By NHI Mgmt Group Editorial Team
Published 2024-02-06
Domain: Governance & Risk
Source: 1Kosmos

TL;DR: State-backed intrusion campaigns and identity abuse are exposing the limits of passwordless-only thinking, with the article arguing that organisations still need stronger identity verification at every login for customers, workers and citizens. The governance gap is that authentication modernisation fails when it is treated as a feature rather than an identity discipline.


At a glance

What this is: A vendor-authored analysis argues that rising espionage and credential abuse show why passwordless authentication must be paired with identity verification and broader IAM governance.

Why it matters: It matters because IAM teams need to design for real-world authentication diversity, not assume one passwordless path will cover human, machine and remote access needs.

👉 Read 1Kosmos's analysis of passwordless identity verification and cyber espionage risk


Context

Identity security breaks down when organisations treat passwordless authentication as a complete strategy rather than one control within a broader identity programme. The underlying problem is not just weak passwords, but the many authentication use cases that still rely on fallback paths, inconsistent assurance levels and unmanaged exceptions across enterprise environments.

The article frames current espionage activity and account abuse as evidence that identity verification still has to happen at the point of access. That challenge spans human IAM first, but it also matters to NHI governance wherever credentials, service access or remote login paths become the open door attackers use.

The practical issue for practitioners is coverage. A modern IAM programme has to account for platforms, devices and workflows that do not all support the same authentication method, while preserving assurance and reducing technical debt.


Key questions

Q: How should organisations handle passwordless authentication when not every system supports it?

A: Treat passwordless as the preferred path, not the only path. Map every application, device class and remote-access flow that still needs an exception, then assign an assurance level and compensating control to each one. The goal is to prevent fallback methods from becoming permanent weak points in the identity programme.

Q: Why do identity verification and passwordless access need to be linked?

A: Passwordless reduces secret-based attacks, but it does not prove who received the credential in the first place. Identity verification links the credential to a verified person before authentication begins, which strengthens onboarding, recovery and high-risk access. Without that linkage, attackers can still exploit enrolment and reset weaknesses.

Q: What do teams get wrong about passwordless rollouts?

A: They often focus on removing passwords from the primary login flow while leaving legacy systems, exceptions and recovery paths untouched. That creates a split model where strong authentication exists in some places and weaker trust assumptions persist elsewhere. A successful rollout measures assurance consistency, not just adoption numbers.

Q: Who is accountable when authentication exceptions become permanent?

A: Accountability should sit with the identity, security and application owners who approved the exception, because they own the residual risk. If the exception remains in place, it needs a named business justification, a compensating control and a review date. Without that, the exception becomes an unmanaged access path.


Technical breakdown

Why passwordless MFA still leaves authentication gaps

Passwordless MFA removes password reuse and phishing exposure, but it does not remove every trust problem in authentication. Enterprises still have to support legacy systems, VPNs, domain controllers, mixed operating systems and environments where device enrolment or mobile use is not practical. When passwordless is implemented as a partial overlay instead of a full access architecture, the result is fragmented assurance and fallback credentials that attackers can still target.

Practical implication: map every authentication path, including fallback and exception flows, before declaring passwordless coverage complete.

Identity verification as the control that precedes authentication

Identity verification establishes who the user or operator is before the credential is issued or used, which is different from simply checking a secret at login time. In the article's framing, identity proofing plus liveness creates a stronger starting point for passwordless access because the credential is bound to a verified identity event. That matters in high-risk onboarding, recovery and first-login scenarios where possession alone is not enough to establish trust.

Practical implication: place stronger proofing and liveness checks at issuance, recovery and first access, not only at routine sign-in.

Why authentication diversity is a governance problem, not a UX problem

The article points to a broad enterprise reality: one authentication method rarely fits every application, device or workforce segment. That diversity is not just a usability issue; it is a governance issue, because each exception creates a different assurance level and a different attack surface. If the identity stack cannot accommodate macOS, Linux, browser-only users and restricted endpoints in a controlled way, then the programme will accumulate technical debt and inconsistent policy enforcement.

Practical implication: catalogue authentication exceptions as governance assets and risk decisions, not as ad hoc support tickets.


Threat narrative

Attacker objective: The attacker seeks trusted access that can be reused for espionage, data theft or broader lateral movement without triggering strong identity controls.

  1. Entry occurs through identity compromise, phishing or credential abuse rather than a purely technical exploit, with attackers targeting login paths that still depend on weak or fallback authentication.
  2. Escalation follows when the attacker reaches accounts, systems or services protected by inconsistent assurance, allowing them to operate inside trusted workflows as if they were legitimate users.
  3. Impact is realised through espionage, data exposure or persistence in enterprise environments where the open door was not closed at the identity layer.



NHI Mgmt Group analysis

Passwordless authentication is not a governance endpoint. The article is right to separate passwordless as a feature from identity as a business challenge. Passwordless reduces one class of credential abuse, but it does not solve assurance design across every platform, recovery path or exception flow. The implication is that IAM programmes must judge authentication by coverage and assurance consistency, not by whether passwords have disappeared from the primary login experience.

Identity verification at issuance is where trust is created, not merely checked. The strongest part of the argument is that passwordless credentials are only as strong as the identity event that produces them. If proofing, liveness and recovery controls are weak, then the authentication layer inherits bad trust assumptions from the start. Practitioners should treat issuance and re-enrolment as high-risk control points, because that is where attacker leverage is converted into durable access.

Authentication sprawl is a hidden governance debt. Mixed platform support, browser-only journeys and restricted devices create a long tail of exceptions that many organisations never model explicitly. That long tail becomes a governance blind spot when policy is written for the ideal path but enforcement happens across many real paths. Security teams should read that as a sign that identity architecture, not just login tooling, determines whether access control is actually enforceable.

Human IAM and NHI governance now fail in the same way when trust is assumed instead of proven. The article is about human login use cases, but the lesson extends to all identity programmes: when access is granted because a flow exists rather than because identity was verified to the required assurance level, attackers exploit the gap. For practitioners, that means the boundary between human authentication governance and broader identity security is thinner than many programmes assume.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
  • If access visibility is incomplete, the Ultimate Guide to NHIs, Key Challenges and Risks is the right next step for understanding how discovery gaps turn into governance failures.

What this signals

Authentication sprawl: The real programme risk is not whether passwordless exists, but whether every user, device and application path can be governed to the same assurance standard. Teams that cannot model exceptions will keep inheriting hidden access debt, especially where legacy infrastructure and remote access remain in play.

With 1 in 4 organisations already investing in dedicated NHI security capabilities, according to The State of Non-Human Identity Security, identity teams should expect the boundary between human authentication and machine access governance to keep narrowing.

That makes lifecycle ownership more important, not less. Access issuance, recovery and exception approval need explicit control ownership, otherwise passwordless programmes can look mature while quietly leaving the hardest identities outside policy coverage.


For practitioners

  • Map all authentication fallback paths: Inventory every route that bypasses the preferred passwordless journey, including legacy systems, VPNs, shared devices and exception-based access flows. Classify each path by assurance level, owner and business criticality so that high-risk exceptions can be removed or re-engineered.
  • Move identity proofing earlier in the lifecycle: Apply stronger identity verification, including liveness where appropriate, at account issuance, recovery and first access. This reduces the chance that a weak enrolment or reset process becomes the easiest route into otherwise well-protected services.
  • Treat authentication exceptions as risk decisions: Require explicit approval for environments that cannot support the standard passwordless flow, and attach a compensating control to each exception. Review those decisions on a fixed cadence so that temporary workarounds do not become permanent trust gaps.
  • Align access assurance to the sensitivity of the transaction: Use stronger authentication and re-verification for sensitive actions, not just initial sign-in. Tie assurance thresholds to data sensitivity, administrative privilege and the likelihood of account takeover so that the control strength matches the risk.
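One way to operationalise the inventory and exception rules above (and the accountability rule in the key questions), as an added example that is not code from the original article or from 1Kosmos: a small Python check that scores each authentication path against the assurance its resource needs and flags exceptions that lack a named owner, business justification, compensating control or current review date. The three-tier sensitivity scale, the AAL mapping and the sample paths are assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Minimum assurance level per resource sensitivity tier. Numbering loosely follows
# NIST SP 800-63 AAL1..AAL3; the three-tier sensitivity scale is an assumption.
REQUIRED_AAL = {"low": 1, "moderate": 2, "high": 3}
AS_OF = date(2024, 2, 6)  # date the sample report is evaluated against

@dataclass
class AuthPath:
    """One route into a system: the preferred passwordless journey or a fallback/exception."""
    name: str
    owner: str                  # accountable owner; empty string means nobody is named
    sensitivity: str            # "low" | "moderate" | "high" for what the path protects
    aal: int                    # assurance the path actually delivers (1..3)
    is_exception: bool = False  # True when it bypasses the standard passwordless flow
    justification: str = ""     # named business reason for keeping the exception
    compensating_control: str = ""
    review_date: date | None = None

def assess_path(path: AuthPath, today: date) -> list[str]:
    """Return governance findings for one path; an empty list means it is in policy."""
    findings = []
    if not path.owner:
        findings.append("no named owner")
    needed = REQUIRED_AAL[path.sensitivity]
    if path.aal < needed:
        findings.append(f"assurance gap: delivers AAL{path.aal}, sensitivity needs AAL{needed}")
    if path.is_exception:  # every exception needs justification, control and review date
        if not path.justification:
            findings.append("exception without business justification")
        if not path.compensating_control:
            findings.append("exception without compensating control")
        if path.review_date is None:
            findings.append("exception without review date")
        elif path.review_date < today:
            findings.append(f"exception review overdue since {path.review_date.isoformat()}")
    return findings

def assess_inventory(paths: list[AuthPath], today: date) -> dict[str, list[str]]:
    """Map each out-of-policy path name to its findings; in-policy paths are omitted."""
    return {p.name: f for p in paths if (f := assess_path(p, today))}

# Constructed sample inventory (illustrative names, not from any real environment).
SAMPLE_PATHS = [
    AuthPath("sso-passkey", "iam-team", "high", 3),
    AuthPath("legacy-vpn-otp", "network-team", "high", 2, True, "VPN appliance lacks FIDO2", "", date(2023, 12, 31)),
    AuthPath("linux-ssh-password", "", "moderate", 1, True),
    AuthPath("helpdesk-reset-portal", "servicedesk", "high", 1),
]
```

Running `assess_inventory(SAMPLE_PATHS, AS_OF)` returns only the three out-of-policy paths with their findings; the passkey SSO path produces nothing, which is the behaviour a clean exception register should show.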

Key takeaways

  • Passwordless authentication reduces one attack path, but it does not replace identity governance across every login, recovery and exception flow.
  • The core control failure is not technology choice alone. It is inconsistent assurance across the full authentication estate, which attackers can still exploit.
  • Practitioners should measure coverage, fallback risk and proofing strength together, or passwordless rollouts will leave hidden gaps in access control.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST SP 800-63 | | Identity proofing and assurance are central to passwordless enrolment and recovery.
NIST CSF 2.0 | PR.AC-1 | Access permissions and identity assertions must hold across every authentication path.
NIST Zero Trust (SP 800-207) | | The article's emphasis on continuous verification aligns with zero trust access decisions.

Map proofing, authenticator binding and re-authentication to your assurance model before expanding passwordless.


Key terms

  • Passwordless Authentication: An authentication method that replaces passwords with stronger factors such as cryptographic keys, device-bound credentials or biometrics. The security value depends on how the credential is issued, recovered and re-verified, because removing the password does not remove identity risk by itself.
  • Identity Verification: The process of establishing that a person or operator is who they claim to be before granting a credential or access path. In mature programmes, verification is part of the trust chain, not a one-time enrolment checkbox, and it becomes critical during recovery and high-risk access.
  • Authentication Assurance: The level of confidence that an access event is genuine and appropriate for the action being requested. Assurance is shaped by proofing strength, credential binding, device context and recovery controls, and it must be matched to the sensitivity of the transaction.
  • Fallback Authentication Path: A secondary way to access a system when the preferred authentication method is unavailable. These paths often carry lower assurance than the primary flow, which makes them a common source of hidden risk if they are not inventoried, governed and periodically removed.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by 1Kosmos: strengthening cybersecurity in the face of rising threats. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2024-02-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org