TL;DR: Two weak points in modern identity programmes are highlighted by FIDO Alliance’s new working groups: account recovery after passwordless adoption and device authentication for non-person entities, which already represent over 30% of identities on Axiad ID Cloud, according to Axiad. The real issue is broader identity assurance, where user, machine, and transaction trust must be managed together.
NHIMG editorial — based on content published by Axiad: FIDO Alliance takes aim at two new cybersecurity challenges. Why should your enterprise care?
By the numbers:
- Today authentication for NPE (non-person entities) represents over 30% of the identities on Axiad ID Cloud, and this percentage is growing.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should teams handle account recovery in passwordless environments?
A: Treat account recovery as a high-assurance identity event, not a support shortcut.
Q: Why do non-person entities need separate IAM governance?
A: Because devices, applications, and systems authenticate differently from people and often exist at much larger scale.
Q: What do organisations get wrong about passwordless security?
A: They often assume that removing passwords solves the identity problem.
Practitioner guidance
- Reclassify account recovery as privileged access: subject recovery flows to stronger verification, tighter approval paths, and better audit logging than routine authentication.
- Separate machine identities from human identity governance: build a distinct inventory for devices, applications, and systems, then define onboarding, renewal, and retirement controls for each class.
- Add transaction-level assurance to sensitive workflows: for high-risk actions, require controls that validate the interaction itself, such as step-up checks, signing, or approval binding.
What's in the full article
Axiad's full blog post covers the operational detail this post intentionally leaves for the source:
- The FIDO Alliance working group context and the specific account-recovery and IoT identity issues it is trying to address.
- Axiad's explanation of how its customer base is using device authentication across non-person entities.
- The article's full discussion of confidentiality, integrity, and availability as the three dimensions of transaction trust.
- The vendor's own framing of why these assurance issues now matter across the digital workplace.
👉 Read Axiad's analysis of FIDO Alliance account recovery and IoT identity priorities →
FIDO Alliance identity assurance: what changes for IAM teams?
Explore further
Account recovery is now an identity assurance problem, not an edge case. The article correctly identifies recovery as the weakest link once passwords recede, because loss of the original factor creates a new trust decision. That issue is larger than help desk convenience: recovery becomes the moment when attackers try to impersonate the legitimate subject and the programme must re-derive confidence. Practitioners should treat recovery as a core assurance pathway, not a support exception.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, and 77% of those incidents resulted in tangible damage, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: How can security teams tell whether transaction authentication is needed?
A: Use it when the action itself carries risk even after login has succeeded, such as approving payments, changing entitlements, or authorising sensitive transfers. If a valid session is not enough to trust the outcome, the workflow needs transaction-level assurance.
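The practitioner guidance above calls for "approval binding" on high-risk actions, and the answer just given says a valid session is not enough on its own. The following Python is an added example written for this editorial, not code from Axiad or the FIDO Alliance, showing one way to implement that idea: an approval is an HMAC over a digest of the exact transaction, the approver, a nonce and an expiry, and the executor recomputes everything against the transaction it is actually about to run. The key, the transaction fields, the function names and the process-local nonce set are all constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed demo key for this example only; a real deployment keeps the
# approval key in an HSM/KMS and never in source.
APPROVAL_KEY = b"constructed-demo-key-do-not-use"

# Nonces of approvals that have already been spent (replay protection).
# In production this is a durable, shared store, not a process-local set.
_consumed_nonces = set()

MAC_FIELDS = ("approver", "nonce", "expires", "tx_digest")


def canonical_transaction(tx: dict) -> bytes:
    """Deterministic serialisation so approver and executor commit to the
    same bytes: sorted keys, no incidental whitespace."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def _mac(approval: dict) -> str:
    body = {k: approval[k] for k in MAC_FIELDS}
    return hmac.new(APPROVAL_KEY, canonical_transaction(body), hashlib.sha256).hexdigest()


def issue_approval(tx: dict, approver: str, ttl_seconds: int = 300,
                   now: Optional[float] = None) -> dict:
    """Bind an approval to one specific transaction. The MAC covers the
    transaction digest, approver, a fresh nonce and an expiry, so the approval
    cannot be moved to a different payee, amount or time window."""
    now = time.time() if now is None else now
    approval = {
        "approver": approver,
        "nonce": secrets.token_hex(16),
        "expires": int(now) + ttl_seconds,
        "tx_digest": hashlib.sha256(canonical_transaction(tx)).hexdigest(),
    }
    approval["mac"] = _mac(approval)
    return approval


def execute_transfer(session_valid: bool, actor: str, tx: dict,
                     approval: Optional[dict],
                     now: Optional[float] = None) -> Tuple[bool, str]:
    """Executor-side check. A valid login session is necessary but not
    sufficient: the action proceeds only if an unexpired, unused approval
    from someone other than the actor is bound to exactly this transaction."""
    now = time.time() if now is None else now
    if not session_valid:
        return False, "no valid session"
    if approval is None:
        return False, "transaction-level assurance required: no approval presented"
    if not all(k in approval for k in MAC_FIELDS + ("mac",)):
        return False, "malformed approval"
    # Integrity: the approval must be genuine and untampered.
    if not hmac.compare_digest(_mac(approval), approval["mac"]):
        return False, "approval MAC mismatch"
    # Binding: the approval must commit to the transaction actually being run.
    actual = hashlib.sha256(canonical_transaction(tx)).hexdigest()
    if not hmac.compare_digest(approval["tx_digest"], actual):
        return False, "approval is bound to a different transaction"
    # Separation of duties: the requester cannot approve their own action.
    if approval["approver"] == actor:
        return False, "self-approval not permitted"
    # Freshness and single use.
    if now > approval["expires"]:
        return False, "approval expired"
    if approval["nonce"] in _consumed_nonces:
        return False, "approval already used (replay)"
    _consumed_nonces.add(approval["nonce"])
    return True, "executed"


def demo() -> list:
    """Walk through the cases a session-only check would get wrong.
    Returns the boolean outcome of each attempt in order."""
    t0 = 1_700_000_000.0  # fixed clock so the walkthrough is reproducible
    tx = {"type": "transfer", "from": "ops-account", "to": "ACME-LTD",
          "amount": 25000, "currency": "GBP", "ref": "INV-1042"}  # constructed
    results = []
    # 1. Valid session, no approval: login alone must not authorise the transfer.
    results.append(execute_transfer(True, "alice", tx, None, now=t0)[0])
    # 2. Properly bound approval from a second person succeeds.
    ok_approval = issue_approval(tx, approver="bob", now=t0)
    results.append(execute_transfer(True, "alice", tx, ok_approval, now=t0)[0])
    # 3. Presenting the same approval again is refused (replay).
    results.append(execute_transfer(True, "alice", tx, ok_approval, now=t0)[0])
    # 4. An approval for the original transaction does not cover a changed payee.
    changed_tx = dict(tx, to="OTHER-PAYEE")
    results.append(execute_transfer(True, "alice", changed_tx,
                                    issue_approval(tx, "bob", now=t0), now=t0)[0])
    # 5. Self-approval is refused even when the MAC and binding are correct.
    results.append(execute_transfer(True, "alice", tx,
                                    issue_approval(tx, "alice", now=t0), now=t0)[0])
    # 6. An expired approval is refused.
    stale = issue_approval(tx, "bob", ttl_seconds=60, now=t0)
    results.append(execute_transfer(True, "alice", tx, stale, now=t0 + 120)[0])
    return results


if __name__ == "__main__":
    print(demo())  # [False, True, False, False, False, False]
```

The design point is that the executor never trusts the approval as a bearer token: it re-derives the digest from the transaction it is about to perform, so an approval captured for one payee or amount cannot be spent on another, and the nonce store turns each approval into a single-use artefact. The same pattern applies to entitlement changes or recovery-flow approvals, with the canonical payload describing that action instead of a transfer.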
👉 Read our full editorial: FIDO Alliance’s focus on identity assurance beyond passwords