TL;DR: Credential governance must keep pace across certificate, smart card, and badge lifecycles, according to Versasec’s Summer Series 2025. The series frames vSEC:CMS as a way to manage PKI, FIDO2, and physical access credentials from one platform, while citing more than 500 customers and average retention of 95 months.
NHIMG editorial — based on content published by Versasec: vSEC:CMS Summer Series 2025, unifying PKI, FIDO2, and physical access
By the numbers:
- On average, they stay with us for 95 months.
- This platform has been managed since 2007, which is nearly two decades of development based on real world needs.
Questions worth separating out
Q: How should organisations govern multiple credential types in one identity programme?
A: Organisations should govern multiple credential types through a single lifecycle model, even if the underlying technologies differ.
Q: Why do strong authenticators still need identity governance?
A: Strong authenticators reduce one class of attack, but they do not manage registration, device replacement, help desk recovery, or exception handling.
Q: What breaks when certificate management is not part of lifecycle governance?
A: What breaks is revocation discipline.
Practitioner guidance
- Map credential lifecycles across all issuance paths Inventory certificate, FIDO2, RFID, NFC, and smart card issuance, then document who owns enrollment, renewal, suspension, and revocation for each path.
- Unify revocation and recovery policy Create one policy layer for credential revocation, replacement, and emergency recovery so help desk exceptions, lost devices, and expired certificates follow the same approval logic.
- Measure certificate and authenticator ownership clarity Track which teams can approve issuance, which teams can revoke access, and where accountability breaks between physical access and logical authentication.
What's in the full article
Versasec's full article covers the operational detail this post intentionally leaves for the source:
- Detailed examples of how vSEC:CMS handles PKI, FIDO2, and physical access credential administration in one workflow.
- Specific release detail on smart card batch issuance for FIDO in vSEC:CMS 7.1.
- Operational notes on PIN unblock options, including offline, online, and air-gapped use cases.
- Examples of enterprise credential management scenarios across government, finance, healthcare, and manufacturing.
👉 Read Versasec's summer series post on unifying PKI, FIDO2, and physical access →
PKI, FIDO2, and physical access credentials: what changes for IAM teams?
Explore further
Unified credential governance is the real problem, not credential diversity. PKI, FIDO2, RFID, smart cards, and NFC all create different enforcement surfaces, but they converge on the same governance question: can the organisation issue, track, and revoke credentials consistently across systems? When those paths diverge, administrative ownership fragments and stale access becomes harder to spot. Practitioners should read this as a lifecycle coordination problem, not a feature integration story.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: How do physical access credentials change offboarding requirements?
A: Physical access credentials extend offboarding beyond applications and VPNs to buildings and facilities. If badge revocation is not tied to the same leaver process as digital access removal, a former user can lose account access but still retain entry to physical locations. The control must be unified, not parallel.
👉 Read our full editorial: Unifying PKI, FIDO2, and physical access credentials