News Article · Jun 29, 2026 at 12:39 PM
Post-Quantum Cryptography Migration Must Start With Credentials, Experts Warn


Security researchers argue that post-quantum cryptography migration should begin with credentials, especially long-lived machine identities, as attackers can store encrypted traffic now and decrypt it when quantum computers arrive.


The window for organizations to overhaul their cryptography before quantum computers break current encryption is narrowing, and security experts are urging a credentials-first approach to the migration. A growing consensus holds that the risk centers on long-lived secrets such as service accounts and API keys, which attackers can capture today and decrypt years from now. Federal deadlines compound the urgency.

The Global Risk Institute's 2025 Quantum Threat Timeline report found that 51% to 70% of security specialists surveyed believe a cryptographically relevant quantum computer is likely within 15 years. Given that full enterprise transitions can take 5 to 15 years, starting from a discovery phase that alone spans one to two years in large organizations, the time to act is now.

Credentials carry outsized risk in a post-quantum future

Not all encrypted data carries the same exposure. Session tokens have a confidentiality lifetime measured in months, but credentials such as machine identities can persist for years or as long as the associated systems remain in service. This makes them prime targets for the “Harvest Now, Decrypt Later” tactic, in which attackers snatch encrypted traffic now, store it, and decrypt it once quantum capabilities mature.

  • Non-Human Identities, like service accounts and API keys, are frequently long-lived because no human rotates them, and they often lack cryptographic inventory.
  • NSA’s Commercial National Security Algorithm Suite 2.0 mandates that new national security systems support quantum-resistant algorithms starting January 1, 2027, with full quantum resistance expected by 2035.
  • NIST draft IR 8547 deprecates RSA-2048 and ECC P-256 after 2030 and disallows them entirely after 2035.
  • Federal deadlines for PQC readiness from the executive order fall in 2030 and 2031, leaving CISOs with a multi-year transformation program most have not started.

Steps for a credentials-first quantum migration

To address the concentrated risk, organizations should begin their quantum migration with credentials. The first step is inventorying existing cryptography by finding systems that hold or broker secrets: password managers, secrets managers, and Privileged Access Management (PAM) platforms. This phase often uncovers forgotten service accounts, hardcoded secrets, or dormant integrations.

Next, prioritize risk over size. A small, long-lived secret that brokers access to critical systems outweighs a vast but short-lived dataset. This ensures the credentials most vulnerable to harvest-now attacks are secured first. Organizations should then adopt hybrid cryptography, combining a classical algorithm with a quantum-resistant one in the same key exchange. This protects against both today’s attackers and future quantum threats without betting on a single unproven algorithm.

Finally, build for crypto-agility. Algorithms will be deprecated and replaced. A flexible cryptographic infrastructure that allows swapping algorithms without rebuilding systems will reduce the burden of future migrations. With federal deadlines looming and attackers already harvesting data, starting now with credentials is the pragmatic path forward.
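The inventory and "risk over size" steps above can be sketched as a triage script. This is an added example, not code from the article or its sources: the record fields, algorithm labels, weights and sample inventory are assumptions, and only the 2030 and 2035 years come from the article.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Years from the article's summary of NIST draft IR 8547.
DEPRECATED_AFTER, DISALLOWED_AFTER = 2030, 2035
QUANTUM_VULNERABLE = {"RSA-2048", "ECC-P256"}  # assumed inventory labels

@dataclass
class Secret:
    name: str
    algorithm: str            # algorithm protecting the secret in transit
    expires: Optional[date]   # None: no rotation or expiry is configured
    critical: bool            # brokers access to critical systems
    size_mb: float            # kept in the inventory, deliberately not scored

def last_valid_year(s: Secret) -> int:
    # Assumption: a secret nobody rotates outlives the 2035 disallow date.
    return s.expires.year if s.expires else DISALLOWED_AFTER + 1

def tier(s: Secret) -> str:
    if s.algorithm not in QUANTUM_VULNERABLE:
        return "ok"
    end = last_valid_year(s)
    if end > DISALLOWED_AFTER:
        return "valid-past-disallow"
    if end > DEPRECATED_AFTER:
        return "valid-past-deprecation"
    return "expires-before-deprecation"

def score(s: Secret, as_of: date) -> int:
    # Years a harvested secret stays usable, weighted by criticality (assumed weights).
    years = max(0, last_valid_year(s) - as_of.year)
    return 0 if tier(s) == "ok" else years * (3 if s.critical else 1)

def migration_order(inventory, as_of):
    ranked = sorted(inventory, key=lambda s: score(s, as_of), reverse=True)
    return [(s.name, tier(s), score(s, as_of)) for s in ranked]

# Constructed sample inventory (not real systems).
INVENTORY = [
    Secret("session-archive", "ECC-P256", date(2026, 12, 31), False, 500_000.0),
    Secret("ci-deploy-api-key", "RSA-2048", None, True, 0.001),
    Secret("billing-svc-account", "ECC-P256", date(2032, 6, 30), True, 0.002),
    Secret("vault-unseal-share", "ML-KEM-768", None, True, 0.001),
]

if __name__ == "__main__":
    print(*migration_order(INVENTORY, date(2026, 6, 29)), sep="\n")
```

The never-rotated API key ranks first and the 500 GB session archive ranks near the bottom, because size is recorded but never enters the score.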

Fact check

  • The Global Risk Institute's 2025 Quantum Threat Timeline report found that 51% to 70% of security specialists believe a cryptographically relevant quantum computer is likely within 15 years. (verified)
  • NSA's Commercial National Security Algorithm Suite 2.0 requires new national security systems to support quantum-resistant algorithms starting January 1, 2027, with full quantum resistance expected by 2035. (verified)
  • NIST draft IR 8547 deprecates RSA-2048 and ECC P-256 after 2030 and disallows them entirely after 2035. (verified)
  • Federal deadlines for PQC readiness from the executive order fall in 2030 and 2031. (reported)
