
Passwordless card-based authentication: what it means for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7877
Topic starter  

TL;DR: Passwordless authentication using a secure card and mobile device removes exposed passwords from the login path, reducing account takeover and shared-secret risk, according to 1Kosmos. The broader lesson is that identity programmes should treat phishing-resistant, card-present verification as a control pattern, not just a user experience improvement.

NHIMG editorial — based on content published by 1Kosmos: a discussion of passwordless card-based authentication and fraud reduction

Questions worth separating out

Q: How should IAM teams reduce account takeover risk without relying on passwords?

A: Use passwordless methods that bind authentication to a secure device, cryptographic proof, or a physical approval action, then apply them first to the highest-risk journeys.

Q: Why do passwordless authentication programmes still need strong enrollment controls?

A: Because passwordless only protects the login ceremony, not the identity proofing that happened before it.

Q: When does a physical authentication factor add real security value?

A: It adds the most value when an attacker can otherwise replay stolen credentials or complete a session remotely without the user present.

Practitioner guidance

  • Reassess password reliance for high-risk journeys: identify login and approval flows where password replay, phishing, or credential stuffing would cause material harm, then prioritise those journeys for stronger authentication.
  • Tie enrollment assurance to transaction risk: set different proofing requirements for low-risk access, customer onboarding, and high-value approvals so the identity assurance level matches the business impact.
  • Require physical presence for sensitive approvals: use a card-present or device-bound action for transactions that need stronger non-replayable verification, especially where remote compromise is the main concern.
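The "non-replayable, card-present approval" pattern behind the Q&A and the last guidance point, as an added example (not code from 1Kosmos or the source article): the relying party issues a single-use challenge, the card's device-bound Ed25519 key signs that challenge together with the exact transaction being approved, and the verifier consumes the nonce on success, so a captured approval cannot be replayed or redirected to a different transaction. User names, transaction strings and the 16-byte nonce size are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Verifier is the relying party: public keys enrolled per user during identity
// proofing, plus the challenge nonces it has issued but not yet consumed.
type Verifier struct {
	keys   map[string]ed25519.PublicKey
	nonces map[[16]byte]bool
}

func NewVerifier(enrolled map[string]ed25519.PublicKey) *Verifier {
	return &Verifier{keys: enrolled, nonces: map[[16]byte]bool{}}
}
// Challenge issues a fresh single-use nonce for one approval ceremony.
func (v *Verifier) Challenge() (n [16]byte) {
	rand.Read(n[:])
	v.nonces[n] = true
	return n
}
// message is what the card signs: nonce || SHA-256(transaction text).
func message(nonce [16]byte, tx string) []byte {
	h := sha256.Sum256([]byte(tx))
	return append(nonce[:], h[:]...)
}
// SignApproval models the card tap: the card's key signs the challenge for the transaction shown.
func SignApproval(priv ed25519.PrivateKey, nonce [16]byte, tx string) []byte {
	return ed25519.Sign(priv, message(nonce, tx))
}
// Verify accepts only a live nonce, the enrolled key and this exact transaction,
// then consumes the nonce so a captured approval cannot be replayed.
func (v *Verifier) Verify(user, tx string, nonce [16]byte, sig []byte) bool {
	pub, ok := v.keys[user]
	if !ok || !v.nonces[nonce] || !ed25519.Verify(pub, message(nonce, tx), sig) {
		return false
	}
	delete(v.nonces, nonce)
	return true
}
func main() { // constructed sample: one valid approval, then the same approval replayed
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := NewVerifier(map[string]ed25519.PublicKey{"alice": pub})
	n := v.Challenge()
	sig := SignApproval(priv, n, "transfer 500 to acct-42")
	fmt.Println(v.Verify("alice", "transfer 500 to acct-42", n, sig), v.Verify("alice", "transfer 500 to acct-42", n, sig)) // true false
}
```

Note that the private key is generated in main only to keep the sample self-contained; in the pattern the page describes it is created on and never leaves the card.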

What's in the full article

1Kosmos' full post covers the implementation detail this post intentionally leaves for the source:

  • The enrollment and card-tap workflow used to bind identity proofing to authentication.
  • The practical user experience of approval with a physical card and mobile device.
  • The product-specific integration path between the identity proofing step and the authentication factor.
  • The team’s own description of why password elimination changes the account takeover model.

👉 Read 1Kosmos' analysis of passwordless card-based authentication and account takeover risk →
