TL;DR: Mobile credentials improve convenience and security for many enterprise users, but Gartner, as cited in Axiad’s article, says 5% to 15% of employees in half of enterprises still need stronger assurance than phones can provide. The practical issue is not adoption alone, but whether identity programmes can support multiple credential types, offline access, and lifecycle governance without fragmenting control.
NHIMG editorial — based on content published by Axiad: Moving to mobile credentials? Read this first
By the numbers:
- According to Gartner, 5% to 15% of employees in 50% of enterprises require something more.
Questions worth separating out
Q: How should security teams roll out mobile credentials without weakening access assurance?
A: Start by segmenting users and environments by assurance need.
Q: Why do mobile credentials still require other identity controls?
A: Because authentication convenience does not solve every access condition.
Q: What do organisations get wrong about replacing cards with phones?
A: They often assume that a single mobile factor can serve every user and every access path.
Practitioner guidance
- Map credential requirements by role and environment: Classify users by assurance need, not by convenience.
- Consolidate issuance and revocation workflows: Put mobile credentials, smart cards, YubiKeys, and PKI-based access under a single governance view so help desk, IAM, and security teams can track credential state consistently across platforms.
- Design alternate paths for disconnected use cases: Document how users authenticate when internet access is unstable or unavailable, and make sure those paths preserve assurance rather than relying on ad hoc exceptions after access fails.
What's in the full article
Axiad's full blog post covers the operational detail this post intentionally leaves for the source:
- Specific examples of mobile credential deployment patterns for different workforce groups
- Discussion of PKI integration details for workstation and offline access use cases
- Practical guidance on combining mobile credentials with YubiKey and smart card workflows
- Axiad's view on simplifying credential administration across users, applications, and devices
Mobile credentials and identity lifecycle gaps: are controls keeping up?
Explore further
Mobile credentials reduce friction, but they do not collapse the need for differentiated assurance. The article makes clear that some users and environments still require physical or higher-assurance credentials. That means the real governance problem is tiering access by risk, not standardising everyone onto a single factor. Practitioners should expect credential diversity to persist, especially for high-privilege roles and restricted facilities.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity control breaks down before remediation can begin.
A question worth separating out:
Q: How should teams handle offline access for mobile credential programmes?
A: They should design and test a separate authentication path before rollout, not after outages expose the gap. The fallback path should preserve identity assurance, align with workstation and application needs, and be governed as part of the same credential lifecycle so recovery does not become an unmanaged exception.