TL;DR: Static login credentials remain vulnerable to phishing, brute force, keylogging, and database theft, while transient credentials such as one-time passwords and session tokens reduce exposure by expiring quickly, according to 1Kosmos. The real governance issue is that authentication still depends on secrets and user behaviour that IAM teams must continuously harden, not assume away.
NHIMG editorial — based on content published by 1Kosmos: What Are Login Credentials?
By the numbers:
- 1Kosmos states that its identity proofing verifies identity with over 99% accuracy.
Questions worth separating out
Q: How should security teams reduce risk from static login credentials?
A: Security teams should reduce static credential risk by limiting where long-lived secrets exist, enforcing strong MFA, and tightening reset and recovery flows.
Q: Why do transient credentials improve authentication security?
A: Transient credentials improve security because they expire quickly, which reduces the time an attacker can reuse a stolen secret.
Q: What do organisations get wrong about multi-factor authentication?
A: Organisations often treat MFA as a checkbox instead of a design choice.
Practitioner guidance
- Harden password recovery workflows: Review reset flows, help desk scripts, and fallback factors as high-risk access paths.
- Prioritise phishing-resistant MFA: Move high-value users and privileged access to factors that resist interception and replay, such as hardware-backed authenticators or device-bound credentials.
- Shorten the useful life of credentials: Use transient credentials where possible and limit session duration for sensitive applications.
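The expiry behaviour described in the transient-credential answer and in the last guidance item above, as an added example that is not from 1Kosmos or the original post: a server-signed session token that carries its own expiry, so a captured copy stops working once its lifetime passes and cannot have that lifetime extended by whoever holds it. The signing key, the 300-second lifetime and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed values for this example only (assumptions, not from the article).
SERVER_KEY = secrets.token_bytes(32)   # signing key that never leaves the server
SESSION_TTL_SECONDS = 300              # assumed lifetime for a sensitive application


def issue_token(user, now=None, ttl=SESSION_TTL_SECONDS):
    """Return a signed token whose payload includes its own expiry time."""
    now = time.time() if now is None else now
    payload = f"{user}|{int(now) + ttl}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(tag).decode())


def verify_token(token, now=None):
    """Return the user name if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        return None                      # malformed token
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                      # payload or tag was altered
    # The payload is trusted only after the MAC check has passed.
    user, expires = payload.decode().rsplit("|", 1)
    return user if now < int(expires) else None


if __name__ == "__main__":
    issued_at = 1_700_000_000            # constructed timestamp
    token = issue_token("alice", now=issued_at)
    for delay in (60, 299, 300, 3600):   # seconds after issue
        result = verify_token(token, now=issued_at + delay)
        print(f"presented after {delay:>4}s ->", result or "rejected")
```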
What's in the full article
1Kosmos's full article covers the operational detail this post intentionally leaves for the source:
- Factor-by-factor discussion of passwords, biometrics, tokens, and certificates for day-to-day authentication design
- Detailed explanation of passwordless authentication and identity proofing in the vendor's implementation
- Practical feature set information such as SIM binding, privacy by design, and interoperability that matters at rollout stage
- More context on how the vendor frames its cloud-native architecture and integration options