TL;DR: Hybrid workplaces are pushing authentication decisions beyond passwords toward MFA, biometrics, possession factors, and passwordless controls, with trade-offs around phishing resistance, usability, cost, and compliance according to 1Kosmos. The core security question is no longer whether to authenticate, but which mix of controls matches the risk, because weak first factors still shape the attack surface.
NHIMG editorial — based on content published by 1Kosmos: choosing the right authentication strategy for hybrid workplace access
By the numbers:
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems.
Questions worth separating out
Q: How should security teams choose between passwords, MFA, and passwordless login?
A: Choose based on the sensitivity of the system, the likelihood of phishing or credential theft, and the user population.
Q: When does MFA still leave too much risk in place?
A: MFA still leaves too much risk when the fallback path is weak, when users can be socially engineered into approving prompts, or when the account recovery process is easier to abuse than the primary login.
Q: What should organisations do before adopting biometric authentication?
A: Assess privacy obligations, spoofing risk, device compatibility, and how biometric recovery will work if a user cannot present the factor.
Practitioner guidance
- Classify access by assurance requirement Separate low-risk access, regulated transactions, and high-sensitivity systems before assigning authentication methods, so the control matches the consequence of compromise.
- Remove passwords from high-risk primary flows Use passwordless or MFA for sensitive access paths where phishing and credential replay would create outsized impact, and keep password-only access for low-value use cases only.
- Treat devices as identity assets Track enrolment, replacement, lost-device handling, and revocation for possession-based authentication so device compromise does not become a permanent back door.
What's in the full article
1Kosmos's full article covers the practical control trade-offs this post intentionally leaves at a higher level:
- Detailed comparison of knowledge-based, possession-based, biometric, MFA, and passwordless options for specific deployment scenarios.
- Use-case guidance for balancing user experience, cost, and security in remote work, e-commerce, and regulated access flows.
- Discussion of how risk assessment and compliance requirements should shape authentication selection.
- Context on where passwordless fits into a broader access strategy for organisations modernising identity controls.
👉 Read 1Kosmos's analysis of authentication method selection for hybrid access →
Authentication methods in hybrid access environments: what matters most?
Explore further
Password-first authentication remains a liability because the attacker still only needs the first factor. KBA is convenient, but it leaves organisations exposed to phishing, replay, and weak-secret reuse wherever the password remains the access anchor. That makes the real governance issue not password policy tuning, but whether the programme still relies on a factor family that is trivially transferable across people, devices, and sessions. Practitioners should stop treating passwords as a default baseline for anything beyond the lowest-risk access.
A few things that frame the scale:
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, according to The 2024 Non-Human Identity Security Report.
- 23.7% of organisations share secrets through insecure methods such as email or messaging applications, showing that identity assurance problems often begin with basic handling failures.
A question worth separating out:
Q: How do teams decide whether possession-based authentication is strong enough?
A: Check whether the device or token is truly bound to the user, whether loss or theft can be revoked quickly, and whether shared or unmanaged devices are excluded. If the possession factor cannot be reliably enrolled and revoked, the assurance gain is far weaker than it appears.
👉 Read our full editorial: Authentication control selection for hybrid access needs