TL;DR: SSO implementations often still rely on layered signals that answer the wrong question, according to 1Kosmos, while biometric proofing, identity wallets, and verifiable credentials aim to raise assurance across login flows. The bigger issue is that authentication strength must be tied to identity proof, not just more factors, if IAM teams want durable trust.
NHIMG editorial — based on content published by 1Kosmos: inserting identity into SSO implementations
Questions worth separating out
A: Security teams should insert identity proofing at the points where trust is established, then let SSO carry the authenticated session.
Q: Why do layered SSO signals often fail to answer the real authentication question?
A: Layered signals can improve confidence, but they do not always prove that the claimant is the enrolled identity.
Q: When should organisations prioritise identity proofing over more MFA factors?
A: Organisations should prioritise identity proofing when access decisions involve sensitive systems, regulated transactions, or repeated login friction that encourages workarounds.
Practitioner guidance
- Define where proofing occurs in the SSO journey Map which applications need strong identity proof at enrolment, which can rely on reusable credentials, and which still need step-up verification for high-risk access.
- Separate assurance decisions from convenience signals Document which signals improve confidence, which signals prove identity, and which only support fraud or anomaly detection so teams do not overstate what SSO telemetry can guarantee.
- Build fallback paths for biometric failure Support passkeys, QR-based flows, and device alternatives so authentication resilience does not depend on a single modality that may be unavailable on some endpoints.
What's in the full article
1Kosmos's full vlog covers the operational detail this post intentionally leaves for the source:
- Step-by-step examples of how identity proofing is inserted into SSO and endpoint login flows.
- Specific authentication patterns using QR codes, webcams, passkeys, and biometric presentation.
- The practical experience of deploying identity-based authentication alongside existing SSO platforms.
- How verifiable credentials and wallet-based presentation fit into the longer-term roadmap.
👉 Read 1Kosmos's discussion on inserting identity into SSO →
Single sign-on assurance gaps: what IAM teams should change?
Explore further
SSO is an access layer, not an assurance layer. Centralising login does not solve the underlying question of whether the claimant has been strongly proven. The more organisations add risk scoring around SSO, the more they risk mistaking signal aggregation for identity certainty. That matters because the control objective is not a successful session, it is a defensible trust decision at the point of entry.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to NHI Mgmt Group research.
A question worth separating out:
Q: Who is accountable when SSO access depends on reusable identity credentials?
A: Accountability sits with the teams that issue, trust, and govern the credential lifecycle, not only the team operating the login screen. Identity proofing, recovery, revocation, and wallet protection all need explicit ownership. Without that, reusable credentials become convenient access artefacts with unclear governance boundaries.
👉 Read our full editorial: Identity into SSO: what stronger assurance changes for IAM