Michael Engle is Cofounder at 1Kosmos and was previously head of InfoSec at Lehman Brothers and Cofounder of Bastille Networks.
In many enterprise environments, it’s common for identity verification and authentication to be treated as separate functions. When these systems remain decoupled—across legacy directories, cloud identity providers (IdPs) and mobile platforms—going passwordless becomes an endless battle against the identity gap.
Think of a traditional identity stack as a box of puzzle pieces—each one representing a security control, identity provider or authentication mechanism. But none of them were designed to fit together. With applications built independently and around proprietary protocols, there’s no standard way to perform authentication. Making the journey to passwordless becomes a complicated mix of one-off integrations and hard-coded workarounds.
That’s because the typical large enterprise relies on a patchwork of identity solutions, many of which were designed for a different era. These include:
• Legacy Systems Like Active Directory (AD) And LDAP: These systems still manage enterprise authentication but struggle to adapt to cloud applications and passwordless authentication models.
• Cloud Identity Providers: Solutions like Okta, Azure AD and Google Identity offer modern authentication but only cover a fraction of user systems.
• Mobile And Device-Based Authentication: iOS and Android provide built-in authentication mechanisms such as biometrics and passkeys, but these function in isolation from enterprise-wide identity systems and are not linked back to a verified human identity.
A byproduct of these disparate systems is that user authentication is performed in different ways depending on the application or platform. The result: Tribal knowledge keeps the systems online, but at extraordinary cyber risk, as each passwordless configuration can’t possibly be certified to industry standards for security and interoperability. Security loopholes in custom code will inevitably exist. Agility and flexibility are impaired by this lack of interoperability, which also results in vendor lock-in.
The path forward is to unify identity verification and authentication within a single, interoperable framework—eliminating fragmented protocols and enabling consistent, secure access across all systems.
Shortcomings Of Traditional Approaches
In an attempt to unify identity verification and authentication, many organizations use one of two approaches:
The first involves bolting on multi-factor authentication (MFA) without standardized identity proofing. While MFA strengthens authentication, it does not verify that the person using the credentials is the rightful owner. If an attacker gains access to an account via phishing, social engineering or credential stuffing, MFA alone won’t prevent compromise.
The second uses a patchwork of identity systems native to each platform. For example, enterprises frequently use different identity solutions for different environments—Active Directory for on-prem access, a cloud IdP for SaaS applications and separate authentication layers for mobile. This fragmentation prevents a unified view of identity and increases risk.
Filling The Gaps To Unify Identity
To achieve a seamless identity verification and authentication framework, enterprises need to fill the gaps in the jar of marbles. This requires three key components:
Strong Identity Proofing
Organizations must establish a trusted identity foundation before granting authentication privileges. This includes:
• Document Verification: Government-issued ID verification (e.g., passports, driver’s licenses) combined with liveness detection to prevent deepfake or synthetic identity fraud.
• Biometric Authentication: Binding authentication to biometric markers (e.g., fingerprint, facial recognition) instead of relying on a password plus two-factor authentication, which is prone to compromise.
By integrating identity proofing into the onboarding process, organizations ensure that only verified individuals gain access in the first place—eliminating reliance on easily compromised credentials.
Harmonizing Identity Across Legacy, Cloud And Mobile
The next step is breaking down silos between identity systems and authentication providers by:
• Bridging Legacy Directories With Cloud Identity Providers: Implementing federation and identity orchestration to ensure AD, LDAP and cloud IdPs work together seamlessly.
• Standardizing Authentication Across Devices: Ensuring desktop, mobile and app-based authentication methods are linked with real biometrics and incorporated into enterprise authentication workflows.
• Eliminating Password Reliance: Biometrics provide an opportunity to remove passwords and MFA from authentication flows, ensuring secure access across all environments, including those that SSO platforms often leave uncovered.
Unifying identity across platforms prevents authentication weaknesses that attackers exploit and provides a consistent user experience across on-prem, cloud and mobile environments. Accurately collect identity information from the outset to establish a “chain of custody” for the true identity of the applicant, beginning with interviews (talent acquisition). Integrations with Workday and IGA systems (e.g., SailPoint and Saviynt) can further help optimize the process.
Continuous Authentication And Behavior Monitoring
Identity verification should not be a one-time event. Attackers frequently bypass authentication controls through session hijacking, stolen credentials and account takeovers. Organizations should implement continuous authentication using:
• Risk-Based Authentication (RBA): Dynamically adjusting authentication based on risk factors like IP changes, device posture, and abnormal login behaviors.
• Behavioral Biometrics: Analyzing typing speed, mouse movements and other forms of behavioral recognition to detect anomalous behavior indicative of compromised credentials.
• Device Integrity Checks: Ensuring authentication is performed on trusted devices—not rooted, jailbroken or compromised endpoints.
Treating authentication as an ongoing process eliminates security gaps, ensuring access remains secure even after initial identity verification. Conduct a thorough audit of current authentication methods and pinpoint high-risk areas where passwords are frequently used. It’s essential to involve stakeholders from security, IT and compliance teams to develop a phased strategy for retiring passwords while also preparing for the transition to biometric authentication.
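As an added illustration of the continuous-authentication signals listed above (not code from the article or from 1Kosmos), the following Python scores in-session events against a per-user baseline using the same factors: IP change, unknown device, failed device integrity attestation, unusual login hour and a behavioural typing anomaly. Weights, thresholds, the baseline and the sample events are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass
class SessionEvent:            # one observation taken during an active session
    user: str
    ip: str
    device_id: str
    device_trusted: bool       # device attestation passed (not rooted/jailbroken)
    hour_utc: int
    typing_cps: float          # observed typing speed, chars/sec (behavioural signal)

@dataclass
class UserBaseline:            # what "normal" looks like for this user
    known_ips: Set[str]
    known_devices: Set[str]
    usual_hours: range
    typing_cps: float

def risk_score(ev: SessionEvent, base: UserBaseline) -> Tuple[int, List[str]]:
    # Each check maps to one of the article's signals; weights are assumed, not standard.
    checks = [
        ("new_ip", ev.ip not in base.known_ips, 30),
        ("new_device", ev.device_id not in base.known_devices, 25),
        ("untrusted_device", not ev.device_trusted, 50),
        ("unusual_hour", ev.hour_utc not in base.usual_hours, 15),
        ("typing_anomaly", abs(ev.typing_cps - base.typing_cps) > 0.5 * base.typing_cps, 20),
    ]
    hits = [(name, w) for name, fired, w in checks if fired]
    return sum(w for _, w in hits), [name for name, _ in hits]

def decide(score: int) -> str:
    # Assumed thresholds: re-prove identity (biometric step-up) before denying outright.
    return "deny" if score >= 60 else "step_up" if score >= 30 else "allow"

def evaluate(events: List[SessionEvent], baselines: Dict[str, UserBaseline]):
    results = []
    for ev in events:
        score, reasons = risk_score(ev, baselines[ev.user])
        results.append((decide(score), score, reasons))
    return results

# Constructed sample data: a normal event, an IP change, then a hijack-like event.
BASELINES = {"alice": UserBaseline({"203.0.113.10"}, {"dev-a1"}, range(8, 19), 5.0)}
EVENTS = [
    SessionEvent("alice", "203.0.113.10", "dev-a1", True, 10, 5.0),
    SessionEvent("alice", "198.51.100.7", "dev-a1", True, 11, 5.1),
    SessionEvent("alice", "198.51.100.7", "dev-x9", False, 3, 2.0),
]
if __name__ == "__main__":
    for ev, (action, score, why) in zip(EVENTS, evaluate(EVENTS, BASELINES)):
        print(f"{ev.user} from {ev.ip}: {action} (score={score}, reasons={why})")
```

Run as a script it prints allow, step_up and deny for the three constructed events; in a real deployment the baseline would be learned from the user's history and the step-up would invoke the biometric re-verification the article describes.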
Aligning Verification And Authentication
The jar of marbles that many enterprises struggle with is not rooted in a lack of identity tools, but rather the fragmentation between legacy directories, cloud identity providers and mobile authentication mechanisms. This is not just an operational burden—it also is a direct security liability that leaves organizations exposed to credential-based attacks, session hijacking and account takeovers.
By aligning verification and authentication within a unified identity architecture, enterprises can close security gaps, reduce dependency on outdated authentication models and move toward a zero-trust identity framework.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
