They should do so whenever the verification flow depends on a mobile device, remote onboarding, account recovery, or step-up authentication. If the endpoint can be jailbroken, modified, or instrumented, the device itself becomes part of the trust decision and must be assessed before access is granted.
Why This Matters for Security Teams
When identity proofing depends on a device, compromise of that device becomes part of the trust decision, not just an endpoint hygiene issue. That matters because mobile onboarding, account recovery, and step-up flows are often the exact points where attackers bypass strong passwords and move into higher-value access. NHI Management Group’s Ultimate Guide to NHIs shows that 79% of organisations have experienced secrets leaks, which is a useful reminder that compromise frequently starts before an identity control ever fires.
The practical risk is that a jailbroken, instrumented, or remotely controlled device can expose recovery codes, push approvals, session tokens, or bearer secrets. Security teams often focus on the account while ignoring the trust anchor being used to verify it. Current guidance suggests treating the device as part of the identity evidence when the workflow cannot safely separate user intent from device integrity. The NIST Cybersecurity Framework 2.0 reinforces that identity assurance must be tied to risk, not assumed from the presence of a logged-in device. In practice, many security teams encounter device-assisted account takeover only after recovery abuse or step-up fraud has already occurred, rather than through intentional control design.
How It Works in Practice
Organisations should decide, at the policy level, which verification steps are allowed to rely on device state and which require independent evidence. For high-risk flows, the device should be assessed for compromise indicators before it contributes to the trust decision. That can include mobile device management posture, OS integrity signals, jailbreak or root detection, attestation, certificate freshness, and whether the session has been recently re-authenticated from a known-good environment.
In mature programs, the device does not replace identity proofing. It augments it. A secure recovery flow may require a combination of factors: a verified recovery channel, device attestation, step-up authentication, and short-lived approval windows. If the device is healthy, the session can continue with reduced friction. If compromise is suspected, the workflow should degrade gracefully by forcing stronger evidence, manual review, or delayed recovery.
For teams building these controls, the operational question is not only “is the user legitimate?” but also “can this device still be trusted to participate in the verification?” That distinction is especially important when mobile push approvals, QR-based onboarding, or remote support tools are used to bootstrap access. NHI Management Group’s 52 NHI Breaches Analysis and the Ultimate Guide to NHIs both point to the same pattern: credentials and trust paths are frequently exposed through weak control points, not only through direct theft.
- Treat device compromise as identity risk when the device can approve, store, or transmit recovery evidence.
- Use attestation and posture checks before granting step-up access or account recovery.
- Prefer short-lived sessions and replay-resistant verification over persistent device trust.
- Escalate to manual review when compromise indicators and identity assertions conflict.
These controls tend to break down in BYOD-heavy environments with limited telemetry, because the security team cannot reliably distinguish a healthy device from one that is silently instrumented.
Common Variations and Edge Cases
Tighter device-based verification often increases user friction and support load, requiring organisations to balance stronger assurance against recovery speed. That tradeoff becomes visible in environments where mobile devices are shared, frequently replaced, or managed outside corporate MDM, because the integrity signal is weaker and compromise assessment is less reliable.
There is no universal standard for this yet, but current guidance suggests a risk-tiered model. Low-risk actions may accept device presence as a supporting signal. High-risk actions such as password reset, MFA rebind, privileged session approval, or remote onboarding should require stronger evidence and a shorter trust window. If the device is suspected to be compromised, the safest path is to treat it as untrusted until it can be revalidated or removed from the flow.
Another edge case is “clean-looking” compromise. A device may pass basic checks while still being monitored through malicious profiles, adversary-in-the-middle tooling, or cloud-synced session theft. That is why device posture alone is not enough. Policy should combine identity proofing, transaction context, and step-up controls so that a compromised endpoint cannot silently vouch for a user.
Best practice is evolving toward context-aware verification rather than static trust in a device class. Where the environment cannot support attestation, short-lived credentials, or strong telemetry, organisations should assume the device may be part of the attack path and route the action to a higher-assurance process.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers credential exposure and misuse when device trust is weak. |
| NIST CSF 2.0 | PR.AA-02 | Identity proofing should account for device compromise as part of access risk. |
| NIST AI RMF | Risk-based decisioning is needed when devices participate in identity verification. |
Document device trust assumptions and apply risk-based controls wherever verification depends on endpoint integrity.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
