1Kosmos funding signals rising demand for verified digital identity

At a glance

What this is: 1Kosmos frames its $57M Series B as evidence that verified digital identity and passwordless authentication are gaining market traction.

Why it matters: IAM teams should read this as another signal that identity proofing, authentication, and lifecycle controls are becoming core security design choices across human, NHI, and autonomous programmes.

By the numbers:

• 1Kosmos announced $57M in Series B funding, bringing total funding to $72M.
• $194.5M.

👉 Read 1Kosmos' funding update on verified digital identity and passwordless authentication

Context

Verified digital identity sits at the junction of authentication, identity proofing, and fraud resistance. As passwords, shared credentials, and fragmented checks become easier to abuse, programmes that rely on static trust assumptions lose effectiveness across human identity, machine identity, and emerging autonomous workflows.

This funding round matters because it reflects where practitioners are being forced to invest: stronger identity assurance, better user binding, and more usable access controls. The article also points to a broader market shift in which zero trust and identity verification are no longer separate conversations, but linked design decisions.

Key questions

Q: How should security teams evaluate passwordless authentication in high-risk environments?

A: They should evaluate passwordless on the strength of the identity proofing, device binding, recovery, and step-up controls around it. A passwordless flow that is easy to reset or rebind can still be abused. The key test is whether the programme reduces impersonation risk without creating weaker fallback paths that attackers can exploit.

Q: Why do identity proofing and authentication need to be governed together?

A: Because authentication only confirms a claimed identity that was created earlier in the lifecycle. If proofing is weak, the login process can faithfully authenticate the wrong subject. Security teams need one governance model that covers enrollment, verification, credential issuance, and ongoing trust rather than treating those as separate problems.

Q: When should organisations prioritise stronger identity verification over simpler login friction reduction?

A: They should prioritise stronger verification when account takeover, fraud, or regulated access are material risks. Reducing friction is valuable, but not if it weakens the assurance needed to trust the subject. The right balance depends on whether the identity controls are protecting low-risk user convenience or high-trust access.

Q: What is the difference between passwordless authentication and identity proofing?

A: Passwordless authentication changes how a user proves possession at sign-in, while identity proofing establishes who that user is before credentials are issued. One is an access ceremony, the other is a trust foundation. Organisations need both, because removing passwords does not compensate for weak enrollment or recovery processes.

Technical breakdown

Why passwordless identity verification is becoming a control layer

Passwordless authentication reduces dependence on reusable secrets, but it only works as a control layer when identity proofing is strong enough to bind the user to the credential. In practice, that means the authentication ceremony, device trust, and fraud resistance all have to line up. If the proofing step is weak, passwordless simply moves the attack surface rather than shrinking it.

Practical implication: review whether passwordless deployments are backed by durable proofing and step-up checks, not just a different login method.

How FedRAMP and NIST 800-63-3 shape identity assurance

FedRAMP High and NIST 800-63-3 point to a stricter model of identity assurance, where authentication strength, proofing, and lifecycle governance all matter. For security teams, the real issue is not certificate-style compliance on its own, but whether the identity process can withstand account takeover, replay, and impersonation pressure in regulated environments.

Practical implication: align regulated identity programmes to assurance outcomes, not to isolated control checklists.

Why fraud pressure is pushing identity to the perimeter

The article reflects a common industry pattern: identity has become the place where fraud, access, and trust converge. That shift matters because account takeover is no longer just an authentication problem. It is a governance problem that spans who can be enrolled, how they are verified, and how access remains bound to the right subject over time.

Practical implication: treat identity proofing and access governance as one operating model, not separate teams with disconnected controls.

NHI Mgmt Group analysis

Verified identity is becoming a core security control, not just an access experience. The funding round signals that buyers now see identity proofing and passwordless authentication as part of security architecture, not a user convenience layer. That matters because fraud resistance and access control are converging in the same control plane. Practitioners should treat identity assurance as a design requirement for both human access and machine-mediated workflows.

