Who’s ready for the identity challenge arising from quantum computing, asks Suman Sharma, Head of PAM Engineering at Ping Identity.
Breakthroughs that once lived in research papers now appear on corporate roadmaps, and with every gain in qubit count and error correction, we edge closer to a world where today's encryption can no longer keep secrets safe. That's why the UK's National Cyber Security Centre (NCSC) has set 2035 as the target date for moving to post-quantum cryptography (PQC), a new class of encryption designed to resist quantum attack. A decade to prepare defences and protect data and digital identities might sound manageable, until you consider what's needed: rebuilding how organisations issue digital certificates, replacing hardware that can't run the new algorithms, renewing millions of keys and upskilling entire teams.
If organisations miss a couple of planning cycles, they'll meet the future running uphill. Attackers know this. Their tactic is blunt but effective: steal encrypted data now and store it until quantum machines can break it. Sensitive data such as the personally identifiable information in health records, intellectual property and long-term financial transactions will retain value for decades, which is exactly why attackers are stealing it today, even if they can't decrypt it yet. This approach, known as "harvest now, decrypt later", assumes that future quantum systems will be able to break today's encryption with ease. So a breach that seems dormant in 2025 could suddenly expose sensitive data in 2030, or sooner.
The question is no longer if current identity infrastructures will be broken, but when. Patience, not skill, is now the attacker's greatest asset. All data still protected by outdated encryption is a ticking clock, so it's critical that organisations design infrastructure with quantum resilience baked in.
Identity's Achilles' heel
Digital identity systems are especially vulnerable to quantum threats. That's because most authentication systems, from online banking apps to hospital smartcards, rely on public-key cryptography. This approach uses two mathematically linked keys: one public, one private. Its security rests on mathematical problems so difficult that classical computers would take millions of years to solve them. A quantum computer could do it in hours.
If attackers extract a private key, they can impersonate legitimate users or systems. They could forge digital signatures to authorise fraudulent transactions, push malware through fake software updates, or pose as trusted certificate authorities, all without triggering password checks or multi-factor alerts.
The consequences ripple fast. In finance, a forged signature could green-light a million-pound transfer. In healthcare, a fake clinician's ID might unlock confidential patient records. In government, spoofed credentials could allow malware to pass unnoticed through software supply chains. Because trust radiates from a handful of "root" keys, compromising just one can silently undermine everything downstream. So how is this risk being handled by institutions, and how effectively?
On paper, we already have replacement tools. The US National Institute of Standards and Technology (NIST) has selected algorithms like Kyber and Dilithium, specifically designed to resist quantum attacks. But adoption is slow.
Senior leaders often see quantum risk as distant, underestimating the time required to upgrade systems once budgets, vendor contracts and staff training are taken into account. With limited awareness and urgency, security funds tend to flow towards more immediate threats like ransomware, and quantum projects slip down the roadmap.
Technical hurdles add more friction. Legacy hardware security modules can't handle larger key sizes, mobile devices have limited memory and many cloud platforms lock in which cipher suites they support. Even locating all the cryptographic keys across an organisation is tough; some are embedded in build pipelines, others in dusty admin portals or devices running decades-old firmware.
Until organisations surface these blind spots and modernise their infrastructure, the window of vulnerability remains wide open. The longer migration is delayed, the more data is exposed to "harvest now, decrypt later" tactics, and the harder it becomes to mount a coordinated response. What's needed is a practical roadmap for quantum resilience: not just theory, but architecture, culture and planning that can survive the transition.
From principles to progress: building quantum resilience
Designing for quantum resilience means baking in flexibility before systems are stress-tested by real-world attacks. That starts with rethinking how encryption is applied, where trust resides and how upgrades are deployed.
1. Build crypto-agility in by design: Treat cryptography modules like a plug-in, not hard-wired logic. Store clear labels with each key (the algorithm used, expiry date and usage context) so mass updates can be scripted rather than rolled out by hand.
2. Layer your defences: Pair strong symmetric ciphers like AES-256 with quantum-safe asymmetric algorithms (e.g. ML-KEM), and use protocols that support hybrid handshakes. If one layer fails, another keeps data secure.
3. Decentralise trust: Emerging models such as decentralised identifiers, soon to be formalised under the EU's eIDAS 2.0 regulation, reduce dependence on a single certificate authority. Each party in a transaction can upgrade at its own pace, allowing the ecosystem to evolve without bottlenecks.
4. Make it cultural: Security champions should embed quantum topics into developer onboarding. Product teams should treat post-quantum readiness like performance or accessibility: a non-negotiable. Procurement should press vendors for public plans and timelines for quantum-safe cryptography support.
Then, you should turn theory into practice. Every programme must start with visibility. Security teams need to audit the estate, physical and virtual, to identify every certificate authority, signing key and cryptographic library. Capturing this in a live registry transforms an abstract risk into concrete tasks.
Finally, once a year, run a "crypto rotation day", regenerating and redeploying all identity keys. It tests which systems fail, how recovery scripts behave and whether alerts fire as intended, giving you the evidence to shape resourcing and timelines.
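The labelled key registry, the scripted migration worklist and the rotation-day drill described above, as an added example that is not part of the original article. The algorithm classification table, the record fields and the `rotate` callback convention are assumptions made for the illustration, and the 2035 horizon is the NCSC target the article cites.

```python
from dataclasses import dataclass

# Constructed lookup (assumption, not from the article): public-key families
# Shor's algorithm breaks, and the NIST replacements the article names.
SHOR_BREAKS = {"RSA", "DSA", "ECDSA", "ECDH", "DH"}
PQC_REPLACEMENT = {"encrypt": "hybrid ML-KEM", "sign": "ML-DSA"}
PQC_HORIZON_YEAR = 2035  # NCSC migration target cited in the article

@dataclass
class KeyRecord:
    key_id: str
    algorithm: str
    purpose: str              # "encrypt" (confidentiality/key agreement) or "sign"
    expires: str              # ISO date label, e.g. "2027-01-01"
    data_lifetime_years: int  # how long the protected data must stay secret

def exposure(rec: KeyRecord, today_year: int) -> str:
    """Classify one registry entry as 'safe', 'hndl', 'vulnerable' or 'unknown'."""
    if rec.algorithm.startswith(("ML-KEM", "ML-DSA", "AES-256")):
        return "safe"
    if rec.algorithm not in SHOR_BREAKS:
        return "unknown"  # surfaced for manual inventory, never silently skipped
    # Ciphertext that must stay secret past the horizon can be harvested now and
    # decrypted later, so it outranks a key that merely needs rotating.
    if rec.purpose == "encrypt" and today_year + rec.data_lifetime_years >= PQC_HORIZON_YEAR:
        return "hndl"
    return "vulnerable"

def migration_plan(registry, today_year):
    """Scriptable worklist: highest-risk keys first, each with a concrete action."""
    order = ["hndl", "vulnerable", "unknown", "safe"]
    plan = []
    for rec in registry:
        level = exposure(rec, today_year)
        fixed = {"safe": "none", "unknown": "identify algorithm and classify"}
        action = fixed.get(level, f"replace with {PQC_REPLACEMENT[rec.purpose]} before {rec.expires}")
        plan.append((rec.key_id, level, action))
    return sorted(plan, key=lambda p: order.index(p[1]))  # stable: registry order within a level

def rotation_drill(registry, rotate):
    """Crypto rotation day: regenerate every key via rotate(rec) and record what broke."""
    report = {"rotated": [], "failed": []}
    for rec in registry:
        try:
            rotate(rec)
            report["rotated"].append(rec.key_id)
        except Exception as err:  # the failures are the evidence the drill exists to produce
            report["failed"].append((rec.key_id, str(err)))
    return report
```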
The clock is ticking
Quantum computing is a long-fuse, high-impact risk, but the fuse is already burning. For identity systems built on public-key cryptography, the danger is no longer theoretical. The maths that once secured our logins, signatures and digital certificates is now on borrowed time.
What's needed is not panic, but preparation. By redesigning identity infrastructure to be crypto-agile, layering protections and decentralising trust, organisations can reduce exposure before the threat arrives. The quantum problem may be complex, but the response doesn't have to be, provided it starts now.