By NHI Mgmt Group Editorial Team
Published 2025-09-16
Domain: Governance & Risk
Source: Axiad

TL;DR: Remote work, MFA adoption, cyberattacks and regulatory pressure shaped 2020, according to Axiad, while SolarWinds and FireEye showed how persistent compromise can escalate across agencies and enterprises. The bigger lesson is that authentication controls alone do not close identity attack surface when access, device trust and lifecycle governance lag behind.


At a glance

What this is: Axiad’s 2020 review argues that remote work, MFA, cyberattacks and compliance demands exposed enduring identity and access weaknesses across enterprises.

Why it matters: IAM teams must treat authentication, device trust and lifecycle controls as a single governance problem across human, NHI and autonomous identity programmes.

👉 Read Axiad’s analysis of the major cybersecurity themes of 2020


Context

The core problem is identity governance, not just incident response: when remote work expands quickly, authentication controls, device verification and access policies have to move together. In 2020, that balance broke in many organisations because users, endpoints and temporary access paths changed faster than governance processes could keep up.

The article uses the year’s most visible themes to show how older IAM assumptions were stressed by new operating conditions. That matters across human identity, NHI and autonomous systems because the same programme gaps show up whenever access is issued faster than it can be reviewed, constrained or retired.

In practical terms, the post argues that MFA is necessary but not sufficient. Zero trust, lifecycle discipline and tighter scrutiny of remote access paths become the real control set when phishing, credential theft and compliance pressure all rise at once.


Key questions

Q: Why do remote work models increase identity risk for IAM teams?

A: Remote work expands the identity trust boundary beyond managed office networks, so IAM teams must account for home networks, personal devices and inconsistent access conditions. That increases the risk of weak recovery flows, credential misuse and bypassed controls. Strong authentication helps, but device verification and continuous policy enforcement are what make the access model durable.

Q: When should organisations treat MFA as necessary but not sufficient?

A: Organisations should treat MFA as necessary but not sufficient whenever users can still recover access through weaker routes, reuse credentials or operate on unmanaged devices. MFA blocks many common attacks, but it does not fix bad exception handling or weak access governance. The right standard is whether every access path is held to the same assurance level.

Q: How do security teams know whether zero trust is actually improving access control?

A: Security teams know zero trust is improving access control when access decisions are continuously evaluated, exceptions are rare and recovery paths do not bypass policy. If users can still regain access through temporary passwords, unmanaged devices or inconsistent MFA enforcement, the programme is not yet operating as zero trust in practice.

Q: What should IAM leaders prioritise after a year of remote work expansion?

A: IAM leaders should prioritise reducing authentication shortcuts, tightening device trust and documenting access exceptions. Remote work makes access control a moving target, so the programme needs stronger governance over how users recover, how sessions are verified and how quickly risky access is removed.


Technical breakdown

Remote work changed the identity trust boundary

Remote work expands the trust boundary from a managed office network to home networks, personal devices and diverse access paths. That change alters how authentication, endpoint posture and session trust have to work together. If the organisation only verifies the user at login, but not the device or the surrounding access conditions, the identity layer becomes the weak point. This is why remote access programmes often fail when they are built as convenience layers rather than governed identity controls.

Practical implication: enforce device verification and access policy consistently across remote entry points, not just user authentication.

MFA reduces password risk but does not close the access model

MFA adds a second verification step, but it does not solve inherited problems such as weak passwords, session reuse, temporary password handling or users bypassing controls when processes are inconvenient. In identity terms, MFA protects the front door, not the entire path of access. If governance still allows unsafe fallback methods, the control stack remains brittle. Zero trust becomes relevant because it assumes every request and every session must be continuously evaluated, not merely authenticated once.

Practical implication: remove fallback authentication paths that undermine MFA and pair MFA with continuous access verification.

Regulatory pressure makes identity assurance measurable

CMMC and PSD2 show how regulation pushes identity controls from best practice into measurable requirements. Once compliance demands multi-factor authentication and stronger assurance, security teams need evidence that the control is actually enforced, not just deployed. That shifts the conversation from tool adoption to control integrity, policy enforcement and auditability. For IAM leaders, regulatory readiness becomes a test of whether access decisions are reproducible, documented and tied to the right assurance level.

Practical implication: map identity controls to compliance evidence so MFA, access policy and exception handling can be audited cleanly.


Threat narrative

Attacker objective: The attacker seeks durable access to accounts and systems that can be used for espionage, disruption or large-scale data exposure.

  1. Entry occurred through phishing, credential theft or exposed remote access paths that gave attackers an initial foothold in identity-controlled systems.
  2. Escalation followed when users reused passwords, temporary passwords were mishandled, or MFA and zero trust were not enforced consistently across all access attempts.
  3. Impact came from broad compromise across enterprise accounts, cloud services and, in the SolarWinds and FireEye case, multiple agencies and organisations.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

MFA without lifecycle and policy discipline is an incomplete identity control. The article shows that organisations can deploy MFA and still leave risky fallback paths in place, especially for remote users who need temporary access fixes. That means the control is being treated as a login feature rather than a governance layer. Practitioner conclusion: identity assurance has to cover authentication, exception handling and access retirement together.

Remote work turns device trust into an identity governance issue. When employees connect from unmanaged or mixed-use endpoints, the identity boundary shifts outside the corporate perimeter. That creates a programme problem for IAM, PAM and endpoint teams because access decisions now depend on device state as much as user state. Practitioner conclusion: remote access policies need joint ownership across identity and endpoint governance.

Standing access assumptions fail when every session becomes a potential breach path. The article’s emphasis on user behaviour, temporary passwords and bypasses shows that access often persists longer than teams assume. The standing-access assumption was designed for slower, more predictable access models. It fails when users operate across networks, devices and recovery flows that can be abused in minutes. Practitioner conclusion: review processes must account for the speed of modern identity compromise, not just the existence of controls.

Identity attack surface is now shaped by operational convenience, not just authentication strength. The article repeatedly shows that convenience-driven workarounds such as temporary passwords, password reuse and inconsistent MFA adoption widen exposure. That pattern is central to OWASP-NHI and zero trust thinking because access risk grows when trust is distributed across multiple weak checkpoints. Practitioner conclusion: reduce convenience exceptions before they become permanent governance debt.

2020 validated zero trust as an identity operating model, not a slogan. The article’s core argument is that trust based on location, habit or one-time verification broke under remote work and credential abuse. Zero trust matters here because it forces continuous evaluation of access rather than assuming that initial authentication is enough. Practitioner conclusion: treat zero trust as the policy model that connects identity, device and access assurance.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity governance starts from incomplete inventory data.
  • The 52 NHI Breaches Analysis shows how exposed credentials and over-privilege combine into real compromise paths.

What this signals

Identity programmes that focused only on login assurance in 2020 were already behind the operating model. Remote work made access decisions depend on device trust, recovery flow design and exception handling, not just MFA deployment. The organisations that will be better prepared now are the ones that can prove every access path is governed, not merely authenticated.

Credential hygiene is becoming an operating metric, not a one-time hardening task. When users still reuse passwords and administrators still rely on temporary password workarounds, identity risk accumulates quietly. That is why the practical programme question is whether access is being continuously tightened, reviewed and retired across every channel where users recover or re-enter the environment.


For practitioners

  • Eliminate fallback password recovery paths that bypass MFA: Audit temporary password issuance, email-based resets and help-desk exception flows. Any recovery path that lets a user regain access without equivalent assurance should be removed or tightened to the same standard as primary login.
  • Tie remote access to verified device and session conditions: Require device checks, session policy and conditional access enforcement for remote users instead of relying on authentication alone. Separate personal, unmanaged and corporate devices in policy so the trust boundary is explicit.
  • Map MFA controls to audit evidence and exception handling: Document where MFA is mandatory, where exemptions exist and how those exemptions are approved and reviewed. This gives compliance teams clear proof for CMMC, PSD2 and similar frameworks.
  • Reduce password reuse through stronger authentication policy: Use policy and user education together to reduce repurposed passwords, especially for remote workers. Pair the policy with controls that make reuse unnecessary, such as passwordless or token-based access where appropriate.
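The first two actions above come down to one test the article keeps returning to: every path that grants access, recovery flows included, must be held to the assurance level of the primary login. The following audit is an added example, not code from Axiad or NHI Mgmt Group; the event fields, the factor-to-category mapping and the POLICY thresholds are assumptions constructed for illustration.

```python
# Authenticator category per factor; the mapping is an assumption in the style of
# NIST SP 800-63 factor types. "none" means no authenticator was actually verified.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "totp": "possession",
    "fido2": "possession",
    "email_link": "possession",    # proves mailbox control only
    "temp_password": "knowledge",  # shared secret handed out by the help desk
    "helpdesk_voice": "none",      # identity asserted over the phone
}
PHISHING_RESISTANT = {"fido2"}

def assurance(event):
    """Reduce one access event to the properties the page says must be governed."""
    categories = {FACTOR_CATEGORY.get(f, "none") for f in event["factors"]} - {"none"}
    return {
        "mfa": len(categories) >= 2,
        "phishing_resistant": any(f in PHISHING_RESISTANT for f in event["factors"]),
        "device_managed": bool(event.get("device_managed", False)),
    }

def audit_access_paths(events, required):
    """Return one finding per event whose path grants access below `required`.

    The same bar applies to primary login, help-desk reset, temporary password and
    e-mail recovery: a path that grants access below it is an MFA fallback path.
    """
    findings = []
    for ev in events:
        got = assurance(ev)
        gaps = [k for k, needed in required.items() if needed and not got[k]]
        if gaps:
            findings.append({"user": ev["user"], "path": ev["path"], "gaps": gaps})
    return findings

# Constructed sample events: one login meets policy, the rest show the fallback
# routes the article names. POLICY is the assurance the primary login is held to.
EVENTS = [
    {"user": "alice", "path": "primary_login", "factors": ["password", "fido2"], "device_managed": True},
    {"user": "bob", "path": "primary_login", "factors": ["password", "totp"], "device_managed": False},
    {"user": "carol", "path": "helpdesk_reset", "factors": ["helpdesk_voice", "temp_password"], "device_managed": True},
    {"user": "dave", "path": "email_reset", "factors": ["email_link"], "device_managed": False},
]
POLICY = {"mfa": True, "phishing_resistant": False, "device_managed": True}

if __name__ == "__main__":
    for finding in audit_access_paths(EVENTS, POLICY):
        print(finding)
```

Raising the bar in POLICY (for example requiring a phishing-resistant factor) re-runs the same test against every path, which is the point: the recovery routes are judged by the login's standard, not their own.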

Key takeaways

  • Axiad’s 2020 review shows that remote work exposed identity governance weaknesses that MFA alone could not fix.
  • The article’s examples point to a recurring pattern: credential abuse, weak recovery flows and inconsistent enforcement create enterprise-wide exposure.
  • IAM teams should treat remote access, authentication policy and exception handling as one control plane rather than separate problems.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework                     | Control / Reference | Relevance
NIST CSF 2.0                  | PR.AC-1             | Remote work and MFA both hinge on controlled access management.
NIST Zero Trust (SP 800-207)  | PR.AC-7             | Continuous evaluation fits the article's zero-trust message.
NIST SP 800-63                |                     | Password and MFA discussion maps directly to identity assurance.

Verify every remote access path and enforce least-privilege access decisions consistently.


Key terms

  • Remote Access Trust Boundary: The remote access trust boundary is the set of devices, networks and session conditions that must be considered before identity is trusted. In practice, it expands the control problem beyond the login screen and forces teams to verify the user, the device and the context of each session.
  • MFA Fallback Path: An MFA fallback path is any alternate route that lets a user regain access without the same assurance level as the primary authentication flow. Help-desk resets, temporary passwords and weak recovery channels are common examples, and they often become the easiest way to bypass stronger identity controls.
  • Identity Attack Surface: Identity attack surface is the total set of identity-related entry points, recovery paths and access decisions that an attacker can exploit. It includes passwords, MFA, temporary credentials, session reuse and device trust. The broader the surface, the more control layers must be governed together.

Deepen your knowledge

Remote access governance, MFA enforcement and identity assurance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a programme that has to handle both human access and machine trust at scale, it is worth exploring.

This post draws on content published by Axiad: The Major Cybersecurity Themes of 2020. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org