The idea of quantum computing breaking modern cryptography used to sound like science fiction: distant, dramatic, and hypothetical. Nevertheless, recent advancements in quantum research have made this threat more tangible. Therefore, the question is no longer whether it will happen, but when. And if you are responsible for managing digital identities, then it’s your problem.
This isn't just about futureproofing. It’s about trust. When quantum computers break current cryptographic algorithms like RSA and ECC, authentication mechanisms that rely on them will instantly become untrustworthy. When trust collapses, everything built on top of it collapses too. As a result, organizations must begin planning for crypto-agility and post-quantum cryptography (PQC) readiness. This is not just a technical hurdle. It is a strategic and business-critical challenge that requires long-term thinking and executive-level attention.
A Problem Wrapped in an Opportunity
The shift to quantum-resistant cryptography is not easy. It requires testing unfamiliar algorithms, updating identity infrastructures, retraining teams, and coordinating vendors. But it also presents a rare opportunity: to clean up what’s been duct-taped together over the past two decades.
Most organizations still rely on legacy mechanisms, including passwords, hardcoded secrets, and static keys. However, with the transition to PQC, there's an opportunity to adopt modern authentication techniques, such as passkeys, short-lived credentials, and stronger authentication mechanisms, alongside the cryptographic upgrade. Setting the direction for this shift is the National Institute of Standards and Technology (NIST).
What Is NIST and Why It Matters for PQC
NIST is an agency of the United States Department of Commerce. Since 2016, the organization has led a long-term initiative known as the PQC Standardization Project. The goal is straightforward but urgent: identify and standardize cryptographic algorithms that can withstand attacks from quantum computers. These algorithms must be strong enough to replace vulnerable systems like RSA and ECC, which quantum algorithms could break once quantum hardware becomes powerful enough.
NIST launched the PQC project with a global call for candidate algorithms. Over 80 proposals were submitted for evaluation. After several rounds of cryptographic review and community feedback, NIST selected a core group of finalists.
In August 2024, NIST finalized and published the first three post-quantum cryptographic standards:
- FIPS 203: Based on the ML-KEM algorithm, designed for general-purpose encryption.
- FIPS 204 and FIPS 205: Two digital signature schemes that serve as replacements for RSA and ECC-based authentication mechanisms.
And in March 2025, NIST chose a new algorithm for post-quantum encryption called HQC. It serves as a backup for ML-KEM, the main algorithm for general encryption. Unlike ML-KEM, which is built on structured lattices, HQC relies on error-correcting codes: a fundamentally different mathematical foundation. This distinction is intentional. If future cryptanalysis exposes a vulnerability in ML-KEM, HQC offers an independent safeguard. NIST plans to publish a draft standard for HQC within the next year, with formal standardization expected by 2027.
In the United States, the advice of NIST, though precise and valuable, remains advisory, a guide, not a command. In contrast, the European Union’s approach, while less explicit about PQC, is anchored in risk-based regulation. And as PQC becomes the new standard for cryptographic resilience, failure to adopt it may increasingly be interpreted as non-compliance.
Looking Ahead
Due to industry realities such as legacy systems, hybrid environments, compliance pressures, and limited crypto agility, a more pragmatic approach is emerging. One that provides a more realistic organizational approach which accounts for practical constraints that NIST’s guidance doesn’t fully address.
In theory, both paths include inventorying systems, running pilots, and transitioning to PQC over time. However, in practice, most organizations are still in early awareness stages, have deep entanglement with legacy systems, and face fragmented vendor ecosystems that aren’t yet fully PQC-ready.
A more realistic roadmap addresses these frictions. It calls for longer hybrid periods, phased integration, and early focus on crypto agility rather than full migration. By 2030, a complete transition to PQC may be achievable, but only for those who start today. Q Day won’t announce itself with a headline. But your IAM infrastructure should be able to withstand it without one.
Comments ( 0 )