
Passwordless identity verification: are your controls covering all use cases?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7541
Topic starter  

TL;DR: State-backed intrusion campaigns and identity abuse are exposing the limits of passwordless-only thinking. The article argues that organisations still need stronger identity verification at every login for customers, workers and citizens. The governance gap is that authentication modernisation fails when it is treated as a feature rather than as an identity discipline.

NHIMG editorial — based on content published by 1Kosmos: strengthening cybersecurity in the face of rising threats

Questions worth separating out

Q: How should organisations handle passwordless authentication when not every system supports it?

A: Treat passwordless as the preferred path, not the only path.

Q: Why do identity verification and passwordless access need to be linked?

A: Passwordless reduces secret-based attacks, but it does not prove who received the credential in the first place.

Q: What do teams get wrong about passwordless rollouts?

A: They often focus on removing passwords from the primary login flow while leaving legacy systems, exceptions and recovery paths untouched.

Practitioner guidance

  • Map all authentication fallback paths: Inventory every route that bypasses the preferred passwordless journey, including legacy systems, VPNs, shared devices and exception-based access flows.
  • Move identity proofing earlier in the lifecycle: Apply stronger identity verification, including liveness where appropriate, at account issuance, recovery and first access.
  • Treat authentication exceptions as risk decisions: Require explicit approval for environments that cannot support the standard passwordless flow, and attach a compensating control to each exception.

What's in the full article

1Kosmos's full article covers the operational detail this post intentionally leaves for the source:

  • The vendor's view of passwordless MFA as a practical feature for mixed enterprise environments.
  • Examples of app-less authentication, browser-based identity verification and biometric security key workflows.
  • The article's own explanation of how identity-centric authentication is meant to reduce technical debt.
  • Additional context on the FBI warnings and the vendor's interpretation of current espionage activity.

👉 Read 1Kosmos's analysis of passwordless identity verification and cyber espionage risk →
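A worked version of the first and third guidance points above (mapping fallback paths, then checking each one against an approved exception with a compensating control). This is an added example, not code from the original post or from 1Kosmos. The sign-in event schema, the method names, the client types and the exception-register layout are all assumptions chosen for illustration; the sample events are constructed. Map the field names to whatever your IdP's sign-in log actually emits.

```python
"""Inventory non-passwordless sign-in routes and flag any that lack an
approved exception naming a compensating control.

Added example (not from the original post or 1Kosmos). Event schema,
method taxonomy and register format are assumptions for illustration.
"""
from collections import defaultdict

# Assumed method taxonomy. Anything outside PASSWORDLESS is a fallback
# path that bypasses the preferred journey and needs to be on the map.
PASSWORDLESS = {"fido2", "passkey", "platform_authenticator", "certificate"}
PASSWORD_MFA = {"password+totp", "password+push", "password+sms"}
PASSWORD_ONLY = {"password"}
LEGACY = {"basic_auth", "ntlm", "radius_pap"}

# Constructed sample sign-in events (not real log data).
SAMPLE_EVENTS = [
    {"user": "alice", "app": "hr_portal", "client": "browser", "method": "passkey", "result": "success"},
    {"user": "bob", "app": "legacy_erp", "client": "vpn", "method": "password+totp", "result": "success"},
    {"user": "carol", "app": "legacy_erp", "client": "vpn", "method": "password", "result": "success"},
    {"user": "dave", "app": "mailrelay", "client": "imap", "method": "basic_auth", "result": "success"},
    {"user": "erin", "app": "hr_portal", "client": "browser", "method": "password", "result": "failure"},
    {"user": "frank", "app": "hr_portal", "client": "kiosk", "method": "password+sms", "result": "success"},
    {"user": "grace", "app": "hr_portal", "client": "browser", "method": "fido2", "result": "success"},
    {"user": "heidi", "app": "mailrelay", "client": "imap", "method": "basic_auth", "result": "success"},
]

# Constructed exception register: (app, client) -> approval record.
# The IMAP relay is "approved" but nobody wrote down a compensating
# control; the kiosk route was never registered at all.
SAMPLE_REGISTER = {
    ("legacy_erp", "vpn"): {
        "approved": True,
        "compensating_control": "VPN restricted to managed devices; password-only logins alerted",
    },
    ("mailrelay", "imap"): {"approved": True, "compensating_control": ""},
}


def classify_method(method: str) -> str:
    """Map a raw authentication method string to a risk tier."""
    if method in PASSWORDLESS:
        return "passwordless"
    if method in PASSWORD_MFA:
        return "password_mfa"
    if method in PASSWORD_ONLY:
        return "password_only"
    if method in LEGACY:
        return "legacy"
    return "unknown"  # unmapped methods surface rather than disappear


def fallback_inventory(events):
    """Return {(app, client): {tier: count}} for every successful
    sign-in that did not use a passwordless method.

    Failed attempts are ignored on purpose: the question being answered
    is which routes actually grant access, not which ones were tried.
    """
    inventory = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["result"] != "success":
            continue
        tier = classify_method(ev["method"])
        if tier == "passwordless":
            continue
        inventory[(ev["app"], ev["client"])][tier] += 1
    return {route: dict(tiers) for route, tiers in inventory.items()}


def unapproved_fallbacks(inventory, register):
    """Return fallback routes with no approved exception that names a
    compensating control. An approval with an empty control, or a route
    missing from the register entirely, both count as unapproved."""
    flagged = []
    for route in sorted(inventory):
        entry = register.get(route)
        if entry is None or not entry.get("approved") or not entry.get("compensating_control"):
            flagged.append(route)
    return flagged


def run_example():
    """Build the inventory from the sample events and check the register."""
    inventory = fallback_inventory(SAMPLE_EVENTS)
    return inventory, unapproved_fallbacks(inventory, SAMPLE_REGISTER)


if __name__ == "__main__":
    inv, flagged = run_example()
    for route, tiers in sorted(inv.items()):
        print(f"{route[0]}/{route[1]}: {tiers}")
    print("needs an approved exception with a compensating control:", flagged)
```

Two design choices worth noting. Unknown methods are classified as `unknown` rather than silently dropped, so a new login type the IdP starts emitting shows up in the inventory instead of hiding. And an approval without a written compensating control is treated the same as no approval, which is the point of the third guidance bullet: the exception is only a risk decision if the mitigation is recorded alongside it.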

