explore further
Passwordless success depends on identity governance maturity, not authentication branding. The article’s core message is that removing passwords only improves security if issuance, trust, and revocation are managed with discipline. PKI, certificates, and device trust still create lifecycle obligations that many organisations underweight when they treat passwordless as a user-experience project. The practitioner conclusion is simple: modern authentication does not simplify governance, it raises the cost of getting governance wrong.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most teams cannot reliably prove who or what still has access.
A question worth separating out:
Q: How do human IAM teams and NHI teams align on passwordless governance?
A: They should align on shared lifecycle controls while accepting that the identities differ. Human certificates, service credentials, and workload identities all need issuance rules, revocation paths, and review cadences, even if the tooling is different. The goal is one governance model with different execution patterns.
👉 Read our full editorial: Passwordless identity governance needs lifecycle discipline