The NCSC requires unique, verifiable device identity for Zero Trust. Most organizations think certificates cover it. Here's why that assumption is a liability.

Smallstep's resource offers insights, tutorials, and resources for developers and security professionals interested in authentication and authorization technologies, such as OAuth, OpenID Connect, and Zero Trust security. Readers can learn about secure authentication practices, identity management, and secure communication protocols. With articles, tutorials, and documentation, Smallstep provides  guidance and expertise for implementing robust and secure authentication solutions.

Smallstep

Most organizations assume having certificates means having strong device identity, but this is a dangerous misconception. The UK NCSC Zero Trust guidance requires unique, verifiable identity for every user, service, and device. Common beliefs—that MDM, ZTNA, or existing certificates cover device identity—are often false. Portable credentials (long-lived, software-stored, manually managed) allow attackers to replay stolen certs undetected, making lateral movement invisible in logs. Strong device identity requires credentials that are unique per device, cryptographically verifiable via X.509, hardware-bound (TPM/secure enclave), short-lived, automatically managed, and fully auditable. Five diagnostic questions help assess posture gaps around certificate lifetime, key binding, automation, coverage, and visibility.

Device Identity and NCSC Zero Trust Guidance | Smallstep

Your Device Identity Is Probably a Liability

The Uncomfortable Truth About Device Identity

What Breaks When Device Identity Is Portable

What Strong Device Identity Actually Requires