Passwordless authentication and device lifecycle management: what changes?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: One enterprise security architect is using cloud identity management for MFA, PKI smart cards, YubiKey authentication, self-service authenticator issuance, and device lifecycle management, while aiming to improve compliance and reduce help desk dependency, according to Axiad. The real lesson is that passwordless programmes still succeed or fail on lifecycle control, not convenience.

NHIMG editorial — based on content published by Axiad: Achieving Cohesive Identity Security for an Entire Organization

Questions worth separating out

Q: How should security teams govern passwordless authentication at scale?

A: They should treat passwordless as an identity lifecycle programme, not just an authentication upgrade.

Q: Why do authenticator replacement flows create governance risk?

A: Replacement flows become risky when they allow a user to regain access without enough assurance that the request is legitimate.

Q: What breaks when device lifecycle management is disconnected from IAM?

A: Dormant authenticators, stale certificates, and forgotten recovery paths remain valid after a user changes role or leaves.

Practitioner guidance

  • Map every authenticator lifecycle step: document issue, bind, replace, recover, renew, and retire flows for smart cards, hardware keys, and certificate-backed access.
  • Define assurance thresholds for self-service recovery: set different recovery rules for routine replacement, lost-device events, and locked-out users.
  • Tie authenticator state to offboarding and recertification: when a user changes role or leaves, revoke active authenticators and verify that certificates, keys, and recovery channels are also retired.

What's in the full article

Axiad's full blog post covers the operational detail this post intentionally leaves for the source:

  • Customer-specific rollout context for MFA, smart cards, and YubiKey issuance
  • Named integration examples with PingFederate and Venafi
  • PeerSpot review excerpts on usability, support, and deployment experience
  • Product-specific discussion of Airlock and MyCircle workflows

👉 Read Axiad's customer story on passwordless authentication and device lifecycle management →
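The third guidance item above describes a check that is easy to state and rarely run: reconcile authenticator, certificate, and recovery-channel state against directory status so nothing stays usable after the person it was issued to leaves or changes role. As an added example, not code from Axiad's post or from the NHIMG editorial, the Python below joins constructed directory, authenticator, certificate, and recovery-channel records (stand-ins for IdP, PKI, and help-desk exports) and flags every credential that outlives its identity, plus active authenticators nobody has used in 90 days. Record shapes, field names, and the 90-day dormancy threshold are assumptions.

```python
"""Authenticator lifecycle reconciliation: find credentials that outlive the
identity they were issued to.

Added example; not code from the Axiad post or the NHIMG editorial. All
records below are constructed inline and field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class User:
    uid: str
    status: str        # "active" or "disabled" (assumed directory values)
    role: str


@dataclass(frozen=True)
class Authenticator:
    serial: str
    uid: str
    kind: str          # "smartcard", "yubikey", ...
    state: str         # "active" or "revoked"
    bound_role: str    # role the authenticator was issued for
    last_used: date


@dataclass(frozen=True)
class Certificate:
    serial: str
    uid: str
    not_after: date
    revoked: bool


@dataclass(frozen=True)
class RecoveryChannel:
    uid: str
    kind: str          # "trusted_colleague", "backup_code", ...
    enabled: bool


DORMANT_AFTER = timedelta(days=90)   # assumed policy threshold


def reconcile(users, authenticators, certs, channels, today):
    """Return (finding, identifier) tuples for lifecycle gaps.

    One finding per authenticator, in priority order: no directory entry,
    owner disabled, bound to a role the owner no longer holds, dormant.
    """
    by_uid = {u.uid: u for u in users}
    findings = []
    for a in authenticators:
        u = by_uid.get(a.uid)
        if u is None:
            findings.append(("authenticator_orphaned", a.serial))
        elif a.state == "active" and u.status == "disabled":
            findings.append(("authenticator_active_after_offboarding", a.serial))
        elif a.state == "active" and a.bound_role != u.role:
            findings.append(("authenticator_bound_to_former_role", a.serial))
        elif a.state == "active" and today - a.last_used > DORMANT_AFTER:
            findings.append(("authenticator_dormant", a.serial))
    for c in certs:
        u = by_uid.get(c.uid)
        still_valid = not c.revoked and c.not_after >= today
        if still_valid and (u is None or u.status == "disabled"):
            findings.append(("certificate_valid_after_offboarding", c.serial))
    for ch in channels:
        u = by_uid.get(ch.uid)
        if ch.enabled and (u is None or u.status == "disabled"):
            findings.append(("recovery_channel_open_after_offboarding",
                             f"{ch.uid}/{ch.kind}"))
    return findings


# Constructed sample data (not real users or serial numbers).
TODAY = date(2025, 6, 1)
USERS = [
    User("alice", "active", "engineer"),
    User("bob", "disabled", "engineer"),    # left the organisation
    User("carol", "active", "finance"),     # moved out of engineering
]
AUTHENTICATORS = [
    Authenticator("YK-0001", "alice", "yubikey", "active", "engineer", date(2025, 5, 30)),
    Authenticator("SC-0002", "bob", "smartcard", "active", "engineer", date(2025, 1, 15)),
    Authenticator("YK-0003", "carol", "yubikey", "active", "engineer", date(2025, 5, 31)),
    Authenticator("YK-0004", "alice", "yubikey", "active", "engineer", date(2025, 1, 1)),
    Authenticator("SC-0005", "dave", "smartcard", "active", "engineer", date(2025, 5, 1)),
]
CERTS = [
    Certificate("C-100", "alice", date(2026, 1, 1), False),
    Certificate("C-101", "bob", date(2026, 1, 1), False),    # still valid after bob left
    Certificate("C-102", "bob", date(2024, 1, 1), False),    # already expired, no finding
]
CHANNELS = [
    RecoveryChannel("alice", "trusted_colleague", True),
    RecoveryChannel("bob", "backup_code", True),
]


def run_example():
    return reconcile(USERS, AUTHENTICATORS, CERTS, CHANNELS, TODAY)


if __name__ == "__main__":
    for finding, ident in run_example():
        print(f"{finding:45} {ident}")
```

Run as a scheduled job against the real exports, the output is the work queue for the retire step: each line is a credential or recovery path that should already have been revoked by the offboarding or role-change flow, so a non-empty result is itself evidence that lifecycle control is disconnected from IAM.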

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Passwordless programmes fail when lifecycle governance is treated as an afterthought. The article shows that the practical challenge is not whether passwordless works, but whether issuance, replacement, and trusted recovery are controlled across the full identity journey. When organisations treat authenticators as one-time setup items, they create a governance gap that survives the password itself. Practitioners should view passwordless as a lifecycle discipline, not a single authentication decision.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means many identity programmes still cannot see their machine-side exposure clearly.

A question worth separating out:

Q: How can organisations reduce help desk dependency without weakening assurance?

A: By separating low-risk self-service tasks from high-risk recovery events. Routine issuance can be automated, but lost-device recovery, trusted-colleague verification, and re-binding should require stronger controls and clear logs. The goal is to preserve user speed while keeping assurance intact where it matters most.

👉 Read our full editorial: Passwordless authentication and device lifecycle management in practice
