TL;DR: Ransomware commonly begins with stolen credentials, then escalates through remote access paths and ends in encryption or extortion, according to Beyond Identity’s analysis of the Colonial Pipeline attack and related ransomware tactics. Removing passwords raises the bar, but durable defence still depends on phishing-resistant authentication and tighter access governance across human and non-human identities.
At a glance
What this is: This is a blog post arguing that passwordless authentication reduces ransomware entry points by removing the most common credential failure in remote access flows.
Why it matters: It matters because IAM and NHI teams still have to govern remote access, service credentials, and fallback authentication paths even when passwords disappear.
By the numbers:
- Ransomware victims paid hackers at least $350 million in cryptocurrency payments in 2020, a fourfold increase from the previous year.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
Context
Ransomware is not usually a single-step intrusion. It often starts with credential abuse against remote access and ends with encrypted systems, operational disruption, and extortion pressure. For IAM and NHI practitioners, the important question is not whether passwords are weak, but which access paths still allow stolen secrets, reused credentials, or weak secondary factors to become entry points.
The article uses the Colonial Pipeline incident to argue that passwordless authentication can reduce the likelihood of password-driven compromise. That framing is directionally sound, but it is incomplete for modern environments where service accounts, API keys, and machine-to-machine access create parallel trust paths. Typical enterprise starting points still depend on layered credentials rather than identity-bound controls.
Key questions
Q: How should security teams reduce ransomware risk from remote access credentials?
A: Security teams should remove passwords from high-risk remote access paths first, then require phishing-resistant authentication, strict device binding, and privileged access controls. The goal is to make stolen credentials unusable for administrative entry. This is most effective when paired with monitoring for unusual login locations, failed attempts, and rapid privilege escalation.
Q: What is the difference between passwordless authentication and full ransomware resistance?
A: Passwordless authentication removes a major initial access path, but it does not eliminate ransomware risk by itself. Attackers can still abuse weak recovery processes, compromised devices, overprivileged service accounts, and exposed API keys. Full resistance requires identity governance across both human and non-human identities, plus segmentation and fast containment.
Q: Why do non-human identities make ransomware defence harder?
A: Non-human identities create persistent access paths that are often less visible than user accounts and are frequently overprivileged or poorly rotated. If attackers steal a token, API key, or service account credential, they may bypass the user login controls entirely. That is why machine identity governance is part of ransomware defence.
Q: What should organisations prioritise after adopting passwordless login?
A: Organisations should next review recovery workflows, privilege boundaries, and secrets management. Passwordless login reduces one class of credential abuse, but attackers will shift to weaker links if those controls remain unchanged. The best next step is to align authentication changes with secrets rotation and least-privilege access.
Technical breakdown
How ransomware uses remote access credentials
The attack pattern described here is a credential-led intrusion chain. Attackers scan for exposed remote access services such as RDP or other administrative entry points, then try password spraying or brute force until one account works. Once they have access, they move into the environment, stage malware, and begin encrypting systems or exfiltrating data for extortion. The key architectural point is that the initial control failure is often authentication, not malware detection. In an environment where one valid credential can open a remote management path, the attacker does not need to exploit a software bug to get started.
Practical implication: reduce the number of externally reachable credentialed entry points and require phishing-resistant authentication on every remote access path.
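The monitoring the intrusion chain above calls for (many accounts failing from one source, one account hammered from one source, and the moment a guessed credential turns into a valid login) can be expressed as a small detector over authentication logs. This is an added example written for this post, not code from Beyond Identity or the original article; the log line format, the TEST-NET source addresses and the sample events are all constructed, and the thresholds are assumptions to tune per environment.

```python
"""Flag password spraying, brute force and the 'spray then valid login' pattern
in remote access authentication logs (added example; the log format and the
sample lines are constructed, not a real product's output)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: one authentication attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) service=(?P<service>\w+) src=(?P<src>[\d.]+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.7 sprays six accounts then logs in as one of
# them, 203.0.113.9 hammers a single admin account, 198.51.100.4 is a user
# who mistyped once (TEST-NET addresses throughout).
SAMPLE_LOG = (
    [f"2025-08-05T09:00:{i:02d}Z service=rdp src=203.0.113.7 user={u} result=FAIL"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "svc-backup"])]
    + ["2025-08-05T09:04:00Z service=rdp src=203.0.113.7 user=svc-backup result=OK"]
    + [f"2025-08-05T09:10:{i:02d}Z service=vpn src=203.0.113.9 user=administrator result=FAIL"
       for i in range(12)]
    + ["2025-08-05T09:20:00Z service=vpn src=198.51.100.4 user=frank result=FAIL",
       "2025-08-05T09:20:05Z service=vpn src=198.51.100.4 user=frank result=OK"]
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_credential_attacks(lines, window=timedelta(minutes=10),
                              spray_accounts=5, brute_attempts=10):
    """Sliding-window detection per source address (thresholds are assumed defaults).

    spray:               >= spray_accounts distinct accounts failing inside one window
    brute_force:         >= brute_attempts failures against one account in a window
    success_after_spray: a successful login from a source already flagged for spraying,
                         i.e. the point where a guessed credential became valid access
    """
    fails, oks = defaultdict(list), defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        (fails if event["result"] == "FAIL" else oks)[event["src"]].append(event)

    findings = []
    for src, events in fails.items():
        events.sort(key=lambda e: e["ts"])
        reported = set()
        for i, start in enumerate(events):
            in_window = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            per_user = defaultdict(int)
            for e in in_window:
                per_user[e["user"]] += 1
            if len(per_user) >= spray_accounts and "spray" not in reported:
                reported.add("spray")
                findings.append({"type": "spray", "src": src, "service": start["service"],
                                 "accounts": len(per_user), "attempts": len(in_window),
                                 "first_seen": start["ts"]})
                later_ok = sorted({o["user"] for o in oks[src] if o["ts"] >= start["ts"]})
                if later_ok:
                    findings.append({"type": "success_after_spray", "src": src,
                                     "users": later_ok})
            for user, n in per_user.items():
                if n >= brute_attempts and ("brute", user) not in reported:
                    reported.add(("brute", user))
                    findings.append({"type": "brute_force", "src": src, "user": user,
                                     "attempts": n, "first_seen": start["ts"]})
    return findings


if __name__ == "__main__":
    for finding in detect_credential_attacks(SAMPLE_LOG):
        print(finding)
```

The `success_after_spray` finding is the one to page on: it marks the transition from noise to a usable foothold, which is exactly where the chain described above moves from authentication failure to intrusion.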
Why passwordless MFA changes the threat model
Passwordless MFA removes the shared secret from the authentication transaction, which means there is no password to brute force, spray, or phish in the normal sense. That does not eliminate identity risk, because the device, registration, recovery, and session layers still need to be trusted. The point is to shift the attacker’s work from stealing or guessing a reusable secret to defeating a stronger binding between the user, device, and authenticator. For ransomware, that is a material change because large-scale credential harvesting becomes less effective against exposed administrative interfaces.
Practical implication: treat passwordless adoption as an authentication redesign, not as a complete ransomware control.
Why non-human identities still matter after passwords disappear
Passwords are only one part of the access problem. Many ransomware and extortion campaigns rely on non-human identities such as API keys, service accounts, tokens, and cloud credentials that persist outside the human login flow. Those secrets often sit in code, CI/CD systems, scripts, or shared vaults, which means a passwordless user journey can coexist with very fragile machine identity governance. If these credentials are long-lived or overprivileged, an attacker can still reach the same outcome through a different doorway. That is why NHI governance must be part of ransomware preparedness, not a separate program.
Practical implication: inventory and rotate machine credentials with the same urgency as user authentication changes.
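The inventory-and-rotate step above is easiest to make routine when the machine credential inventory is data that a script can audit. The block below is an added example for this post, not code from the article or from any vendor; the inventory records, the rotation and dormancy thresholds and the "unsafe location" list are constructed assumptions standing in for whatever a real secrets inventory exports.

```python
"""Audit an inventory of machine credentials for rotation age, dormancy,
storage location and ownership (added example; the inventory is constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

ROTATE_AFTER = timedelta(days=90)    # assumed policy: rotate long-lived secrets quarterly
DORMANT_AFTER = timedelta(days=30)   # assumed policy: unused for a month -> revoke candidate
UNSAFE_LOCATIONS = {"repo", "env_file", "script"}  # secret material sits outside a vault


@dataclass
class MachineCredential:
    name: str
    kind: str                 # api_key, service_account, token, certificate
    owner: str                # responsible team; "" means nobody owns it
    created: date
    last_used: Optional[date]
    privileged: bool          # can reach production or administrative scope
    location: str             # vault, ci_variable, repo, env_file, script


def audit_inventory(creds: List[MachineCredential], today: date):
    """Return one finding per credential with issues, highest priority first.
    Each issue is 'action:reason' so it maps directly to a remediation ticket."""
    findings = []
    for c in creds:
        issues = []
        if today - c.created > ROTATE_AFTER:
            issues.append("rotate:age-over-90d")
        if c.last_used is None or today - c.last_used > DORMANT_AFTER:
            issues.append("revoke:dormant")
        if c.location in UNSAFE_LOCATIONS:
            issues.append("move-to-vault:hardcoded")
        if not c.owner:
            issues.append("assign-owner:unowned")
        if issues:
            # Privileged credentials with the same issues jump the queue: they are
            # the ones that turn a foothold into a full-environment event.
            priority = len(issues) + (3 if c.privileged else 0)
            findings.append({"name": c.name, "kind": c.kind,
                             "priority": priority, "issues": issues})
    return sorted(findings, key=lambda f: (-f["priority"], f["name"]))


TODAY = date(2025, 8, 5)   # fixed so the sample output is reproducible
SAMPLE_INVENTORY = [   # constructed records
    MachineCredential("ci-deploy-key", "api_key", "platform",
                      TODAY - timedelta(days=200), TODAY - timedelta(days=1), True, "ci_variable"),
    MachineCredential("legacy-backup-token", "token", "",
                      TODAY - timedelta(days=400), TODAY - timedelta(days=120), True, "script"),
    MachineCredential("metrics-reader", "service_account", "sre",
                      TODAY - timedelta(days=30), TODAY - timedelta(days=2), False, "vault"),
    MachineCredential("analytics-env-key", "api_key", "data",
                      TODAY - timedelta(days=10), TODAY - timedelta(days=3), False, "env_file"),
]

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY, TODAY):
        print(f["priority"], f["name"], ", ".join(f["issues"]))
```

Run against the sample, the unowned, dormant, script-embedded privileged token lands at the top of the list, which is the ordering a ransomware-focused review wants: the credential nobody would notice being used is the one to revoke first.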
Threat narrative
Attacker objective: The attacker wants to gain reliable access with minimal effort, then encrypt systems or steal data to force payment.
- Entry via exposed remote access services protected by weak or reused passwords, which attackers can discover through automated scanning and brute force.
- Escalation after valid credentials are obtained, allowing the adversary to enter the network and deploy ransomware tooling or sell access onward.
- Impact through encryption and extortion, often paired with data theft to increase pressure on the victim to pay.
Breaches seen in the wild
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
- 230M AWS environment compromise — 230M AWS environments compromised via exposed .env files with cloud credentials.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Passwords are the easiest ransomware control to explain and the least complete one to rely on. Removing passwords reduces one of the oldest intrusion paths, but ransomware teams now chain access across remote access services, recovery flows, and machine credentials. The discipline problem is that many organisations still treat authentication as a user issue instead of a cross-identity governance problem. Practitioners should treat password removal as necessary, not sufficient.
Ephemeral authentication only works when identity binding is durable. Passwordless MFA can shrink the attack surface, but if device enrolment, account recovery, or service credential sprawl remain weak, attackers will pivot to the softer layer. That is the core trust gap in modern identity programmes: the front door gets stronger while the side doors stay open. Practitioners should examine whether their strongest auth path is undermined by weaker recovery and machine access paths.
Identity blast radius is the real ransomware metric. The question is no longer whether a password was stolen, but how far that credential can travel once it is used. Remote access, lateral movement, and cloud privilege all determine whether a single foothold becomes a full-environment event. Practitioners should prioritise controls that limit reach after compromise, not just controls that make initial compromise harder.
Passwordless is a control pattern, not a ransomware strategy. Organisations that adopt it without revisiting privileged access, secrets rotation, and service account governance will still carry material exposure. The market often frames authentication as the solution, but the operational reality is that credentialless user login and weak NHI controls can coexist. Practitioners should align passwordless programmes with broader identity lifecycle governance.
Ransomware resilience now depends on both human and non-human identity governance. The article focuses on user authentication, but the same attacker logic applies to API keys, automation tokens, and service accounts. If those identities remain overprivileged or unrotated, they become the next compromise path. Practitioners should manage identity as a portfolio of trust relationships, not as separate human and machine silos.
From our research:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- That is why the 52 NHI Breaches Analysis matters for readers who need breach patterns, not theory.
What this signals
Passwordless authentication should be treated as one control in a broader identity risk reduction programme, not as the endpoint. The structural issue is that ransomware operators increasingly succeed by moving laterally through identity pathways that were never designed for autonomous or machine-mediated access. When remote access is hardened, the next pressure point is usually the exposed service credential.
Identity blast radius: the maximum amount of access a compromised credential can unlock before containment. That concept is becoming more important than whether an organisation uses MFA or passwordless login, because ransomware impact depends on reach as much as entry. Teams should measure blast radius across user, service, and automation identities, then reduce it with segmentation and just-in-time privilege.
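Blast radius as defined above can be measured rather than estimated by walking the standing trust relationships from a compromised credential. The following is an added example for this post, not code from the article; the trust graph is constructed (a password login to a VPN, a jump host with an API key in a backup script, a role with a standing database grant, and a token left in a backup), and the "hardening" is modelled simply as deleting a standing hop, for instance after moving that secret behind a just-in-time grant.

```python
"""Measure identity blast radius: which systems a single compromised credential
can reach through standing trust, and how much one hardening step shrinks that set
(added example; the trust graph is constructed, not taken from any real estate)."""
from collections import deque

# Constructed trust graph: node -> [(next node, how the hop is made)].
# 'cred:' nodes are secrets; everything else is a system, role or account.
TRUST_GRAPH = {
    "cred:alice-password": [("vpn", "password login")],
    "vpn": [("jump-host", "RDP allowed from VPN subnet")],
    "jump-host": [("cred:svc-backup-key", "API key embedded in backup script"),
                  ("file-share", "domain user access")],
    "cred:svc-backup-key": [("role:backup-admin", "API authentication")],
    "role:backup-admin": [("prod-db", "standing DB admin grant"),
                          ("backup-bucket", "bucket read/write")],
    "backup-bucket": [("cred:cloud-admin-token", "token inside an old backup")],
    "cred:cloud-admin-token": [("cloud-account", "admin API")],
    "file-share": [],
    "prod-db": [],
    "cloud-account": [],
}


def blast_radius(graph, start):
    """Breadth-first walk from a compromised node. Returns {node: path}, where
    path lists the hops that chain from the foothold to that node."""
    reached = {start: []}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt, how in graph.get(node, []):
            if nxt not in reached:
                reached[nxt] = reached[node] + [f"{node} -> {nxt} ({how})"]
                queue.append(nxt)
    return reached


def systems_reached(graph, start):
    """Non-credential nodes reachable from start (start itself is a credential)."""
    return {n for n in blast_radius(graph, start) if not n.startswith("cred:")}


def without_standing_access(graph, removed):
    """Copy of graph with the given (src, dst) hops deleted, modelling a secret
    moved behind a just-in-time grant or a segmentation rule between two systems."""
    return {n: [(d, h) for d, h in edges if (n, d) not in removed]
            for n, edges in graph.items()}


def reduction_report(graph, start, removed):
    """Before/after count of reachable systems for a proposed set of removed hops."""
    before = systems_reached(graph, start)
    after = systems_reached(without_standing_access(graph, removed), start)
    return {"before": len(before), "after": len(after),
            "no_longer_reachable": sorted(before - after)}


if __name__ == "__main__":
    start = "cred:alice-password"
    for node, path in blast_radius(TRUST_GRAPH, start).items():
        print(node, "<-", " | ".join(path) or "(foothold)")
    print(reduction_report(TRUST_GRAPH, start,
                           {("jump-host", "cred:svc-backup-key")}))
```

On the sample graph one stolen user password reaches seven systems, including the cloud account, because each hop is standing access. Removing the single hop from the jump host to the embedded backup key (the kind of machine credential the page says gets ignored) cuts that to three, while fixing only the token in the backup removes one; comparing candidate hardening steps this way is how to spend effort on reach rather than only on entry.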
NHI governance now belongs in ransomware preparedness playbooks because machine credentials remain a parallel attack surface. Our research shows that 80% of identity breaches involve compromised non-human identities, which means password-centric defence strategies leave a large part of the environment exposed. Practitioners should align authentication, secrets governance, and access reviews so the control set matches the threat model.
For practitioners
- Replace password-based remote access with phishing-resistant auth: Prioritise remote administration paths first, then enforce strong device-bound authentication for VPN, RDP, and cloud consoles. Remove SMS and other weak fallback factors from any path that can reach production systems.
- Map every recovery and fallback path: Review enrollment, reset, and help-desk procedures because attackers often target the weakest recovery route after passwordless rollout. Ensure recovery requires stronger proof than the primary login path.
- Inventory machine credentials alongside user access: Track service accounts, API keys, tokens, and certificates as first-class identities. Rotate long-lived secrets and eliminate hardcoded credentials in code, CI/CD pipelines, and automation scripts.
- Limit blast radius with privileged access controls: Use least privilege, just-in-time elevation, and segmenting controls so a single valid credential cannot traverse broad administrative paths. Pair access reviews with alerts on unusual authentication patterns.
Key takeaways
- Passwordless authentication reduces one of ransomware's most common entry paths, but it does not eliminate identity-driven intrusion risk.
- Machine credentials remain a major exposure because service accounts, API keys, and tokens can bypass user-focused controls.
- Ransomware resilience improves when authentication hardening is paired with privileged access control, secrets rotation, and blast-radius reduction.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential rotation and removal directly address ransomware paths through stale secrets. |
| NIST CSF 2.0 | PR.AC-1 | Strong authentication for remote access aligns with access control expectations. |
| NIST Zero Trust (SP 800-207) | | Zero trust limits how far a compromised credential can move after initial entry. |
Apply continuous verification and least privilege to shrink the blast radius of any credential compromise.
Key terms
- Passwordless Authentication: An authentication approach that removes the password from the login process and relies on stronger factors such as device binding and cryptographic proof. In practice, it reduces phishing and brute-force exposure, but only if recovery, enrollment, and session controls are also hardened.
- Ransomware-as-a-Service: A criminal operating model where ransomware developers provide tooling, infrastructure, and support to affiliates who carry out attacks. This model lowers the barrier to entry for attackers and increases scale, making identity-based entry points more attractive and more frequently targeted.
- Non-Human Identity: A digital identity used by software rather than a person, including service accounts, API keys, tokens, certificates, bots, and AI agents. These identities often hold persistent permissions and can become high-value ransomware targets when they are overprivileged or poorly rotated.
Deepen your knowledge
Passwordless authentication and NHI governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are modernising remote access and machine identity controls at the same time, it is worth exploring.
This post draws on content published by Beyond Identity: How Can Eliminating Passwords Help Prevent Ransomware? Read the original.
Published by the NHIMG editorial team on 2025-08-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org