TL;DR: 2020 accelerated remote work, exposed persistent password and MFA weaknesses, and highlighted how phishing, credential theft, ransomware, and SolarWinds-style supply chain compromise can overwhelm identity controls, according to Axiad. The lesson is that identity security must assume bypass, not just authentication success.
At a glance
What this is: This is Axiad’s year-end security bulletin on the major cybersecurity themes of 2020, with remote work, MFA, ransomware, and supply chain compromise as the main identity security takeaways.
Why it matters: It matters because the article shows how human identity controls, privileged access patterns, and NHI exposure all became more fragile as organisations moved faster into cloud and remote operating models.
By the numbers:
- At the beginning of 2020, more than half of CIOs expected an increase in remote workers.
- By last fall, only 57% of businesses were utilizing MFA.
- 91% of people understand that repurposing passwords is a security risk, yet 66% still do so.
Context
The central identity security problem in this article is simple: remote work expanded access faster than identity programmes could adapt. In practice, that means organisations were still depending on passwords, temporary passwords, and trust assumptions that were already weak before 2020 and became much harder to defend once users moved off managed office networks.
Axiad frames 2020 as a year in which identity controls were stress-tested across human access, privileged access, and broader cyber resilience. The article links MFA adoption, zero trust thinking, ransomware pressure, and the SolarWinds and FireEye compromise into one message: access governance has to work when conditions are chaotic, not only when the environment is stable.
Key questions
Q: Why does password-centric access break down under remote work?
A: Password-centric access breaks down because remote work expands the number of channels attackers can exploit, from phishing to helpdesk abuse to interception of temporary credentials. The main failure is not the password alone. It is the surrounding recovery and verification process, which often assumes a controlled internal network and a trusted support path that no longer exist.
Q: Why do organisations need zero trust for both human and non-human identities?
A: Human and non-human identities both become trust shortcuts once a credential is issued. Zero trust matters because valid access does not equal safe access, especially when service accounts, tokens, and privileged workflows can be reused, over-scoped, or abused without continuous verification.
Q: How do teams know whether MFA is actually reducing access risk?
A: MFA is working only if it blocks meaningful bypass paths and reduces the success rate of stolen credentials, not just if users see an extra prompt. Teams should look for helpdesk bypasses, legacy protocol exceptions, and repeated authentication failures that indicate attackers are still finding alternate routes.
Q: Who is accountable when third-party trust relationships are exploited in a supply chain compromise?
A: Accountability sits with the organisation that allowed inherited trust to persist without enough verification, as well as with the third party whose access or software path became the attack vector. Governance should define ownership for vendor access, delegated credentials, and offboarding so that trust changes are tracked and revoked.
Technical breakdown
Why remote work broke password-based access models
Remote work changed the trust model around endpoint, network, and user behaviour at the same time. Passwords and temporary passwords became weaker because they were often delivered through channels that attackers could intercept or socially engineer, especially when users were outside controlled office environments. Even when the credential itself was valid, the surrounding context was less trustworthy: personal devices, home networks, and rushed helpdesk workflows all increased exposure. The core issue is not simply that passwords are weak. It is that remote work made legacy authentication workflows easier to exploit and harder to monitor consistently.
Practical implication: remove password recovery paths and temporary credential workflows that assume a controlled internal network.
How MFA helps, and where it is still not enough
MFA reduces the value of stolen passwords, but it does not eliminate identity risk on its own. The article’s point is that organisations often stop at initial MFA adoption and then treat authentication as if it solved broader access problems. It does not. If users can still bypass controls, reuse credentials, or be tricked into approving malicious access, the control only narrows the window of attack. In identity terms, MFA is one layer inside a larger access governance model that also needs verification discipline, conditional policy enforcement, and monitoring of abnormal access paths.
Practical implication: pair MFA with access policy enforcement and monitoring for bypass behaviour, not just login success rates.
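The monitoring the paragraph above calls for can be made concrete. The following is an added example, not code from Axiad or NHIMG: it runs over a constructed authentication log and surfaces the three bypass routes the article names (legacy protocol exceptions, repeated failures that end in a success, and helpdesk MFA resets followed by a login from an unfamiliar address), alongside the metric that matters: the share of successful logins on which a second factor was actually enforced. The event schema, the legacy-protocol list, the thresholds and every record in SAMPLE_EVENTS are assumptions made for illustration. It also serves the "Treat MFA as a baseline, not an endpoint" item under "For practitioners".

```python
"""Detect indicators that MFA is being bypassed, from authentication logs.

Added example, not Axiad's or NHIMG's code. The event schema (field names),
the legacy-protocol list, the thresholds and every record in SAMPLE_EVENTS
are constructed for illustration and do not come from a real product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one dict per authentication-related event.
SAMPLE_EVENTS = [
    {"ts": "2020-11-02T08:00:00", "user": "alice", "event": "login", "result": "success", "protocol": "web", "mfa": True, "ip": "203.0.113.10"},
    {"ts": "2020-11-02T08:05:00", "user": "bob", "event": "login", "result": "success", "protocol": "imap", "mfa": False, "ip": "198.51.100.7"},
    {"ts": "2020-11-02T09:00:00", "user": "carol", "event": "login", "result": "failure", "protocol": "web", "mfa": False, "ip": "192.0.2.44"},
    {"ts": "2020-11-02T09:01:00", "user": "carol", "event": "login", "result": "failure", "protocol": "web", "mfa": False, "ip": "192.0.2.44"},
    {"ts": "2020-11-02T09:02:00", "user": "carol", "event": "login", "result": "failure", "protocol": "web", "mfa": False, "ip": "192.0.2.44"},
    {"ts": "2020-11-02T09:03:00", "user": "carol", "event": "login", "result": "success", "protocol": "web", "mfa": True, "ip": "192.0.2.44"},
    {"ts": "2020-11-02T10:00:00", "user": "dave", "event": "mfa_reset", "result": "success", "protocol": "helpdesk", "mfa": False, "ip": "10.0.0.5"},
    {"ts": "2020-11-02T10:12:00", "user": "dave", "event": "login", "result": "success", "protocol": "web", "mfa": True, "ip": "203.0.113.99"},
    {"ts": "2020-11-02T11:00:00", "user": "erin", "event": "login", "result": "success", "protocol": "web", "mfa": False, "ip": "203.0.113.12"},
]

# Assumed tuning values: protocols that cannot carry a second factor, and detection windows.
LEGACY_PROTOCOLS = {"imap", "pop3", "smtp", "activesync"}
FAIL_THRESHOLD = 3                  # failures before a success that we treat as guessing
FAIL_WINDOW = timedelta(minutes=10)
RESET_WINDOW = timedelta(hours=1)   # a login soon after a helpdesk MFA reset is worth a look


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def mfa_enforcement_rate(events):
    """Share of successful logins on which a second factor was actually enforced.

    This is the metric the text asks for: not "is MFA enabled" but "did it apply".
    """
    successes = [e for e in events if e["event"] == "login" and e["result"] == "success"]
    if not successes:
        return 0.0
    return sum(1 for e in successes if e["mfa"]) / len(successes)


def find_mfa_bypass_indicators(events):
    """Return a list of findings, each naming a user and the bypass route it suggests."""
    events = sorted(events, key=_ts)
    findings = []

    # (a) Successful logins with no second factor. Legacy protocols are the classic exception path.
    for e in events:
        if e["event"] == "login" and e["result"] == "success" and not e["mfa"]:
            route = "legacy_protocol" if e["protocol"] in LEGACY_PROTOCOLS else "mfa_not_enforced"
            findings.append({"user": e["user"], "indicator": route, "ts": e["ts"]})

    # (b) A burst of failures followed by a success: credential guessing that eventually got
    #     through. Even if MFA then held, the password itself is known and deserves a reset.
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            by_user[e["user"]].append(e)
    for user, logins in by_user.items():
        for i, e in enumerate(logins):
            if e["result"] != "success":
                continue
            recent_failures = [f for f in logins[:i]
                               if f["result"] == "failure" and _ts(e) - _ts(f) <= FAIL_WINDOW]
            if len(recent_failures) >= FAIL_THRESHOLD:
                findings.append({"user": user, "indicator": "failures_then_success",
                                 "ts": e["ts"], "failures": len(recent_failures)})

    # (c) Helpdesk MFA reset followed shortly by a login from an IP not seen earlier in the log:
    #     the recovery path, not the login page, is where the bypass happened.
    last_reset = {}
    seen_ips = defaultdict(set)
    for e in events:
        if e["event"] == "mfa_reset":
            last_reset[e["user"]] = _ts(e)
        elif e["event"] == "login" and e["result"] == "success":
            reset_at = last_reset.get(e["user"])
            if (reset_at is not None and _ts(e) - reset_at <= RESET_WINDOW
                    and e["ip"] not in seen_ips[e["user"]]):
                findings.append({"user": e["user"], "indicator": "reset_then_new_ip", "ts": e["ts"]})
            seen_ips[e["user"]].add(e["ip"])
    return findings


if __name__ == "__main__":
    print(f"MFA enforced on {mfa_enforcement_rate(SAMPLE_EVENTS):.0%} of successful logins")
    for finding in find_mfa_bypass_indicators(SAMPLE_EVENTS):
        print(finding)
```

On the constructed log this reports an enforcement rate of 60% and four findings: bob's IMAP login and erin's web login never saw a second factor, carol's success came after three failures inside the window, and dave logged in from an address not previously seen within an hour of a helpdesk reset. The "new IP" judgement in check (c) is relative to the log window supplied, so in production it should be fed a longer history of known addresses per user.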
Why zero trust matters for human and machine access alike
The article uses zero trust as a response to the fact that organisations can no longer assume users behave correctly every time they authenticate. That principle applies beyond people. Service accounts, API keys, and other non-human identities also operate in environments where access is often over-trusted once issued. Zero trust in this context means continuous verification of identity, context, and entitlement rather than assuming that a valid credential equals safe activity. For practitioners, the architectural lesson is that remote work exposed a broader access problem, not just an authentication problem.
Practical implication: extend zero trust controls to non-human identities and privileged workflows, not only to employee logins.
Threat narrative
Attacker objective: The attacker aims to turn weak identity controls into broad operational access, then use that access for theft, disruption, or long-dwell compromise.
- Entry begins with phishing, credential theft, or supply chain compromise that gives attackers a foothold in a remote-access-heavy environment.
- Escalation follows when stolen credentials, weak temporary passwords, or over-trusted access paths let attackers move into higher-value systems and accounts.
- Impact occurs when attackers exfiltrate data, disrupt operations through ransomware, or expand a compromise across partner and government environments.
Breaches seen in the wild
- LiteLLM PyPI package breach — LiteLLM PyPI supply chain attack, credentials stolen from users.
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Remote work turned identity into the primary control plane for security. Once users, devices, and support workflows moved outside the office, the old assumption that access could be safely mediated by network location stopped holding. That is an identity governance problem, not just a remote work problem. Practitioners should treat this as a structural shift in how access is validated and governed.
Passwords remained a behavioural failure point, not just a technical one. The article’s own data on password reuse shows that people knowingly continue unsafe practices even when they understand the risk. That means identity programmes cannot rely on awareness alone. The practical conclusion is that controls must be designed around predictable human workarounds, not ideal user behaviour.
Zero trust only works when it is applied across human and non-human access paths. Axiad’s framing around MFA and access verification applies just as much to service accounts and tokens as it does to employees. The discipline here is not simply stronger login security. It is recognising that all identities, human or machine, can become trust shortcuts if the programme does not continuously re-evaluate them.
Supply chain compromise made identity trust relationships visible. SolarWinds showed that a trusted software relationship can become an attack path with strategic reach. That matters for identity governance because third-party access, vendor credentials, and delegated trust are part of the same control problem as user authentication. Practitioners should re-evaluate where trust is inherited rather than explicitly enforced.
Identity resilience is now a board-level cyber resilience issue. The article connects remote work, regulatory pressure, ransomware, and major breaches into one operational picture. That is a reminder that identity control failures do not stay inside IAM teams. They become business continuity, compliance, and incident response problems very quickly.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most teams cannot confidently inventory the identities that remote work and cloud operations now depend on.
- For a broader threat view, see 52 NHI Breaches Analysis for the recurring patterns that turn identity exposure into real incidents.
What this signals
Identity visibility will matter more than perimeter recovery. Remote work and cloud adoption have left many programmes with a larger identity footprint than they can actually govern. Teams that still rely on point-in-time reviews are likely to miss the day-to-day drift that creates real exposure, especially where service accounts and shared access paths are involved.
Secrets sprawl is now a programme design issue, not a tooling issue. When credentials live in code, configuration files, and CI/CD tooling, the identity programme has to own the storage model as well as the access model. That is why lifecycle control, inventory discipline, and offboarding have to be treated as operational controls, not periodic hygiene tasks.
Security teams should prepare for more policy pressure around identity assurance. The combination of remote work, MFA expectations, and supply chain risk is pushing identity governance closer to board and audit oversight. For teams modernising their stack, the practical next step is to align controls with the NIST Cybersecurity Framework 2.0 and make identity assurance measurable.
For practitioners
- Eliminate password recovery shortcuts: Remove email-based temporary passwords and other recovery paths that assume users are inside a controlled office environment. Replace them with stronger verification steps that do not depend on the same channel being recovered.
- Treat MFA as a baseline, not an endpoint: Review where MFA is present but bypassable through legacy protocols, helpdesk resets, or weak exception handling. Measure whether the control actually blocks unauthorised access or only adds friction at login.
- Extend zero trust to non-human identities: Apply the same continuous verification discipline to service accounts, API keys, and tokens that you apply to employee identities. That includes reviewing entitlement scope, monitoring usage, and limiting standing access.
- Audit third-party trust chains: Map where vendor access, software update trust, and delegated administrative rights can become lateral movement paths. If the relationship changes, the access model should change with it.
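The "Why zero trust matters for human and machine access alike" section and the "Extend zero trust to non-human identities" item above make the same point: a valid credential is not the same as safe activity, for a service account just as for an employee. The following added example (not Axiad's or NHIMG's code) shows what that looks like as policy logic. Every request, human or non-human, is checked on the same record shape for entitlement scope, expected source, and credential age, and a second function reports entitlements an identity has not used recently so that standing access can be cut back. The identity inventory, policy limits, usage log and the fixed "now" are all constructed assumptions.

```python
"""Continuous verification of access requests for human and non-human identities.

Added example, not Axiad's or NHIMG's code. IDENTITIES, POLICY, USAGE_LOG and
NOW are constructed for illustration; no real product schema is implied.
"""
from datetime import datetime, timedelta

# Constructed inventory. Service accounts and people share one record shape so the
# same checks apply to both; only the policy limits differ by kind.
IDENTITIES = {
    "svc-billing-export": {
        "kind": "service",
        "entitlements": {"billing:read", "billing:export", "customers:write"},
        "allowed_sources": {"workload:billing-batch"},
        "credential_issued": "2020-09-15T00:00:00",
    },
    "svc-legacy-sync": {
        "kind": "service",
        "entitlements": {"sync:read"},
        "allowed_sources": {"workload:sync"},
        "credential_issued": "2020-01-10T00:00:00",   # never rotated: long-lived standing access
    },
    "alice": {
        "kind": "human",
        "entitlements": {"billing:read"},
        "allowed_sources": {"device:managed"},
        "credential_issued": "2020-10-20T00:00:00",
    },
}

# Assumed policy: service credentials rotate faster than user credentials, and an
# entitlement unused for 30 days is a candidate for removal.
POLICY = {
    "max_credential_age": {"service": timedelta(days=90), "human": timedelta(days=365)},
    "unused_entitlement_after": timedelta(days=30),
}

# Constructed usage records: which scopes each identity actually exercised, and when.
USAGE_LOG = [
    {"identity": "svc-billing-export", "scope": "billing:read", "ts": "2020-11-01T02:00:00"},
    {"identity": "svc-billing-export", "scope": "billing:export", "ts": "2020-11-01T02:05:00"},
    {"identity": "svc-billing-export", "scope": "customers:write", "ts": "2020-07-15T02:05:00"},
]

# Fixed clock so the example is reproducible (constructed).
NOW = datetime(2020, 11, 2, 12, 0, 0)


def evaluate_access(identity_id, scope, source, now=NOW, identities=IDENTITIES, policy=POLICY):
    """Decide a single request. Every check runs every time; possession of a valid
    credential is never sufficient on its own. Returns the decision and all reasons."""
    ident = identities.get(identity_id)
    if ident is None:
        return {"allow": False, "reasons": ["unknown_identity"]}
    reasons = []
    if scope not in ident["entitlements"]:
        reasons.append("scope_not_entitled")          # request exceeds granted entitlement
    if source not in ident["allowed_sources"]:
        reasons.append("unexpected_source")           # right credential, wrong context
    age = now - datetime.fromisoformat(ident["credential_issued"])
    if age > policy["max_credential_age"][ident["kind"]]:
        reasons.append("credential_expired")          # still technically valid, no longer trusted
    return {"allow": not reasons, "reasons": reasons}


def unused_entitlements(identity_id, usage_log=USAGE_LOG, now=NOW, identities=IDENTITIES, policy=POLICY):
    """Entitlements the identity holds but has not exercised within the window:
    standing access that least privilege says should be removed."""
    cutoff = now - policy["unused_entitlement_after"]
    used = {u["scope"] for u in usage_log
            if u["identity"] == identity_id and datetime.fromisoformat(u["ts"]) >= cutoff}
    return sorted(identities[identity_id]["entitlements"] - used)


if __name__ == "__main__":
    print(evaluate_access("svc-billing-export", "billing:export", "workload:billing-batch"))
    print(evaluate_access("svc-billing-export", "customers:write", "workload:unknown-ci"))
    print(evaluate_access("svc-legacy-sync", "sync:read", "workload:sync"))
    print(evaluate_access("alice", "billing:export", "device:managed"))
    print("unused:", unused_entitlements("svc-billing-export"))
```

Under the constructed data the billing export job is allowed from its own workload, the same credential used from an unexpected CI workload is refused on context alone, the legacy sync account is refused because its credential has outlived the service rotation limit even though nothing about the request is otherwise wrong, and alice is refused a scope she was never granted. The unused-entitlement report flags `customers:write` on the export account, which is exactly the over-scoped standing access the text warns about.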
Key takeaways
- 2020 showed that identity controls fail fastest when organisations extend access faster than they extend governance.
- The scale of password reuse, limited MFA adoption, and supply chain compromise made identity a frontline security issue rather than a supporting control.
- Practitioners should focus on continuous verification, stronger recovery workflows, and broader visibility into both human and non-human access paths.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Remote work and authentication depend on identity proofing and access control. |
| NIST Zero Trust (SP 800-207) | | The article explicitly frames zero trust as the answer to brittle trust assumptions. |
| NIST SP 800-63 | AAL2 | MFA adoption and password weakness are central to the authentication discussion. |
Use phishing-resistant authentication where possible and reduce dependence on password-only recovery paths.
Key terms
- Zero Trust Architecture: A security model that assumes no identity or device should be trusted by default. Access decisions are made continuously using context, policy, and verification rather than a one-time login event. In identity programmes, this shifts control away from static trust and toward ongoing evaluation of who or what is acting.
- Multi-Factor Authentication: An authentication method that requires more than one proof of identity before access is granted. It reduces the value of stolen passwords, but it does not solve weak recovery processes, bypassable workflows, or over-trusted access paths. Its effectiveness depends on enforcement and on the strength of the surrounding identity controls.
- Non-Human Identity: A digital identity used by software, services, workloads, or other non-person entities to authenticate and access systems. These identities often rely on secrets, tokens, certificates, or keys, and they can become high-risk when they are over-privileged, poorly inventoried, or left in place after the business need changes.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Axiad: The Major Cybersecurity Themes of 2020. Read the original.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org