TL;DR: 1Kosmos argues that verified digital identity, not just passwordless authentication, is the core gap still blocking stronger zero trust, especially as AI, deepfakes, and service desk attacks raise assurance demands. The article frames identity proofing as the missing control plane for human access and lifecycle governance.
NHIMG editorial — based on content published by 1Kosmos: verified digital identity, passwordless access, and decentralized identity
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
Questions worth separating out
Q: How should organisations use passwordless authentication without weakening identity assurance?
A: Organisations should use passwordless authentication to remove reliance on passwords, but they should not treat it as proof of identity by itself.
Q: When does biometric login improve security, and when does it create new risk?
A: Biometric login improves security when it is tied to a verified identity process and supported by strong recovery controls.
Q: What should IAM teams do with decentralized identity and verifiable credentials?
A: IAM teams should evaluate decentralized identity and verifiable credentials as governance problems first, not as branding changes.
Practitioner guidance
- Map identity assurance to access criticality. Define which access paths require stronger identity proofing, then require step-up controls for service desk resets, onboarding, privileged actions, and sensitive data access.
- Review fallback and recovery paths first. Audit password reset, enrolment, and exception workflows before expanding passwordless or biometric login.
- Separate authentication strength from identity proofing. Document where the programme is proving possession of a device or factor and where it is proving the identity of the person using it.
What's in the full article
1Kosmos's full post covers the operational detail this post intentionally leaves for the source:
- The company’s product and platform framing for verified digital identity and passwordless access
- The decentralised identity model and how the vendor says it fits into its broader platform
- The security narrative around deepfake mitigation and identity assurance for human login flows
- The funding and company history context behind the 1Kosmos strategy shift