Passwordless security: what identity teams still need to fix


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7623
Topic starter  

TL;DR: According to 1Kosmos, credential-based breaches keep succeeding because attackers hide behind compromised identities, not because passwords alone are inherently broken. The missing pieces are password reset, interoperability, and stronger identity assurance, and passwordless programmes fail when they treat authentication changes as a substitute for identity proofing.

NHIMG editorial — based on content published by 1Kosmos: Problems with Passwords

By the numbers:

  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.

Questions worth separating out

Q: How should security teams implement passwordless without weakening identity assurance?

A: Security teams should treat passwordless as one control in a broader identity programme.

Q: Why do passwordless programmes still need password reset capability?

A: Because most enterprises cannot remove every password at once.

Q: What do organisations get wrong about passwordless adoption?

A: They often focus on the login experience and ignore interoperability, lifecycle fit, and identity verification.

Practitioner guidance

  • Maintain governed legacy password reset: keep a controlled reset mechanism for any accounts, applications, or remote access paths that still depend on passwords.
  • Test interoperability before scaling passwordless: validate open APIs, SDKs, and standards support across workstations, cloud apps, remote access solutions, and identity platforms before broad rollout.
  • Raise identity proofing assurance: use stronger verification for workers, citizens, and customers before issuing access that will be used for login or transaction approval.
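The first and third points above are easier to reason about together, so here is an added illustration (written for this post, not code from 1Kosmos or from the NHIMG) of a governed reset service that only serves accounts still on a legacy password path, refuses to issue a reset unless the requester has cleared an identity-proofing step, and makes every token single-use and time-limited. The assurance labels, the 600-second TTL, the PBKDF2 stand-in for the directory's real hashing, and the account names are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Hypothetical assurance labels for the proofing step; the names are assumptions
# made for this example, not 1Kosmos terminology.
ASSURANCE_RANK = {"none": 0, "self-asserted": 1, "document-verified": 2}
REQUIRED_ASSURANCE = "document-verified"
TOKEN_TTL_SECONDS = 600  # assumed policy value


@dataclass
class Account:
    username: str
    password_dependent: bool  # True only for accounts still on a legacy password path
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    password_hash: bytes = b""


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the directory actually uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class GovernedResetService:
    accounts: dict
    server_key: bytes                             # keyed hashing of stored tokens
    audit: list = field(default_factory=list)     # (event, username, detail)
    _pending: dict = field(default_factory=dict)  # token digest -> (username, expiry)

    def _digest(self, token: str) -> bytes:
        # Store only an HMAC of the token so a leaked table cannot be replayed.
        return hmac.new(self.server_key, token.encode(), hashlib.sha256).digest()

    def request_reset(self, username, assurance_level, now=None):
        """Issue a single-use, time-limited reset token, or None if policy denies it."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None or not acct.password_dependent:
            # Accounts already moved off passwords get no password reset path at all.
            self.audit.append(("reset_denied", username, "not_password_dependent"))
            return None
        if ASSURANCE_RANK.get(assurance_level, 0) < ASSURANCE_RANK[REQUIRED_ASSURANCE]:
            # Identity proofing gates the reset; a weaker claim is logged and refused.
            self.audit.append(("reset_denied", username, f"assurance={assurance_level}"))
            return None
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (username, now + TOKEN_TTL_SECONDS)
        self.audit.append(("reset_issued", username, f"assurance={assurance_level}"))
        return token

    def complete_reset(self, token, new_password, now=None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.pop(self._digest(token), None)  # pop => single use
        if entry is None:
            self.audit.append(("reset_failed", None, "unknown_or_used_token"))
            return False
        username, expiry = entry
        if now > expiry:
            self.audit.append(("reset_failed", username, "expired_token"))
            return False
        acct = self.accounts[username]
        acct.password_hash = hash_password(new_password, acct.salt)
        self.audit.append(("reset_completed", username, ""))
        return True

    def verify_password(self, username, password) -> bool:
        acct = self.accounts[username]
        return hmac.compare_digest(acct.password_hash, hash_password(password, acct.salt))


def demo():
    """Run the policy through the cases a reviewer would want to see; returns pass/fail flags."""
    accounts = {  # constructed sample accounts
        "legacy-vpn-user": Account("legacy-vpn-user", password_dependent=True),
        "passkey-user": Account("passkey-user", password_dependent=False),
    }
    svc = GovernedResetService(accounts, server_key=secrets.token_bytes(32))
    t0 = 1_700_000_000.0
    results = {
        "weak_proofing_denied": svc.request_reset("legacy-vpn-user", "self-asserted", now=t0) is None,
        "passwordless_denied": svc.request_reset("passkey-user", "document-verified", now=t0) is None,
    }
    token = svc.request_reset("legacy-vpn-user", "document-verified", now=t0)
    results["issued"] = token is not None
    results["completed"] = svc.complete_reset(token, "correct horse battery", now=t0 + 60)
    results["replay_rejected"] = not svc.complete_reset(token, "other", now=t0 + 61)
    results["login_ok"] = svc.verify_password("legacy-vpn-user", "correct horse battery")
    late = svc.request_reset("legacy-vpn-user", "document-verified", now=t0)
    results["expired_rejected"] = not svc.complete_reset(late, "x", now=t0 + TOKEN_TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    print(demo())
```

The audit list is the part worth copying: every denial records why (account already passwordless, or proofing too weak), which is what lets an identity team show that the legacy reset path is governed rather than merely present.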

What's in the full article

1Kosmos's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step self-service password reset flow for legacy accounts in the 1Kosmos Workforce application
  • Practical integration guidance for workstations, cloud apps, remote access solutions, and identity platforms
  • Vendor-specific discussion of identity proofing using government, telco, and banking credentials
  • The on-demand webinar with Edward Amoroso and Mike Engle on passwordless security and zero trust

👉 Read 1Kosmos's analysis of passwordless security and identity assurance →
