
Mobile credentials: where they help and where controls still fail


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Mobile credentials improve convenience and raise the bar for everyday authentication, but they do not cover every user, device, or access scenario, according to Axiad. High-assurance roles, offline access, and environments that prohibit phones still require layered identity issuance and lifecycle governance.

NHIMG editorial — based on content published by Axiad: Authentication moving to mobile credentials? Read this first

By the numbers:

Questions worth separating out

Q: How should organisations decide where mobile credentials are appropriate?

A: Use mobile credentials for routine authentication where users have compatible devices, stable operating conditions, and low to moderate assurance needs.

Q: Why do mobile credentials not eliminate the need for other identity factors?

A: They do not cover every use case, especially privileged access, restricted rooms, or disconnected operations.

Q: How do teams know if a mobile credential programme is working well?

A: Look for fewer lost-credential events, lower help desk burden, and successful authentication across normal and degraded conditions.

Practitioner guidance

  • Map credential requirements by role and environment: separate routine users, privileged users, and restricted-site users into different assurance bands.
  • Preserve non-mobile fallback credentials: keep hardware tokens, smart cards, or PKI-backed options for high-assurance roles and disconnected environments.
  • Align issuance and revocation workflows: treat mobile credentials, physical cards, and workstation access as one governed lifecycle.

What's in the full article

Axiad's full blog post covers the operational detail this post intentionally leaves for the source:

  • Specific deployment considerations for mobile credentials in mixed physical and digital access environments
  • Practical discussion of where phones are unsuitable because of policy, privacy, or security restrictions
  • Additional detail on how credential issuance and lifecycle management can be consolidated across user types
  • Axiad's product-oriented explanation of how its credential management stack fits into existing IAM infrastructure

👉 Read Axiad's blog post on mobile credentials and authentication trade-offs →

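To make the practitioner guidance concrete, here is an added Python model (not Axiad's or NHIMG's code) of the three points: assurance bands mapped from role and environment, a check that reports where a phone-only credential set leaves a gap (no non-mobile fallback for privileged, phone-free or disconnected contexts), and a single lifecycle action that revokes every credential type an identity holds. The roles, bands, credential properties and environments are constructed assumptions for the example; it also exercises the "degraded conditions" case from the Q&A by treating an offline site as an environment constraint.

```python
"""Added illustration of the practitioner guidance above (not Axiad's or NHIMG's code).

Every role, band, environment and credential property below is a constructed
assumption chosen to make the policy checks concrete.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Band(IntEnum):
    """Assurance bands; a higher band demands stronger proof of identity."""
    ROUTINE = 1
    PRIVILEGED = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class CredentialType:
    name: str
    max_band: Band        # strongest band this factor may satisfy (assumed)
    needs_phone: bool     # unusable where phones are prohibited
    works_offline: bool   # usable with no network reachability


# Constructed catalogue of credential types with assumed properties.
CATALOGUE = {
    "mobile": CredentialType("mobile", Band.ROUTINE, needs_phone=True, works_offline=False),
    "hw_token": CredentialType("hw_token", Band.PRIVILEGED, needs_phone=False, works_offline=True),
    "smart_card": CredentialType("smart_card", Band.RESTRICTED, needs_phone=False, works_offline=True),
}

# Guidance 1: role -> assurance band (assumed mapping; unknown roles are routine).
ROLE_BAND = {"staff": Band.ROUTINE, "admin": Band.PRIVILEGED, "site_engineer": Band.RESTRICTED}


@dataclass(frozen=True)
class Environment:
    name: str
    phones_allowed: bool = True
    online: bool = True


def acceptable_credentials(role, env, catalogue=CATALOGUE):
    """Credential types that satisfy the role's band under the environment's constraints."""
    band = ROLE_BAND.get(role, Band.ROUTINE)
    return [
        ct.name for ct in catalogue.values()
        if ct.max_band >= band
        and (env.phones_allowed or not ct.needs_phone)
        and (env.online or ct.works_offline)
    ]


def coverage_gaps(roles, envs, catalogue=CATALOGUE):
    """Guidance 2 check: (role, environment) pairs that no credential type in the catalogue can serve."""
    return [(r, e.name) for r in roles for e in envs
            if not acceptable_credentials(r, e, catalogue)]


@dataclass
class Identity:
    user: str
    role: str
    credentials: dict = field(default_factory=dict)  # credential name -> "active" | "revoked"


def issue(identity, cred_name, catalogue=CATALOGUE):
    """Record an issued credential of a known type on the identity."""
    if cred_name not in catalogue:
        raise KeyError(f"unknown credential type {cred_name!r}")
    identity.credentials[cred_name] = "active"


def revoke_identity(identity):
    """Guidance 3: one leaver or compromise action revokes every credential the identity holds."""
    revoked = [n for n, s in identity.credentials.items() if s == "active"]
    for n in revoked:
        identity.credentials[n] = "revoked"
    return revoked


def authenticate(identity, cred_name, env, catalogue=CATALOGUE):
    """True only if the credential is still active and allowed for this role in this environment."""
    if identity.credentials.get(cred_name) != "active":
        return False
    return cred_name in acceptable_credentials(identity.role, env, catalogue)


if __name__ == "__main__":
    office = Environment("office")
    secure_room = Environment("secure_room", phones_allowed=False)
    remote_site = Environment("remote_site", online=False)
    phone_only = {"mobile": CATALOGUE["mobile"]}
    print("gaps with a phone-only programme:",
          coverage_gaps(["staff", "admin"], [office, secure_room, remote_site], phone_only))
    alice = Identity("alice", "admin")
    issue(alice, "mobile")
    issue(alice, "smart_card")
    print(authenticate(alice, "mobile", office), authenticate(alice, "smart_card", remote_site))
    print("revoked:", revoke_identity(alice))
```

Running the script with a phone-only catalogue lists every privileged, phone-free or offline combination as uncovered, which is the planning artefact the first guidance point asks for; the admin identity shows a mobile factor being refused for a privileged role while the smart card still authenticates at the disconnected site, and a single revoke call closes both.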



(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Mobile credentials improve the user experience, but they do not erase assurance stratification. The article correctly recognises that 5% to 15% of employees in half of enterprises still need something more than a phone-based factor. That is the real governance lesson. Identity programmes fail when they assume one authentication form can satisfy every role, room, or regulatory constraint. Practitioners should design for differentiated assurance by user population.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means credential sprawl is still being managed with incomplete control, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: Who should keep a non-mobile authentication option available?

A: Any organisation with high-assurance users, restricted physical spaces, regulated workflows, or unreliable connectivity should keep one. Leadership roles and sensitive environments often need stronger proof, and resilience depends on having an alternate path when phones cannot be used.

👉 Read our full editorial: Mobile credentials do not replace broader identity assurance
