
Biometric authentication: why possession alone is not enough


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7527
Topic starter  

TL;DR: Biometrics and passkeys can reduce password-driven account takeover, but they still often prove device possession or prior enrolment rather than the person behind the session, according to 1Kosmos. Identity-backed authentication only closes that gap when liveness, verification, and assurance are bound together.

NHIMG editorial — based on content published by 1Kosmos: biometric authentication and identity-backed IAM architecture

By the numbers:

Questions worth separating out

Q: How should security teams use biometrics without overtrusting them?

A: Security teams should treat biometrics as one authentication factor, not as proof of identity.

Q: Why do passkeys and device biometrics still leave identity risk behind?

A: Passkeys and device biometrics reduce password reuse and phishing exposure, but they often confirm possession of a device or prior enrolment rather than the true claimant.

Q: What do IAM teams get wrong about passwordless authentication?

A: Teams often assume passwordless means identity has been solved, when it usually means one class of credential risk has been reduced.

Practitioner guidance

  • Separate factor assurance from identity proofing: map which login journeys rely on possession, which rely on biometrics, and which require verified identity before access is granted.
  • Require liveness checks for high-risk enrolment: use liveness detection and documented proofing steps for accounts that can reach sensitive systems, financial workflows, or privileged administrative functions.
  • Review recovery and re-enrolment paths: test how users recover access after device loss, factor reset, or identity compromise, because those paths often carry the weakest assurance.
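
The three guidance points above describe one policy model: each session is rated by what its factors actually prove, each resource states the tier it needs, and recovery or re-enrolment journeys get their own floor. The Python below is an added illustration written for this post, not code from 1Kosmos or from the NHIMG; the tier names, the factor labels (`passkey`, `device_biometric`, `liveness`, `doc_proofing`), the resource policy and the sample sessions are all assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Ordered assurance tiers. Names and ordering are this example's
    assumptions, not the levels of any particular standard."""
    NONE = 0
    POSSESSION = 1         # passkey / device key: the enrolled device was present
    DEVICE_BIOMETRIC = 2   # local biometric unlock: still bound to the device enrolment
    VERIFIED_IDENTITY = 3  # liveness check bound to a documented identity-proofing step


@dataclass(frozen=True)
class AuthEvent:
    journey: str             # e.g. "login", "recovery", "re_enrolment"
    factors: frozenset[str]  # signals observed in this session (constructed labels)


def session_assurance(ev: AuthEvent) -> Assurance:
    """Translate observed factors into the tier they actually prove.

    A liveness check on its own only shows that a live person is present; it
    counts as identity assurance only when paired with a documented proofing
    step, since that is what binds the live person to the claimed identity.
    """
    f = ev.factors
    if "liveness" in f and "doc_proofing" in f:
        return Assurance.VERIFIED_IDENTITY
    if "device_biometric" in f:
        return Assurance.DEVICE_BIOMETRIC
    if "passkey" in f:
        return Assurance.POSSESSION
    return Assurance.NONE


# Hypothetical per-resource requirements (assumed for the example).
RESOURCE_POLICY: dict[str, Assurance] = {
    "wiki": Assurance.POSSESSION,
    "payments": Assurance.VERIFIED_IDENTITY,
    "admin_console": Assurance.VERIFIED_IDENTITY,
}

# Recovery and re-enrolment replace a factor, so they carry a floor of their
# own regardless of which resource the user is heading for.
JOURNEY_FLOOR: dict[str, Assurance] = {
    "login": Assurance.NONE,
    "recovery": Assurance.VERIFIED_IDENTITY,
    "re_enrolment": Assurance.VERIFIED_IDENTITY,
}


@dataclass(frozen=True)
class Decision:
    action: str  # "allow" or "step_up"
    have: Assurance
    required: Assurance


def decide(ev: AuthEvent, resource: str) -> Decision:
    """Compare what the session proves with the stricter of the resource
    requirement and the journey floor."""
    required = max(RESOURCE_POLICY[resource], JOURNEY_FLOOR[ev.journey])
    have = session_assurance(ev)
    return Decision("allow" if have >= required else "step_up", have, required)


def audit(events: list[tuple[AuthEvent, str]]) -> list[tuple[str, str, str, str]]:
    """List journeys whose observed factors fall short of the required tier."""
    gaps = []
    for ev, resource in events:
        d = decide(ev, resource)
        if d.action != "allow":
            gaps.append((ev.journey, resource, d.have.name, d.required.name))
    return gaps


# Constructed sample sessions, one per guidance point plus a baseline.
SAMPLE = [
    (AuthEvent("login", frozenset({"passkey"})), "wiki"),
    (AuthEvent("login", frozenset({"passkey", "device_biometric"})), "payments"),
    (AuthEvent("recovery", frozenset({"passkey", "device_biometric"})), "wiki"),
    (AuthEvent("login", frozenset({"device_biometric", "liveness", "doc_proofing"})), "admin_console"),
]

if __name__ == "__main__":
    for journey, resource, have, required in audit(SAMPLE):
        print(f"{journey:>12} -> {resource:<13} has {have}, needs {required}")
```

Running the sample reports two gaps: a passkey plus device biometric reaching `payments` is still only device-bound assurance, and the same factors on a `recovery` journey fall short even for a low-sensitivity resource because the journey floor, not the resource, sets the requirement. That is the separation the first and third guidance points ask for.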

What's in the full article

1Kosmos's full article covers the operational detail this post intentionally leaves for the source:

  • Certification references for FIDO2, NIST 800-63-3, and UKDIATF alignment
  • Detailed explanation of LiveID enrolment, liveness testing, and biometric capture flow
  • Biometric encryption mechanics for user-controlled identity storage and key protection
  • Examples of acceptable assurance levels for KYC, KYB, and other identity use cases

👉 Read 1Kosmos's analysis of identity-backed biometric authentication →
