
Hardware tokens and smart cards: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Phishing-resistant authentication only becomes operational at scale when issuance, renewal, revocation, and recovery are managed as a single identity lifecycle across hybrid environments, supported by IDEMIA smart cards and hardware tokens, according to Axiad. The real issue is not authentication strength alone, but whether organisations can sustain consistent credential governance across thousands of users and systems.

NHIMG editorial — based on content published by Axiad: Partner Spotlight on streamlining authentication at scale with IDEMIA

Questions worth separating out

Q: How should security teams scale phishing-resistant authentication across hybrid environments?

A: They should standardise enrollment, renewal, recovery, and revocation across every platform that touches identity.

Q: Why do hardware tokens still fail in large IAM programmes?

A: Hardware tokens usually fail operationally, not cryptographically.

Q: What do teams get wrong about converged physical and logical access?

A: They often treat convergence as a convenience feature instead of a governance dependency.

Practitioner guidance

  • Map authenticator lifecycle ownership: assign one accountable team for issuance, renewal, account recovery, and revocation so hardware authentication does not become a shared-responsibility gap.
  • Standardise recovery workflows across platforms: document how certificate recovery works for Windows, Mac, Linux, cloud, and hybrid identities, then remove any platform-specific exception paths that bypass policy.
  • Synchronise physical and logical offboarding: tie badge revocation, token invalidation, and system access removal to the same leaver process so one credential cannot outlive the other.

What's in the full article

Axiad's full partner spotlight covers the operational detail this post intentionally leaves for the source:

  • Specific provisioning and renewal workflows for smart cards and hardware tokens across large user populations
  • The operational case for self-service certificate management and how it reduces support overhead
  • Detailed product positioning for mixed physical and logical access use cases in hybrid environments
  • The vendor's comparison points on credential formats, deployment flexibility, and federal compliance context

👉 Read Axiad's partner spotlight on scaling phishing-resistant authentication with IDEMIA →
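The offboarding and renewal checks described in the practitioner guidance above, as an added example that is not part of the original post or of Axiad's or IDEMIA's material. It reconciles a constructed HR leaver feed against a constructed credential inventory (badges, smart-card certificates, hardware tokens, cloud keys) and flags credentials that outlived their owner, leavers whose offboarding was only partial, and certificates past or near their renewal window. The record field names, the sample data and the 30-day renewal window are assumptions chosen for illustration.

```python
"""Added example (not from the Axiad/NHIMG post): reconcile a credential inventory
against an HR leaver feed so no badge, smart-card certificate or cloud key outlives
its owner, and flag certificates approaching renewal. All data is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Credential:
    owner: str                 # user id from the identity source of record (assumed field)
    kind: str                  # "badge", "smartcard_cert", "hw_token", "cloud_key"
    ident: str                 # serial, certificate thumbprint or key id (constructed)
    active: bool               # True if the issuing system still honours it
    not_after: Optional[date] = None   # expiry for certificate-backed credentials


# Constructed HR feed: user id -> (status, leave date or None)
HR_FEED = {
    "u1001": ("active", None),
    "u1002": ("left", date(2024, 5, 31)),
    "u1003": ("left", date(2024, 6, 14)),
    "u1004": ("active", None),
}

# Constructed inventory as pulled from the badge system, the PKI and the cloud IdP
INVENTORY = [
    Credential("u1001", "smartcard_cert", "thumb-aaa", True, date(2024, 7, 1)),
    Credential("u1001", "badge", "badge-0001", True),
    Credential("u1002", "badge", "badge-0002", False),                            # badge revoked...
    Credential("u1002", "smartcard_cert", "thumb-bbb", True, date(2025, 1, 1)),   # ...PIV cert still live
    Credential("u1003", "hw_token", "tok-3", True),
    Credential("u1003", "cloud_key", "key-3", True),
    Credential("u1004", "smartcard_cert", "thumb-ddd", True, date(2024, 6, 20)),
    Credential("u1004", "smartcard_cert", "thumb-dde", True, date(2024, 6, 1)),   # expired but not revoked
    Credential("u9999", "cloud_key", "key-orphan", True),                         # owner unknown to HR
]

SAMPLE_TODAY = date(2024, 6, 15)   # fixed "today" so the run is reproducible


def find_lifecycle_gaps(today: date, renewal_window_days: int = 30):
    """Return (outlived, expiring, expired):
    - outlived: active credentials whose owner has left or is unknown to HR
    - expiring: active certificates within renewal_window_days of not_after
    - expired:  active certificates already past not_after but never revoked
    """
    outlived, expiring, expired = [], [], []
    for cred in INVENTORY:
        if not cred.active:
            continue
        status, _ = HR_FEED.get(cred.owner, ("unknown", None))
        if status != "active":
            outlived.append(cred)        # governance gap: leaver process did not reach this system
            continue
        if cred.not_after is not None:
            if cred.not_after < today:
                expired.append(cred)
            elif cred.not_after - today <= timedelta(days=renewal_window_days):
                expiring.append(cred)
    return outlived, expiring, expired


def partially_offboarded(today: date):
    """Leavers holding a mix of revoked and still-active credentials: the exact
    'one credential outlives the other' case the unified leaver process must close.
    Returns {owner: sorted list of (kind, active)}."""
    outlived, _, _ = find_lifecycle_gaps(today)
    result = {}
    for owner in {c.owner for c in outlived}:
        creds = [c for c in INVENTORY if c.owner == owner]
        if any(not c.active for c in creds):
            result[owner] = sorted((c.kind, c.active) for c in creds)
    return result


if __name__ == "__main__":
    outlived, expiring, expired = find_lifecycle_gaps(SAMPLE_TODAY)
    for label, items in (("OUTLIVED OWNER", outlived), ("EXPIRING", expiring), ("EXPIRED", expired)):
        for c in items:
            print(f"{label:15} {c.owner:6} {c.kind:15} {c.ident}")
    for owner, creds in partially_offboarded(SAMPLE_TODAY).items():
        print(f"PARTIAL OFFBOARD {owner}: {creds}")
```

In a real deployment the three feeds would come from the badge system, the CA or card-management system, and the cloud identity provider; the point of joining them on the HR identity is that each platform's own "revoked" state is insufficient evidence that the leaver process completed.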

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Phishing-resistant authentication does not fail first at the cryptography layer. It fails at lifecycle control. The article is strongest when it shows that the real problem is not whether smart cards and hardware tokens can resist phishing, but whether organisations can issue, renew, recover, and revoke them consistently at scale. That is an identity governance problem, not a hardware problem. For practitioners, the decisive question is whether the credential lifecycle is as controlled as the authenticator itself.

A few things that frame the scale:

  • From our research: 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: Who is accountable when phishing-resistant authentication is inconsistent across systems?

A: Accountability should sit with the identity or access governance function that owns the lifecycle, not with individual platform teams. If authentication assurance varies by system, the root cause is usually policy fragmentation, not token failure. Governance must define the standard, and operations must keep every system aligned to it.

👉 Read our full editorial: Phishing-resistant authentication at scale needs better lifecycle control
