TL;DR: Passwordless authentication using a secure card and mobile device removes exposed passwords from the login path, reducing account takeover and shared-secret risk, according to 1Kosmos. The broader lesson is that identity programmes should treat phishing-resistant, card-present verification as a control pattern, not just a user experience improvement.
NHIMG editorial — based on content published by 1Kosmos: a discussion of passwordless card-based authentication and fraud reduction
By the numbers:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- Only 5.7% of organisations have full visibility into their service accounts.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
Questions worth separating out
Q: How should IAM teams reduce account takeover risk without relying on passwords?
A: Use passwordless methods that bind authentication to a secure device, cryptographic proof, or a physical approval action, then apply them first to the highest-risk journeys.
Q: Why do passwordless authentication programmes still need strong enrollment controls?
A: Because passwordless only protects the login ceremony, not the identity proofing that happened before it.
Q: When does a physical authentication factor add real security value?
A: It adds the most value when an attacker can otherwise replay stolen credentials or complete a session remotely without the user present.
Practitioner guidance
- Reassess password reliance for high-risk journeys Identify login and approval flows where password replay, phishing, or credential stuffing would cause material harm, then prioritise those journeys for stronger authentication.
- Tie enrollment assurance to transaction risk Set different proofing requirements for low-risk access, customer onboarding, and high-value approvals so the identity assurance level matches the business impact.
- Require physical presence for sensitive approvals Use a card-present or device-bound action for transactions that need stronger non-replayable verification, especially where remote compromise is the main concern.
What's in the full article
1Kosmos' full post covers the implementation detail this post intentionally leaves for the source:
- The enrollment and card-tap workflow used to bind identity proofing to authentication.
- The practical user experience of approval with a physical card and mobile device.
- The product-specific integration path between the identity proofing step and the authentication factor.
- The team’s own description of why password elimination changes the account takeover model.
👉 Read 1Kosmos' analysis of passwordless card-based authentication and account takeover risk →
Passwordless card-based authentication: what it means for IAM teams?
Explore further
Passwordless authentication reduces one class of compromise, but it does not remove identity risk. The article correctly frames passwords as a weak point because they are easy to steal, reuse, and weaponise in account takeover. But the deeper governance point is that removing a password only shifts the control burden to enrollment quality, device trust, and transaction approval. Practitioners should read this as a control rebalancing exercise, not a complete risk reset.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why identity assurance problems rarely stay confined to human login flows.
A question worth separating out:
Q: What should teams check before rolling out passwordless access at scale?
A: Check enrollment assurance, account recovery, device replacement, help-desk bypass paths, and transaction-level step-up rules. If any of those are weaker than the new login method, the programme can still be defeated through recovery abuse or identity re-proofing failures.
👉 Read our full editorial: Passwordless card-based authentication reduces account takeover risk