TL;DR: Static login credentials remain vulnerable to phishing, brute force, keylogging, and database theft, while transient credentials such as one-time passwords and session tokens reduce exposure by expiring quickly, according to 1Kosmos. The real governance issue is that authentication still depends on secrets and user behaviour that IAM teams must continuously harden, not assume away.
NHIMG editorial — based on content published by 1Kosmos: What Are Login Credentials?
By the numbers:
- 1Kosmos states that its identity proofing verifies identity with over 99% accuracy.
Questions worth separating out
Q: How should security teams reduce risk from static login credentials?
A: Security teams should reduce static credential risk by limiting where long-lived secrets exist, enforcing strong MFA, and tightening reset and recovery flows.
Q: Why do transient credentials improve authentication security?
A: Transient credentials improve security because they expire quickly, which reduces the time an attacker can reuse a stolen secret.
Q: What do organisations get wrong about multi-factor authentication?
A: Organisations often treat MFA as a checkbox instead of a design choice.
Practitioner guidance
- Harden password recovery workflows Review reset flows, help desk scripts, and fallback factors as high-risk access paths.
- Prioritise phishing-resistant MFA Move high-value users and privileged access to factors that resist interception and replay, such as hardware-backed authenticators or device-bound credentials.
- Shorten the useful life of credentials Use transient credentials where possible and limit session duration for sensitive applications.
What's in the full article
1Kosmos's full article covers the operational detail this post intentionally leaves for the source:
- Factor-by-factor discussion of passwords, biometrics, tokens, and certificates for day-to-day authentication design
- Detailed explanation of passwordless authentication and identity proofing in the vendor's implementation
- Practical feature set information such as SIM binding, privacy by design, and interoperability that matters at rollout stage
- More context on how the vendor frames its cloud-native architecture and integration options
👉 Read 1Kosmos's overview of login credentials and authentication methods →
Login credentials and MFA gaps: what identity teams should do?
Explore further
Static login credentials create standing trust debt. A password or fixed secret is convenient because it persists, but that persistence is exactly what attackers exploit once it leaks. The governance issue is not only weak passwords, it is the assumption that a credential can remain valid long enough to be safely managed through human behaviour alone. That model breaks when secrets move through email, browsers, endpoint caches, help desks, and recovery channels. Practitioners should treat long-lived credentials as accumulated exposure, not merely as a login mechanism.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: How can teams tell whether passwordless authentication is actually safer?
A: Passwordless authentication is safer when it reduces phishing, replay, and help desk abuse without creating a weaker recovery path. Teams should measure adoption alongside enrollment integrity, fallback controls, and account recovery strength. If recovery can still be socially engineered, passwordless has only shifted the problem rather than solved it.
👉 Read our full editorial: Login credentials are still the weak link in identity security