Most organizations assume having certificates means having strong device identity, but this is a dangerous misconception. The UK NCSC Zero Trust guidance requires unique, verifiable identity for every user, service, and device. Common beliefs—that MDM, ZTNA, or existing certificates cover device identity—are often false. Portable credentials (long-lived, software-stored, manually managed) allow attackers to replay stolen certs undetected, making lateral movement invisible in logs. Strong device identity requires credentials that are unique per device, cryptographically verifiable via X.509, hardware-bound (TPM/secure enclave), short-lived, automatically managed, and fully auditable. Five diagnostic questions help assess posture gaps around certificate lifetime, key binding, automation, coverage, and visibility.
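As an added illustration (not code from the original page or from Smallstep), the following Go program audits a constructed device certificate inventory for two of the portable-credential traits named above: long validity periods and one subject identity reused across several devices. It assumes a hypothetical inventory of parsed X.509 certificates; hardware binding cannot be judged from a certificate alone and is deliberately not checked.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// AuditDeviceCerts flags certificates whose validity period exceeds maxLifetime and
// subject CNs shared by several certificates (one identity reused instead of unique per device).
func AuditDeviceCerts(certs []*x509.Certificate, maxLifetime time.Duration) (findings []string) {
	seen := map[string]int{}
	for _, c := range certs {
		seen[c.Subject.CommonName]++
	}
	for _, c := range certs {
		if life := c.NotAfter.Sub(c.NotBefore); life > maxLifetime {
			findings = append(findings, fmt.Sprintf("serial %s: lifetime %s exceeds %s", c.SerialNumber, life, maxLifetime))
		}
		if n := seen[c.Subject.CommonName]; n > 1 {
			findings = append(findings, fmt.Sprintf("serial %s: CN %q shared by %d certificates", c.SerialNumber, c.Subject.CommonName, n))
		}
	}
	return findings
}

// makeCert builds a constructed self-signed certificate used only as sample inventory data.
func makeCert(serial int64, cn string, lifetime time.Duration) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now().Truncate(time.Second) // X.509 validity times carry second precision
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: now, NotAfter: now.Add(lifetime)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	inventory := []*x509.Certificate{
		makeCert(1, "laptop-0001", 8*time.Hour),        // short-lived and unique: no finding
		makeCert(2, "laptop-0002", 2*365*24*time.Hour), // two-year certificate: long-lived
		makeCert(3, "shared-vpn-cert", 24*time.Hour),   // same CN issued to two devices
		makeCert(4, "shared-vpn-cert", 24*time.Hour),
	}
	fmt.Println(AuditDeviceCerts(inventory, 24*time.Hour))
}
```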
Table of contents
Your Device Identity Is Probably a Liability
The Uncomfortable Truth About Device Identity
Why This Keeps Happening
What Breaks When Device Identity Is Portable
Visualizing the Architecture Gap
What Strong Device Identity Actually Requires
How Smallstep Closes the Gap
Evaluate Your Device Identity Posture
Next Steps