
Password-only authentication: why IAM teams still need stronger controls


(@nhi-mgmt-group)

TL;DR: Passwords remain the dominant authentication factor even though they are easy to steal, reuse, and phish; the 1Kosmos article argues that secure authentication now requires stronger multi-factor and passwordless patterns. The core issue is that authentication controls fail when organisations continue to treat passwords as a durable trust signal instead of a compromise-prone entry point.

NHIMG editorial — based on content published by 1Kosmos: What is Secure Authentication and Why is It Important?

By the numbers:

Questions worth separating out

Q: How should security teams reduce password risk without creating more login friction?

A: Start by moving the highest-risk access paths to phishing-resistant MFA or passwordless methods, then leave passwords only where stronger controls are not yet practical.

Q: Why do reused passwords remain such a major identity risk?

A: Because a stolen password is rarely confined to one account.

Q: What do organisations get wrong about MFA?

A: They often count MFA as a single checkbox instead of evaluating how the factor behaves under phishing, interception, or help desk abuse.

Practitioner guidance

  • Reduce password dependence for privileged and sensitive access: move high-risk applications and administrator workflows toward phishing-resistant MFA or passwordless methods, then reserve passwords only where no stronger option is yet feasible.
  • Separate authentication strength from authorization scope: review whether a strong login is incorrectly granting broad access by default.
  • Harden recovery and reset paths: treat account recovery, password reset, and MFA re-enrolment as privileged workflows.
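The three guidance points above can be expressed as one access-policy check that rates a session by its weakest factor rather than by how many factors were presented, and that treats recovery and re-enrolment as privileged resources. This is an added illustration, not code from 1Kosmos or NHIMG; the factor names, assurance tiers, and resource classes are assumptions chosen for the example.

```python
"""Policy check separating authentication strength from authorization scope.
Added example; tiers, factor names and resource classes are assumptions."""
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    SINGLE_FACTOR = 1        # one phishable secret (password, or an OTP alone)
    MFA_PHISHABLE = 2        # password plus OTP/push: still relayable by a phishing proxy
    PHISHING_RESISTANT = 3   # origin-bound authenticator (FIDO2/passkey, smart card)


# Assumed classification of factor names used in this example.
PHISHING_RESISTANT_FACTORS = {"fido2", "passkey", "smartcard"}
SECOND_FACTORS = {"totp", "sms", "push"}

# Per-resource minimum assurance. Recovery, reset and MFA re-enrolment are
# rated like the admin console, not like a low-risk help-desk path.
REQUIRED = {
    "public-wiki": Assurance.SINGLE_FACTOR,
    "crm": Assurance.MFA_PHISHABLE,
    "admin-console": Assurance.PHISHING_RESISTANT,
    "account-recovery": Assurance.PHISHING_RESISTANT,
    "mfa-reenrol": Assurance.PHISHING_RESISTANT,
}


@dataclass(frozen=True)
class Session:
    user: str
    factors: frozenset  # factor names verified in this session


def assurance(session: Session) -> Assurance:
    """Rate the session by its strongest *kind* of factor, not by factor count."""
    if session.factors & PHISHING_RESISTANT_FACTORS:
        return Assurance.PHISHING_RESISTANT
    if "password" in session.factors and session.factors & SECOND_FACTORS:
        return Assurance.MFA_PHISHABLE
    return Assurance.SINGLE_FACTOR


def authorize(session: Session, resource: str) -> tuple[bool, str]:
    """Grant only if the session meets the resource's floor; unknown resources
    default to the strictest tier so a misconfigured entry fails closed."""
    need = REQUIRED.get(resource, Assurance.PHISHING_RESISTANT)
    have = assurance(session)
    if have >= need:
        return True, f"{resource}: allowed at {have.name}"
    return False, f"{resource}: step-up required (have {have.name}, need {need.name})"
```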

What's in the full article

1Kosmos' full article covers the authentication methods and product details this post intentionally leaves for the source:

  • Detailed comparisons of password, biometric, mobile, app-based, and physical authentication methods.
  • The vendor's explanation of how its passwordless flow uses biometrics, liveness checks, and immutable logs.
  • Implementation context for enterprise passwordless entry that is outside this post's governance focus.
  • Product positioning around remote identity verification and passwordless multi-factor authentication.

👉 Read 1Kosmos' article on secure authentication and passwordless access →