The market is rewarding identity vendors that can connect assurance, usability, and governance. The article links funding to FedRAMP High, NIST 800-63-3, Microsoft integration, and government procurement. That combination tells us the category is moving beyond point solutions toward programmes that can survive regulated deployment, enterprise scale, and cross-environment trust requirements. Security teams should re-evaluate whether their own identity stack can support that same breadth.

AI-driven fraud is turning identity proofing into a continuous trust problem. The article’s fraud-crisis framing is directionally correct because deepfake-enabled impersonation weakens one-time verification models. Identity programmes that assume the subject is stable after enrollment are increasingly brittle. The implication is that verification, re-checking, and behavioural signals need to be treated as ongoing governance decisions rather than one-off onboarding steps.

Digital identity now sits on the same strategic map as NHI and autonomous access. When organisations improve human identity assurance, they also reduce the gap attackers exploit to pivot into service accounts, delegated workflows, and AI-assisted operations. That cross-domain view is where identity programmes gain leverage. Practitioners should stop separating human IAM, NHI governance, and emerging agent identity into disconnected workstreams.

From our research:

• 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
• 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
• That is why the 52 NHI Breaches Analysis is the right next resource for understanding how identity failures cascade into real incidents.

What this signals

Verified identity will increasingly be judged by whether it holds up across the full lifecycle, not just at login. Teams that focus only on authentication events will miss the practical question: can a subject be reverified, recovered, and governed without opening a weaker path? That is the real programme test as identity becomes a frontline control for fraud, regulated access, and machine-mediated use cases.

With 79% of organisations reporting secrets leaks in our research, the broader lesson is that trust failures rarely stay isolated to one identity layer. Human identity, NHI governance, and emerging agent access all depend on the same assurance assumptions, so a weak recovery path or over-permissive binding model can quickly spread risk across programmes.

Identity assurance debt: this is the growing gap between how confidently organisations think they know a subject and how much evidence they actually retain over time. The term matters because it captures why static verification models fail when fraud tactics evolve and why lifecycle controls and verification need to be designed together. Security leaders should treat this as a programme-level risk, not a feature request.

For practitioners

• Reassess identity proofing strength Validate whether enrollment, recovery, and step-up checks can resist impersonation, replay, and social engineering. Focus on the points where a trusted identity is created or re-established, not only on day-to-day login flows.
• Map passwordless to assurance outcomes Do not treat passwordless as a standalone programme. Tie it to device binding, fraud detection, and lifecycle controls so that weaker recovery paths do not undo the benefit of stronger sign-in.
• Review regulated identity dependencies If your programme operates in regulated or public-sector contexts, test whether FedRAMP High and NIST 800-63-3 requirements are reflected in operational design, not just in audit documentation.
• Align human and machine trust models Use this kind of identity investment news as a cue to examine where human identity assurance, service account governance, and emerging agent access are still managed as separate control domains.

Key takeaways

• The round signals that identity proofing and passwordless authentication are now treated as security infrastructure, not just user experience.
• The evidence points to a market where regulated assurance, fraud resistance, and enterprise usability must be designed together.
• Security teams should use this trend to re-check enrollment, recovery, and lifecycle governance across human and non-human identity programmes.

Key terms

• Identity Proofing: Identity proofing is the process of establishing that a person or subject is who they claim to be before credentials are issued or trust is granted. In practice, it combines evidence collection, verification, and risk checks so that later authentication is tied to a credible subject, not just a successful login event.
• Passwordless Authentication: Passwordless authentication is a sign-in method that removes reusable passwords and replaces them with stronger factors such as device binding, cryptographic keys, or biometrics. It improves resistance to phishing and credential theft, but only if recovery, enrollment, and step-up verification are equally strong.
• Identity Assurance: Identity assurance is the confidence an organisation has that a subject was correctly identified, verified, and bound to the right credentials over time. It is not a single control. It is the combined outcome of proofing, authentication, recovery, and lifecycle governance working together.
• Verified Digital Identity: Verified digital identity is a digitally represented identity that has been checked against evidence and bound to an access credential with a defined assurance level. It matters because access decisions depend on whether the organisation can trust the subject behind the credential, especially when fraud and impersonation are increasing.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by 1Kosmos: $57M Series B funding and the company's digital identity outlook. Read the original.