
Why do organisations still need certificate-based authentication when FIDO exists?

By NHI Mgmt Group Editorial Team | Updated June 12, 2026 | Domain: Authentication, Authorisation & Trust

Because FIDO is not designed to cover every identity context. Certificate-based authentication still matters for device identity, workload authentication, and environments that depend on PKI and certificate lifecycle control. In practice, CBA fills gaps where user-centric passwordless methods do not reach, especially across managed endpoints and integrated enterprise platforms.

Why This Matters for Security Teams

FIDO solved a major human-authentication problem, but it did not replace the need for cryptographic identity outside the user login flow. Certificate-based authentication still anchors device trust, workload trust, and many enterprise integrations where a browser prompt is irrelevant. That distinction matters because certificate lifecycle failures remain operationally expensive: NHIMG reports that certificate expiry is the leading cause of outages for 45% of organisations in its machine identity management research.

Security teams often over-extend FIDO as a universal answer to authentication, then discover that service-to-service calls, VPNs, managed endpoints, and internal automation still need strong machine identity controls. NIST SP 800-63, the Digital Identity Guidelines, focuses on digital identity assurance for people; it is not a substitute for PKI-based trust in non-human contexts. In practice, certificate-based authentication is the mechanism that lets an organisation prove what a device or workload is, not just who clicked the login button.

In practice, many security teams only discover this gap after a certificate outage or service disruption has already broken access paths that FIDO was never meant to cover.

How It Works in Practice

Certificate-based authentication works by binding a private key to a device, service, or workload and having a relying party validate the corresponding certificate chain during connection or transaction time. That makes it useful wherever the identity subject is not a person, including managed laptops, remote access gateways, internal APIs, and automation platforms. For NHIs, this aligns with the broader lifecycle discipline described in the Ultimate Guide to NHIs.

In mature environments, CBA is not “set and forget.” It depends on certificate issuance, short validity periods, renewal automation, revocation handling, and ownership mapping. Operationally, teams usually pair CBA with:

  • device identity for managed endpoints and MDM-enrolled assets
  • workload identity for services, containers, and automation runners
  • PKI policy for issuance, subject naming, and key protection
  • rotation and revocation workflows that are tied to inventory and ownership
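As an added illustration of the relying-party side just described (example code written for this page, not code from NHIMG or from any product it names), the Go program below uses only the standard library to act as a tiny internal CA, issue a short-lived workload leaf, and then apply the checks a relying party would run: chain validation against trusted roots, a lifetime ceiling, and a lookup of the asserted identity against an ownership inventory. The 24-hour ceiling, the workload names, and the owner table are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MaxTTL is the longest remaining validity the relying party accepts; an assumed policy value.
const MaxTTL = 24 * time.Hour
// Owners is a constructed inventory mapping workload names to accountable teams.
var Owners = map[string]string{"payments.prod.svc.internal": "payments-team"}
// Issue mints a certificate for name valid for ttl: a self-signed CA when parent is nil,
// otherwise a client-auth leaf signed by parent with the workload name as its DNS SAN.
func Issue(parent *x509.Certificate, parentKey ed25519.PrivateKey, name string, ttl time.Duration) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl)}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Authenticate is the relying-party check at time now: the chain must reach a trusted root,
// the remaining validity must be within policy, and the asserted name must have an owner on record.
func Authenticate(leaf *x509.Certificate, roots *x509.CertPool, now time.Time) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("chain validation failed: %w", err)
	}
	if rem := leaf.NotAfter.Sub(now); rem > MaxTTL {
		return "", fmt.Errorf("remaining validity %s exceeds policy %s", rem, MaxTTL)
	}
	if len(leaf.DNSNames) != 1 || Owners[leaf.DNSNames[0]] == "" {
		return "", fmt.Errorf("no owner on record for %v: orphaned or ambiguous identity", leaf.DNSNames)
	}
	return Owners[leaf.DNSNames[0]], nil
}
```

Expired leaves, over-long lifetimes, leaves from an untrusted issuer, and names absent from the inventory are all rejected before any owner is returned.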

For human users, FIDO reduces phishing risk by removing shared secrets and replayable credentials. For machines, the equivalent control objective is different: establish cryptographic proof of identity, issue it for a defined scope, and revoke it quickly when the asset changes state. That is why current guidance increasingly treats workload identity and certificate lifecycle management as core infrastructure security, not optional hygiene. The same control logic supports zero trust because trust is evaluated at the connection boundary rather than assumed from network location or device presence.

These controls tend to break down when certificate ownership is unclear across many ephemeral services because renewal failures and orphaned certificates are hard to detect before they trigger outages.

Common Variations and Edge Cases

Tighter certificate control often increases operational overhead, so organisations must balance stronger cryptographic assurance against automation cost and legacy compatibility. There is no universal standard for every deployment model yet, and best practice is evolving across browser login, device trust, and workload-to-workload authentication.

One common edge case is hybrid identity estates where FIDO is used for workforce sign-in but certificates are still required for VPNs, admin consoles, Wi-Fi, code signing, and service mesh traffic. Another is regulated or highly integrated environments where PKI already underpins trust chains, making replacement impractical in the near term. In those cases, the right question is not whether FIDO is superior, but whether it covers the actual trust boundary in scope.

NHIMG’s research also shows why CBA remains relevant: machine identity sprawl is now a material risk, and organisations still struggle with certificate lifecycle management at scale. The operational lesson is that passwordless user auth and certificate-based machine auth solve different problems. FIDO reduces user phishing exposure; CBA preserves trust for devices and automated workloads that have no interactive login step. Current guidance suggests using both where each is strongest, rather than forcing one mechanism to do both jobs.

Edge cases become most problematic when short-lived cloud workloads, unmanaged devices, or third-party integrations must authenticate at high frequency because manual certificate operations cannot keep pace.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-03              | Covers certificate lifecycle risk for non-human identities and workloads.
CSA MAESTRO                      | IAM-02              | Addresses machine identity and workload authentication in agentic systems.
NIST CSF 2.0                     | PR.AC-1             | Identity proofing and access control are central to certificate-based authentication.

Track machine certificate issuance, rotation, and revocation as a managed NHI lifecycle control.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org