Post-quantum TLS for credentials: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Hybrid post-quantum key exchange has been deployed on a web application, using X25519MLKEM768 for compatible browsers to protect credential traffic against harvest-now, decrypt-later risk without user action or performance penalties, according to 1Password. The real shift is that long-term confidentiality now has to be treated as an identity and transport design requirement, not a future migration task.

NHIMG editorial — what this means for NHI practitioners

By the numbers:

  • At the time of writing this post, I personally have 291 items in my vault, so the long-term confidentiality of this data is critical to myself and every 1Password user.

Questions worth separating out

Q: How should security teams plan for post-quantum protection in identity systems?

A: Security teams should start with identity data that must stay confidential for the longest period, including authentication channels, recovery flows, and privileged sessions.

Q: Why does harvest-now, decrypt-later matter for IAM and NHI programmes?

A: It matters because identity traffic often contains material that remains valuable long after the session ends, including credentials, tokens, and recovery information.

Q: How do you know if post-quantum rollout is actually working?

A: You know it is working when compatible clients consistently negotiate the intended hybrid key exchange and fallback rates are visible and understood.

Practitioner guidance

  • Inventory identity traffic with long confidentiality requirements: Map which authentication, vault, recovery, and administrative channels carry data that must remain confidential for years, then rank them by exposure and retention value.
  • Verify negotiated cryptography in client populations: Check which browsers, endpoints, and automated clients can negotiate hybrid post-quantum key exchange, and measure where fallback still occurs in production.
  • Update change management for cryptographic migration: Treat PQC rollout as a distributed control change across clients, servers, and policy boundaries, with validation steps for every identity-critical pathway.

What's in the full announcement

1Password's full article covers the operational detail this post intentionally leaves for the source:

  • Browser-side verification steps for confirming X25519MLKEM768 in Chrome or Firefox
  • The specific TLS negotiation behaviour used by compatible clients
  • The staged roadmap for expanding PQC beyond the web application
  • Practical troubleshooting guidance for clients that do not negotiate PQC

👉 Read 1Password’s update on post-quantum protection for web app credentials →

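As an added example (not code from the post above or from 1Password), here is the "is the rollout actually working" check from the practitioner guidance, run over constructed reverse-proxy handshake log lines: it measures how many sessions negotiated the hybrid X25519MLKEM768 group and which client populations fell back. The log format, field names and client strings are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample log (hypothetical format, not 1Password's): one TLS
# handshake per line, recording the negotiated TLS version, key-exchange
# group (absent for TLS 1.2, which has no named-group concept here) and client.
SAMPLE_LOG = """\
2025-05-01T10:00:01Z tls=TLSv1.3 group=X25519MLKEM768 ua=Chrome/124
2025-05-01T10:00:02Z tls=TLSv1.3 group=X25519MLKEM768 ua=Firefox/128
2025-05-01T10:00:03Z tls=TLSv1.3 group=X25519 ua=Safari/17
2025-05-01T10:00:04Z tls=TLSv1.3 group=secp256r1 ua=internal-sync-agent/2.1
2025-05-01T10:00:05Z tls=TLSv1.2 ua=legacy-cli/0.9
2025-05-01T10:00:06Z tls=TLSv1.3 group=X25519MLKEM768 ua=Chrome/124
"""

# Groups that count as the intended hybrid post-quantum key exchange.
HYBRID_PQ_GROUPS = {"X25519MLKEM768"}

LINE_RE = re.compile(r"tls=(?P<tls>\S+)(?: group=(?P<group>\S+))? ua=(?P<ua>\S+)")

def parse_handshakes(log_text):
    """Yield (tls_version, group, user_agent); group is None when not logged."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("tls"), m.group("group"), m.group("ua")

def pq_rollout_report(log_text):
    """Summarise hybrid-PQ share, fallback rate and which clients fell back."""
    groups, fallback_uas, total = Counter(), Counter(), 0
    for tls, group, ua in parse_handshakes(log_text):
        total += 1
        label = group or f"{tls}-no-group"  # legacy TLS 1.2 sessions
        groups[label] += 1
        if group not in HYBRID_PQ_GROUPS:
            fallback_uas[ua] += 1
    pq = sum(n for g, n in groups.items() if g in HYBRID_PQ_GROUPS)
    return {
        "total": total,
        "pq_share": pq / total if total else 0.0,
        "fallback_rate": (total - pq) / total if total else 0.0,
        "groups": dict(groups),
        "fallback_clients": dict(fallback_uas),
    }

if __name__ == "__main__":
    r = pq_rollout_report(SAMPLE_LOG)
    print(f"hybrid PQ share {r['pq_share']:.0%}, fallback {r['fallback_rate']:.0%}")
    for ua, n in r["fallback_clients"].items():
        print(f"  fallback client {ua}: {n} handshake(s)")
```

The per-client fallback table is the part worth watching over time: a browser that should support the hybrid group but keeps appearing there points at a client or middlebox problem, while an automated agent appearing there is a candidate for the crypto-agility work the reply below discusses.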

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Long-term confidentiality is now an identity governance concern, not just a cryptography concern. Credentials, session metadata, and recovery pathways are part of the identity control plane, so their protection horizon has to match the lifetime of the information they carry. When the transport layer cannot guarantee future confidentiality, the identity programme inherits the risk. Practitioners should treat cryptographic duration as a governance issue, not a pure engineering detail.

A few things that frame the scale:

  • 60% of NHIs are being overused, with the same NHI utilised by more than one application, increasing the risk of widespread compromise if exposed, according to The 2025 State of NHIs and Secrets in Cybersecurity.
  • 91% of former employee tokens remain active after offboarding, which shows how long identity data can stay exposed when lifecycle governance lags behind operational reality.

A question worth separating out:

Q: What is the difference between crypto agility and simple encryption upgrades?

A: Crypto agility is the ability to change key exchange, algorithms, and negotiation policy without disrupting identity services. A simple encryption upgrade usually replaces one mechanism with another but leaves the operational model unchanged. For identity platforms, agility matters more because client compatibility, protocol negotiation, and rollout sequencing all affect whether protection actually reaches production.

👉 Read our full editorial: Post-quantum cryptography on web app traffic changes long-term identity risk
