TL;DR: Passwordless authentication reduces friction, but it does not prove that the person at login time is the same person who was onboarded, according to 1Kosmos. For IAM teams, the real gap is continuous identity assurance, not just simpler sign-in.
At a glance
What this is: This is an identity onboarding analysis arguing that passwordless login alone does not solve spoofing, proofing, or continuous assurance.
Why it matters: It matters because IAM, NHI, and human identity programmes all depend on knowing whether access is tied to a verified subject at the moment of use, not just at enrollment.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Context
Passwordless authentication removes a credential type, but it does not by itself prove who is behind the session or whether that person is still the same identity that was initially proofed. In practice, that means onboarding and access approval still depend on trust signals that can be weak, stale, or easy to spoof.
The identity governance problem is broader than login friction. For IAM teams, the real question is how to establish continuous identity assurance for employees, contractors, and customers when access decisions affect both privacy exposure and business risk.
That gap is not theoretical. Organisations are trying to simplify onboarding, reduce help desk load, and strengthen security at the same time, which makes identity proofing and transactional authorisation central to any serious access model.
Key questions
Q: How should organisations use passwordless authentication without weakening onboarding assurance?
A: Use passwordless as an authentication method after identity proofing, not as a replacement for proofing. The onboarding flow should establish who the subject is, what assurance level they have, and which transactions they may perform. For higher-risk access, add continuous verification or step-up checks before sensitive actions.
Q: Why does passwordless login still leave identity risk in place?
A: Passwordless removes a secret, but it does not prove that the person at login time is the same verified subject who was onboarded. If identity proofing is weak, a spoofed or compromised identity can still reach enterprise applications. The risk shifts from password theft to assurance failure.
Q: When should organisations require continuous verification instead of one-time onboarding checks?
A: Continuous verification is appropriate when access is sensitive, PII is involved, or the user can trigger high-impact transactions after login. One-time checks are not enough when the business needs to know the actor is still the same trusted person throughout the session or lifecycle.
Q: Who is accountable when onboarding uses passwordless but the identity was never strongly proofed?
A: The accountable owners are the identity, security, and business leaders who approved the onboarding design and its assurance level. If the control model relies on passwordless alone, the programme has accepted a weaker trust boundary than the risk usually requires.
Technical breakdown
Why passwordless login does not equal identity proofing
Passwordless removes the need to present a reusable secret, but it does not prove the subject's real-world identity or stop account takeover by a person who has already compromised a device, recovery path, or registration flow. Identity proofing is the process of binding a person to a trusted identity before access is granted. In onboarding contexts, that binding has to survive beyond the first login and remain valid when the user returns to sensitive applications later. Without that, passwordless simply shifts the control point rather than eliminating the trust problem.
Practical implication: treat passwordless as an authentication method, not as a substitute for identity proofing or continuous assurance.
Continuous authentication and transactional authorization in onboarding
Continuous authentication means the system keeps reassessing identity confidence during a session instead of only at the start. Transactional authorization adds a second check before each sensitive action, such as access to payroll, customer data, or administrative functions. Together, they reduce the chance that a one-time onboarding event grants indefinite trust. This matters most when new hires, contractors, or customers receive Day 1 access to multiple systems and the organisation needs to verify both who they are and whether the requested action still fits the current risk policy.
Practical implication: require step-up identity checks before high-risk transactions, not only at initial sign-in.
Identity-based authentication and the limits of detached credentials
Identity-based authentication ties access to a verified person rather than to a password, token, or device alone. That distinction matters because detached credentials can be stolen, replayed, or shared without proving presence or continuity of the approved subject. Stronger onboarding designs use pre-proofed identity, live verification signals, and policy checks to confirm the person behind the request. In IAM terms, the architecture shifts from 'knowing a factor' to 'knowing the actor', which is far more relevant when access must remain safe across employee, contractor, and customer journeys.
Practical implication: design onboarding around verified identity signals, not around one-time credential issuance.
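To make the three ideas in this breakdown concrete (a proofing tier bound to the subject at onboarding, a freshness clock that continuous verification keeps resetting, and a separate check before each sensitive transaction), here is an added Python example. It is not code from the 1Kosmos article or from NHI Mgmt Group; the population floors, the transaction catalogue, the freshness windows and the three-tier `Assurance` scale are all constructed for illustration and are loosely inspired by NIST SP 800-63 assurance levels rather than reproducing them.

```python
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Proofing strength established at onboarding. Constructed tiers, in the
    spirit of NIST SP 800-63 assurance levels, not its exact definitions."""
    NONE = 0     # self-asserted identity, nothing verified
    BASIC = 1    # remote evidence check (e.g. document plus selfie)
    STRONG = 2   # supervised or in-person proofing


@dataclass
class Session:
    subject_id: str
    population: str        # "employee", "contractor" or "customer"
    proofing: Assurance    # assurance bound to the subject at onboarding
    authn: str             # how this session authenticated, e.g. "passkey"
    last_verified_s: int   # seconds since the last live identity check


@dataclass(frozen=True)
class Decision:
    outcome: str   # "allow", "step_up" or "deny"
    reason: str


# Constructed policy: minimum proofing before passwordless sign-in is accepted
# for a population at all. Passwordless is an authentication method, so it
# never raises the proofing tier by itself.
PROOFING_FLOOR = {
    "employee": Assurance.STRONG,
    "contractor": Assurance.STRONG,
    "customer": Assurance.BASIC,
}

# Constructed transaction catalogue: (minimum proofing, max seconds since the
# last live verification). 0 means a fresh check is required on every attempt.
TRANSACTIONS = {
    "read_directory": (Assurance.BASIC, 8 * 3600),
    "view_customer_pii": (Assurance.STRONG, 15 * 60),
    "approve_payroll": (Assurance.STRONG, 0),
    "account_recovery": (Assurance.BASIC, 0),
}


def sign_in(session: Session) -> Decision:
    """Gate at login: is the subject proofed well enough for this population?"""
    floor = PROOFING_FLOOR.get(session.population)
    if floor is None:
        return Decision("deny", f"unknown population {session.population!r}")
    if session.proofing < floor:
        return Decision("deny", f"{session.population} requires proofing >= "
                                f"{floor.name}; {session.authn} login cannot "
                                f"substitute for it")
    return Decision("allow", "proofing floor met")


def authorize(session: Session, transaction: str) -> Decision:
    """Transactional authorization: re-check the proofing tier and verification
    freshness before each sensitive action, independent of the initial login."""
    if transaction not in TRANSACTIONS:
        return Decision("deny", f"unknown transaction {transaction!r}")
    min_proofing, max_age_s = TRANSACTIONS[transaction]
    if session.proofing < min_proofing:
        return Decision("deny", f"{transaction} needs proofing >= "
                                f"{min_proofing.name}, session has "
                                f"{session.proofing.name}")
    if session.last_verified_s > max_age_s:
        return Decision("step_up", f"last live check {session.last_verified_s}s "
                                   f"ago exceeds {max_age_s}s for {transaction}")
    return Decision("allow", "proofing and verification freshness satisfied")


def record_verification(session: Session) -> Session:
    """Continuous authentication: a successful live check resets the clock."""
    session.last_verified_s = 0
    return session


if __name__ == "__main__":
    # Constructed sessions for the walkthrough
    contractor = Session("c-1001", "contractor", Assurance.BASIC, "passkey", 0)
    employee = Session("e-2002", "employee", Assurance.STRONG, "passkey", 3600)
    print(sign_in(contractor))                       # deny: passkey is not proofing
    print(sign_in(employee))                         # allow
    print(authorize(employee, "read_directory"))     # allow: 1h within 8h window
    print(authorize(employee, "view_customer_pii"))  # step_up: 1h exceeds 15m
    record_verification(employee)
    print(authorize(employee, "view_customer_pii"))  # allow after the live check
    print(authorize(employee, "approve_payroll"))    # allow: check is fresh
```

The point of separating `sign_in` from `authorize` is the one the breakdown makes: a passkey session for a contractor who was only remotely proofed is refused outright rather than being trusted because the login was smooth, and an employee who passed the proofing floor still hits a step-up for PII release when the last live check is stale.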
NHI Mgmt Group analysis
Passwordless onboarding is not a governance control if identity proofing is missing. The article's central weakness is that it treats reduced friction as improved assurance, which is not the same thing. Identity proofing is the control that establishes who the subject is, while passwordless only changes how the subject authenticates. For IAM and onboarding programmes, the practical conclusion is that trust cannot start and end with the login method.
Continuous identity assurance is the real control boundary in onboarding risk. A Day 1 access model assumes the person who enrolled is still the person acting later in the session and on later days. That assumption fails when identity spoofing, recovery abuse, or delegated access can separate enrollment from actual use. The implication is that lifecycle governance must extend beyond provisioning and into ongoing verification across employee and customer journeys.
Identity-detached passwordless creates a security theatre problem. Organisations can remove passwords, reduce help desk load, and still leave the core risk untouched if the underlying identity was never strongly established. That is especially true where onboarding spans internal staff, contractors, and customers with different assurance needs. Practitioners should treat the assurance gap as the primary design flaw, not the login UX.
NIST 800-63 style assurance thinking is more relevant here than passwordless branding. The article aligns with the principle that authentication strength depends on proofing quality, not on the absence of a password alone. For programmes that span human identity and customer onboarding, the right question is whether the assurance level is sufficient for the transaction, not whether the login feels easier. Practitioners should map onboarding policy to assurance level, not convenience.
From our research:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- For lifecycle and credential exposure context, see the Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs for how provisioning, rotation, and offboarding should be tied together.
What this signals
Identity assurance has to become a policy object, not a product feature. Teams that treat passwordless as the end state will miss the real operational question: which users, transactions, and populations require proofing before access is considered trustworthy? The gap is particularly visible in onboarding for employees and external workers, where assurance strength often varies without a clear policy rationale. For background on the broader machine identity problem, the Ultimate Guide to NHIs is useful context.
With 97% of NHIs carrying excessive privileges, the same weak-assurance thinking that hurts human onboarding also shows up in machine access governance. When organisations separate identity establishment from runtime access control, they tend to overtrust both people and non-human identities. That is why the boundary between onboarding, proofing, and authorisation now matters across IAM, NHI, and lifecycle programmes. For the access-control baseline, align the programme with the NIST Cybersecurity Framework 2.0.
Continuous verification is becoming the practical line between usable IAM and fragile IAM. The organisations that do this well will not simply remove passwords. They will define assurance tiers, bind them to transaction risk, and revisit them as user populations and access paths change. That is the direction identity governance is moving: from static enrollment decisions to ongoing trust decisions.
For practitioners
- Separate passwordless from proofing requirements: Define which user populations can use passwordless only after identity proofing, and which must pass stronger verification before any access is granted. Use assurance tiers for employees, contractors, and customers instead of one onboarding rule for all.
- Add transactional authorization to high-risk journeys: Require real-time checks before sensitive actions such as privileged application access, PII release, password reset, or account recovery. A successful initial login should not authorize every downstream transaction by default.
- Limit the PII held in onboarding systems: Store only the minimum identity data needed for business use and move verification evidence into controlled workflows with restricted release rules. That reduces the blast radius if the onboarding repository is exposed.
- Review onboarding for contractor and subcontractor variance: Document where background checks, proofing strength, and approval paths differ for external workers, because vendor and subcontractor onboarding often carries weaker verification than employee onboarding.
Key takeaways
- Passwordless authentication reduces friction, but it does not solve identity proofing or guarantee that the user behind a session is the same trusted subject.
- Onboarding risk is really an assurance problem, which is why continuous verification and transactional authorization matter more than login convenience alone.
- IAM teams should separate authentication method from identity confidence and make proofing strength explicit for each user population and access level.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | Identity proofing and assurance levels | The article centres on assurance levels and identity proofing before access. |
| NIST CSF 2.0 | PR.AC-1 | Access control depends on verified identity and appropriate authentication strength. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Continuous verification and transactional authorization align with zero trust access decisions. |
Tie access decisions to verified identity assurance and document the required controls by user type.
Key terms
- Identity Proofing: Identity proofing is the process of establishing that a person is who they claim to be before access is granted. In practice, it uses documents, evidence, or verification signals to bind a real-world subject to an account, with stronger proofing required when the access risk is higher.
- Continuous Authentication: Continuous authentication is repeated verification of identity confidence during a session, not just at login. It reduces reliance on a one-time check by reassessing whether the person or device behind the request still matches the trusted subject throughout the access journey.
- Transactional Authorization: Transactional authorization is a decision to permit or deny a specific action after the user has already authenticated. It matters when a login alone is not enough to justify access to sensitive data, administrative functions, or high-risk workflows.
- Assurance Level: An assurance level is the confidence an organisation has that an identity proofing and authentication process is strong enough for the risk involved. It is not a product label. It is a governance decision that should vary by population, transaction, and business impact.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by 1Kosmos: identity-based authentication for secure onboarding and passwordless access. Read the original.
Published by the NHIMG editorial team on 2023-01-31.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org