TL;DR: State-backed intrusion campaigns and identity abuse are exposing the limits of passwordless-only thinking, with the article arguing that organisations still need stronger identity verification at every login for customers, workers and citizens. The governance gap is that authentication modernisation fails when it is treated as a feature rather than an identity discipline.
NHIMG editorial — based on content published by 1Kosmos: strengthening cybersecurity in the face of rising threats
Questions worth separating out
Q: How should organisations handle passwordless authentication when not every system supports it?
A: Treat passwordless as the preferred path, not the only path.
Q: Why do identity verification and passwordless access need to be linked?
A: Passwordless reduces secret-based attacks, but it does not prove who received the credential in the first place.
Q: What do teams get wrong about passwordless rollouts?
A: They often focus on removing passwords from the primary login flow while leaving legacy systems, exceptions and recovery paths untouched.
Practitioner guidance
- Map all authentication fallback paths Inventory every route that bypasses the preferred passwordless journey, including legacy systems, VPNs, shared devices and exception-based access flows.
- Move identity proofing earlier in the lifecycle Apply stronger identity verification, including liveness where appropriate, at account issuance, recovery and first access.
- Treat authentication exceptions as risk decisions Require explicit approval for environments that cannot support the standard passwordless flow, and attach a compensating control to each exception.
What's in the full article
1Kosmos's full article covers the operational detail this post intentionally leaves for the source:
- The vendor's view of passwordless MFA as a practical feature for mixed enterprise environments.
- Examples of app-less authentication, browser-based identity verification and biometric security key workflows.
- The article's own explanation of how identity-centric authentication is meant to reduce technical debt.
- Additional context on the FBI warnings and the vendor's interpretation of current espionage activity.
👉 Read 1Kosmos's analysis of passwordless identity verification and cyber espionage risk →
Passwordless identity verification: are your controls covering all use cases?
Explore further
Passwordless authentication is not a governance endpoint. The article is right to separate passwordless as a feature from identity as a business challenge. Passwordless reduces one class of credential abuse, but it does not solve assurance design across every platform, recovery path or exception flow. The implication is that IAM programmes must judge authentication by coverage and assurance consistency, not by whether passwords have disappeared from the primary login experience.
A few things that frame the scale:
- From our research: 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
A question worth separating out:
Q: Who is accountable when authentication exceptions become permanent?
A: Accountability should sit with the identity, security and application owners who approved the exception, because they own the residual risk. If the exception remains in place, it needs a named business justification, a compensating control and a review date. Without that, the exception becomes an unmanaged access path.
👉 Read our full editorial: Passwordless identity verification is not enough on its own