Credential Maturity Ladder

The Credential Maturity Ladder framework outlines nine stages of access security maturity, from fully phishable, user-managed passwords without MFA (Level 1) to fully encrypted, segmented, and governed infrastructures with IP and device restrictions (Level 9). It helps organizations benchmark their current state and chart a path towards an unphishable, zero-trust credential architecture, which matters for compliance, resilience, and cyber-insurance alignment.

Level 9 Full Ecosystem Segmentation + IP/Device Restrictions + Governance + 2FA = Maximum Security
Adds device and IP restrictions on top of Level 8. Access is allowed only from approved devices or approved network locations, so even a valid credential used with a second factor is refused from an unknown device or location.

Level 8 Full Ecosystem Segmentation + Governance + 2FA for critical systems
All critical systems require a second factor (2FA/MFA) on top of access segmentation, encryption, and governance. A credential that is stolen or exposed is not, on its own, enough to log in to a critical system.

Level 7 Full Ecosystem Segmentation + Governance
Adds a governance layer. All access is logged and auditable: who accessed what, when, and from where.

Level 6 Full Ecosystem Segmentation
All credentials are encrypted for employees, third parties, and machines. Internal systems such as servers and APIs are isolated as well. Breach containment is enforced across the full ecosystem, not just user-facing applications.

Level 5 Encrypted + Segmented + Third Party Protection
Employees and third parties use encrypted, unphishable credentials. Third parties access systems securely via the MyCena® app or encrypted APIs. No one, internal or external, sees a password.

Level 4 Encrypted + Segmented for Employees
Employee credentials are encrypted, auto-filled and unphishable, and each app or system is accessed with its own isolated credential. A breach in one app does not affect the others.

Level 3 Unphishable: Encrypted for Employees (No Segmentation)
Employees can no longer see their passwords, which are encrypted, auto-filled and unphishable. However, all apps are still grouped together behind SSO, IAM, or PAM, so a breach of that single point of access can spread to every app behind it.

Level 2 Phishable, With MFA
Passwords are still visible to the people who use them, but MFA is enabled on important systems. Credentials remain phishable; this is only slightly better than Level 1.

Level 1 Phishable, No MFA
All passwords are visible to employees and suppliers, and no multi-factor authentication (MFA) is in place. Credentials are easy for attackers to steal, sell, and reuse.