TL;DR: Passwordless authentication reduces friction, but it does not prove that the person at login time is the same person who was onboarded, according to 1Kosmos. For IAM teams, the real gap is continuous identity assurance, not just simpler sign-in.
NHIMG editorial — based on content published by 1Kosmos: identity-based authentication for secure onboarding and passwordless access
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should organisations use passwordless authentication without weakening onboarding assurance?
A: Use passwordless as an authentication method after identity proofing, not as a replacement for proofing.
Q: Why does passwordless login still leave identity risk in place?
A: Passwordless removes a secret, but it does not prove that the person at login time is the same verified subject who was onboarded.
Q: When should organisations require continuous verification instead of one-time onboarding checks?
A: Continuous verification is appropriate when access is sensitive, PII is involved, or the user can trigger high-impact transactions after login.
Practitioner guidance
- Separate passwordless from proofing requirements: Define which user populations can use passwordless only after identity proofing, and which must pass stronger verification before any access is granted.
- Add transactional authorization to high-risk journeys: Require real-time checks before sensitive actions such as privileged application access, PII release, password reset, or account recovery.
- Limit the PII held in onboarding systems: Store only the minimum identity data needed for business use and move verification evidence into controlled workflows with restricted release rules.
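The first two guidance points can be expressed as a single per-action policy decision. The sketch below is an added example, not code from 1Kosmos or NHIMG; the `Session` fields, the action labels, the decision strings and the 300-second freshness window are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Sensitive actions named in the guidance (string labels are assumed).
HIGH_RISK = {"privileged_app_access", "pii_release",
             "password_reset", "account_recovery"}
FRESH_SECONDS = 300  # assumed maximum age of a live verification


@dataclass
class Session:
    subject: str
    identity_proofed: bool        # onboarding proofing completed
    auth_method: str              # "passwordless" or "password"
    last_live_check: Optional[float] = None  # epoch seconds, None if never


def authorize(session: Session, action: str, now: float) -> str:
    """Return "allow", "step_up" or "require_proofing" for one action."""
    high_risk = action in HIGH_RISK
    # Passwordless is only an authenticator: without proofing there is no
    # verified subject to bind it to, so it cannot open a session at all.
    if not session.identity_proofed:
        if session.auth_method == "passwordless" or high_risk:
            return "require_proofing"
        return "allow"  # assumed: unproofed password users keep low-risk access
    if not high_risk:
        return "allow"
    # Transactional check: the login event alone never authorizes a
    # high-risk action; a recent live verification must back it.
    last = session.last_live_check
    if last is None or last > now or now - last > FRESH_SECONDS:
        return "step_up"  # a future timestamp is treated as untrusted
    return "allow"


if __name__ == "__main__":
    # Constructed sample sessions, not real data.
    now = 1_000_000.0
    alice = Session("alice", True, "passwordless", last_live_check=now - 60)
    bob = Session("bob", True, "passwordless", last_live_check=now - 3600)
    carol = Session("carol", False, "passwordless")
    for s, act in [(alice, "pii_release"), (bob, "pii_release"),
                   (bob, "view_dashboard"), (carol, "view_dashboard")]:
        print(s.subject, act, authorize(s, act, now))
```

The decision is evaluated per action rather than per login, which is what distinguishes transactional authorization from a one-time onboarding or sign-in check.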
What's in the full article
1Kosmos' full article covers the operational detail this post intentionally leaves for the source:
- How the vendor frames live biometrics for identity verification in employee and customer onboarding
- Why the article links passwordless sign-on to reduced help desk cost and password reset overhead
- How continuous transactional authorization is positioned for Day 1 access and legacy application access
- The article's explanation of identity-based authentication as a way to support stronger proofing workflows