
Identity for Automotive

Primary requirements
  • Workforce and dealer/partner identity at scale
  • Connected-vehicle and device identity (PKI at fleet scale)
  • Customer identity for owner apps and in-car services
  • Secure over-the-air update authorization
Regulatory floor
  • UNECE WP.29 R155
  • ISO/SAE 21434
  • GDPR
  • CCPA

The job identity does in automotive

Automotive identity spans three very different populations at once: employees and a sprawling dealer and supplier network, the connected vehicles and devices themselves, and the consumers who use owner apps and in-car services. The distinctive and fastest-growing part is machine identity: every connected car, ECU, and backend service needs cryptographic identity and certificate lifecycle at fleet scale, often across a vehicle lifetime measured in decades.

The regulatory and compliance floor

UNECE WP.29 R155 requires a certified cybersecurity management system for vehicle type approval, and ISO/SAE 21434 sets the engineering practices behind it. Owner and telematics data falls under GDPR and CCPA. The practical effect is that vehicle PKI, secure over-the-air updates, and auditable access to manufacturing and telematics systems are mandatory, not optional.

The threat landscape here

Connected vehicles expand the attack surface dramatically, opening the way to compromised telematics backends, forged firmware updates, and stolen credentials for manufacturing and dealer systems. Long-lived vehicle certificates that are never rotated, and over-permissioned dealer access, are recurring weak points.

What good looks like

  • Strong workforce IAM with federated, time-bound access for dealers and suppliers.
  • A scalable PKI and certificate lifecycle program for vehicles, ECUs, and services, with automated rotation and revocation.
  • CIAM for owner apps with privacy and consent built in.
  • PAM for plant-floor and telematics backends.

Vendors and fit

Workforce and dealer identity fit Microsoft Entra or Okta; vehicle and device PKI fits Keyfactor and its peers in the PKI category.

Common pitfalls

  • Treating vehicle PKI as one-time issuance rather than a decades-long lifecycle.
  • Letting the dealer and supplier network accumulate standing access with no governance.
  • Bolting consumer identity on late, after privacy obligations are already in scope.

Where it is heading

Software-defined vehicles will make machine identity and certificate automation central, and regulatory pressure from WP.29 will keep raising the bar on auditable access across the supply chain.
