Certificate-based authentication: what identity teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Certificate-based authentication lets organizations verify users, BYOD devices, and machines through device-resident certificates instead of passwords, according to Axiad. For IAM teams, the real issue is not the mechanism itself but the lifecycle burden: issuance, trust, revocation, and management determine whether certificates reduce risk or simply relocate it.

NHIMG editorial — based on content published by Axiad: 3 Key Use Cases for Certificate-Based Authentication

By the numbers:

Questions worth separating out

Q: How should security teams govern certificate-based authentication for machines and devices?

A: Security teams should govern certificates as identities with owners, lifecycles, and revocation triggers, not as static configuration files.

Q: Why do certificates matter for non-human identities?

A: Certificates matter because they give service-connected machines, kiosks, and devices a verifiable identity that is harder to guess or reuse than a password.

Q: What breaks when certificate revocation is slow or incomplete?

A: When revocation is slow or incomplete, identities continue to authenticate after they should have been removed from trust.

Practitioner guidance

  • Map certificate ownership to every identity type: assign a business owner and a technical owner to each user, device, and machine certificate so revocation decisions are unambiguous when roles change or devices are retired.
  • Tie certificate revocation to offboarding events: link certificate revocation to JML, device retirement, and vendor offboarding workflows so trust is removed when the identity is no longer active.
  • Track trust store drift continuously: scan applications and endpoints for stale trust stores, expired roots, and unmanaged certificate chains that still validate access.

What's in the full article

Axiad's full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step examples of certificate-based sign-in for Azure AD users and managed devices
  • Deployment detail for private certificates in BYOD and mobile device authentication
  • Practical machine-authentication scenarios for connected kiosks and IoT endpoints
  • Implementation considerations for certificate distribution, replacement, and revocation

👉 Read Axiad's guide to certificate-based authentication for users, devices, and machines →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Certificate-based authentication is only as mature as the identity lifecycle behind it. The mechanism can reduce password dependence, but it does not remove the need to know who or what owns each certificate, where it is deployed, and when it should be revoked. In practice, certificate trust becomes another form of identity sprawl if inventory and ownership are weak. Practitioners should treat certificates as governed identities, not just technical artifacts.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • Visibility gaps remain structural, not exceptional, and 97% of NHIs carry excessive privileges that widen the attack surface.

A question worth separating out:

Q: How do organisations know if certificate-based authentication is actually reducing risk?

A: Organisations should measure certificate inventory accuracy, revocation latency, and the percentage of endpoints using current trust stores. If they cannot prove which certificates are active and who owns them, the control is only partially effective. Risk reduction shows up when expired or orphaned certificates are removed quickly and consistently.

👉 Read our full editorial: Certificate-based authentication for users, devices, and machines



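The three governance checks in the practitioner guidance (ownership per certificate, revocation tied to offboarding, trust store drift) and the measurements mr-nhi lists (inventory accuracy, revocation latency, share of endpoints on the current trust store) can be run as plain checks over a certificate inventory. The following is an added example, not code from Axiad or from the NHIMG editorial: the record layout, the 24-hour revocation SLA, the reference time, and the bundle digests are all constructed assumptions, and the sample records are made up to exercise each failure mode.

```python
"""Governance checks over a certificate inventory (added example; all data constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class CertRecord:
    cert_id: str
    identity_type: str                        # "user", "device" or "machine"
    subject: str
    not_after: datetime
    business_owner: Optional[str] = None
    technical_owner: Optional[str] = None
    offboarded_at: Optional[datetime] = None  # JML, device-retirement or vendor-offboarding event
    revoked_at: Optional[datetime] = None


@dataclass
class Endpoint:
    host: str
    trust_bundle_sha256: str  # digest of the CA bundle this endpoint currently validates against


def find_orphans(records):
    """Certificates missing a business or technical owner: nobody can decide on revocation."""
    return [r.cert_id for r in records if not (r.business_owner and r.technical_owner)]


def unrevoked_after_offboarding(records, now):
    """Offboarded identities whose certificate is still unrevoked, i.e. still able to authenticate."""
    return [r.cert_id for r in records
            if r.offboarded_at is not None and r.offboarded_at <= now and r.revoked_at is None]


def expired_still_active(records, now):
    """Expired certificates the inventory still carries as active: an inventory-accuracy defect."""
    return [r.cert_id for r in records if r.not_after < now and r.revoked_at is None]


def revocation_latency_hours(records):
    """Hours between the offboarding event and revocation, for every certificate that has both."""
    return {r.cert_id: (r.revoked_at - r.offboarded_at).total_seconds() / 3600.0
            for r in records if r.offboarded_at is not None and r.revoked_at is not None}


def sla_breaches(records, sla_hours=24.0):
    """Certificates revoked later than the (assumed) revocation SLA allows."""
    return [cid for cid, hours in revocation_latency_hours(records).items() if hours > sla_hours]


def trust_store_drift(endpoints, current_bundle_sha256):
    """Percentage of endpoints validating against the approved bundle, plus the hosts that drifted."""
    drifted = [e.host for e in endpoints if e.trust_bundle_sha256 != current_bundle_sha256]
    pct = 100.0 * (len(endpoints) - len(drifted)) / len(endpoints) if endpoints else 0.0
    return pct, drifted


def governance_report(records, endpoints, now, current_bundle_sha256, sla_hours=24.0):
    """Collect every check into one report an identity team can review or alert on."""
    pct, drifted = trust_store_drift(endpoints, current_bundle_sha256)
    return {
        "orphaned": find_orphans(records),
        "unrevoked_after_offboarding": unrevoked_after_offboarding(records, now),
        "expired_still_active": expired_still_active(records, now),
        "revocation_latency_hours": revocation_latency_hours(records),
        "sla_breaches": sla_breaches(records, sla_hours),
        "endpoints_on_current_trust_store_pct": pct,
        "drifted_endpoints": drifted,
    }


# Constructed sample inventory: reference time, owners, events and digests are all made up.
NOW = datetime(2025, 3, 1, 12, 0, tzinfo=timezone.utc)
CURRENT_BUNDLE = "sha256:approved-bundle-2025q1"  # placeholder digest of the approved CA bundle
SAMPLE_RECORDS = [
    CertRecord("cert-001", "user", "alice@example.com", NOW + timedelta(days=365), "hr-lead", "iam-team"),
    CertRecord("cert-002", "device", "kiosk-17", NOW + timedelta(days=200), None, "ops-team"),
    CertRecord("cert-003", "machine", "svc-build-01", NOW + timedelta(days=100), "eng-lead", "platform",
               offboarded_at=NOW - timedelta(days=3), revoked_at=NOW - timedelta(days=3, hours=-2)),
    CertRecord("cert-004", "device", "laptop-byod-42", NOW + timedelta(days=50), "hr-lead", "endpoint-team",
               offboarded_at=NOW - timedelta(days=5)),
    CertRecord("cert-005", "machine", "iot-sensor-9", NOW - timedelta(days=10), "facilities", "ops-team"),
    CertRecord("cert-006", "user", "bob@example.com", NOW + timedelta(days=300), "hr-lead", "iam-team",
               offboarded_at=NOW - timedelta(days=10), revoked_at=NOW - timedelta(days=10, hours=-36)),
]
SAMPLE_ENDPOINTS = [
    Endpoint("web-01", CURRENT_BUNDLE), Endpoint("web-02", CURRENT_BUNDLE),
    Endpoint("db-01", CURRENT_BUNDLE), Endpoint("db-02", "sha256:stale-bundle-2023q3"),
]

if __name__ == "__main__":
    for key, value in governance_report(SAMPLE_RECORDS, SAMPLE_ENDPOINTS, NOW, CURRENT_BUNDLE).items():
        print(f"{key}: {value}")
```

On the sample data the report flags the kiosk certificate with no business owner, the BYOD laptop that was retired five days ago but never revoked, the expired IoT sensor certificate still carried as active, a 36-hour revocation for bob that breaches the assumed 24-hour SLA, and one of four endpoints validating against a stale bundle (75% on the current trust store). In a real deployment the records would be fed from the CA or PKI inventory and the endpoint digests from configuration management, with the report wired to the JML and device-retirement workflows the guidance describes.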