TL;DR: Verified digital identity, not just passwordless authentication, is the core gap 1Kosmos argues is still blocking stronger zero trust, especially as AI, deepfakes, and service desk attacks raise assurance demands. The article frames identity proofing as the missing control plane for human access and lifecycle governance.
NHIMG editorial — based on content published by 1Kosmos: verified digital identity, passwordless access, and decentralized identity
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
Questions worth separating out
Q: How should organisations use passwordless authentication without weakening identity assurance?
A: Organisations should use passwordless authentication to remove reliance on passwords, but they should not treat it as proof of identity by itself.
Q: When does biometric login improve security, and when does it create new risk?
A: Biometric login improves security when it is tied to a verified identity process and supported by strong recovery controls.
Q: What should IAM teams do with decentralized identity and verifiable credentials?
A: IAM teams should evaluate decentralized identity and verifiable credentials as governance problems first, not as branding changes.
Practitioner guidance
- Map identity assurance to access criticality Define which access paths require stronger identity proofing, then require step-up controls for service desk resets, onboarding, privileged actions, and sensitive data access.
- Review fallback and recovery paths first Audit password reset, enrolment, and exception workflows before expanding passwordless or biometric login.
- Separate authentication strength from identity proofing Document where the programme is proving possession of a device or factor and where it is proving the identity of the person using it.
What's in the full article
1Kosmos's full post covers the operational detail this post intentionally leaves for the source:
- The company’s product and platform framing for verified digital identity and passwordless access
- The decentralised identity model and how the vendor says it fits into its broader platform
- The security narrative around deepfake mitigation and identity assurance for human login flows
- The funding and company history context behind the 1Kosmos strategy shift
👉 Read 1Kosmos's analysis of verified digital identity and passwordless access →
Verified identity and passwordless access: what IAM teams need to know?
Explore further
Verified identity is now a governance control, not just an authentication feature. Once organisations tie access to stronger proof of personhood, identity proofing becomes part of the control stack that governs fraud resistance, help desk risk, and onboarding integrity. That is especially relevant where account recovery or service desk processes create the easiest path for attackers. Practitioners should treat identity assurance as an operational control with lifecycle impact, not a login enhancement.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, which shows how identity trust breaks down when lifecycle controls are weak.
A question worth separating out:
Q: Why do service desk and onboarding processes matter so much in identity security?
A: Service desk and onboarding processes matter because they are frequent targets for impersonation and account takeover, especially when they can override stronger login controls. If an attacker can reset access, re-enrol identity, or approve exceptions through a weak support path, the strongest authentication method in the stack becomes less relevant. Governance must cover the full lifecycle.
👉 Read our full editorial: Verified digital identity is the missing layer in passwordless IAM