Great article. All of your internal authentication should be using certificates. Web auth, Wifi, VPN, SSH

In the late 90s we came close to having this for the public internet as well but it never caught on. We paid the price with endless breaches and unmanageable credentials.