TL;DR: The Stryker incident underscores how destructive attacks can escalate when passwords, standing privilege, and legacy authentication still exist somewhere in the enterprise, according to Secret Double Octopus and related CISA guidance. Comprehensive passwordless coverage matters because partial adoption leaves the same trusted pathways attackers can abuse.
At a glance
What this is: This is an analysis of how identity-led attacks become destructive when passwordless MFA is incomplete and legacy access paths remain.
Why it matters: It matters because IAM teams must close every password-backed and standing-privilege path, or a single compromised identity can still become enterprise-wide disruption.
By the numbers:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
👉 Read Secret Double Octopus' analysis of passwordless MFA coverage gaps in the enterprise
Context
Passwordless MFA only reduces risk if it covers every meaningful access path, not just the easiest ones to modernize. In many enterprises, the real weakness is not the absence of MFA everywhere, but the persistence of passwords, standing privilege, and legacy authentication in a few high-value workflows that attackers know how to target.
The Stryker reporting is a reminder that identity-led attacks often become destructive after entry, when admin control planes and remote management tools are still trusted by design. For IAM and PAM programmes, the question is no longer whether passwordless exists in the environment, but whether the old authentication model still survives in the places that matter most.
Key questions
Q: How should security teams close passwordless MFA coverage gaps in mixed environments?
A: Start by inventorying every access path that still accepts passwords, including VPN, legacy applications, remote admin tools, and on-prem workflows. Then phase out fallback credentials where the business impact is highest. Passwordless only reduces risk when it covers the full identity path, not just the newest applications.
Q: Why do standing admin rights make identity-led attacks so much worse?
A: Because once an attacker compromises an identity that already has persistent privilege, they can act immediately inside trusted management planes. That turns authentication failure into operational abuse. JIT and Zero Standing Privilege reduce the time and scope available for destructive actions.
Q: What breaks when legacy authentication remains in privileged workflows?
A: Legacy authentication creates a back door into the same systems that passwordless programmes are meant to protect. If admin workflows, remote support, or device management still depend on brittle credential flows, attackers only need one weak path to reach high-impact actions.
Q: Who is accountable when a compromised identity is used to trigger destructive admin actions?
A: Accountability sits with the teams that own authentication coverage, privileged access governance, and the control plane that allowed the destructive action. In practice, that usually means IAM, PAM, infrastructure, and security operations must share responsibility for closing the gap.
Technical breakdown
Why partial passwordless coverage still leaves exploitable identity paths
Passwordless MFA only removes risk where it fully replaces user-managed secrets. If a VPN, privileged workflow, legacy application, or on-prem administrative path still accepts a password fallback, attackers can pivot into the same identity plane through the weakest remaining route. The core failure is not MFA itself, but inconsistent policy enforcement across heterogeneous systems. In mixed estates, the result is a modern access layer sitting above legacy authentication logic that still trusts what can be phished, guessed, or reused.
Practical implication: inventory every password-backed path and treat any fallback as an attack path, not a temporary exception.
How standing privilege turns authenticated access into destructive reach
Standing privilege gives a compromised identity immediate operational power. Once an attacker inherits a trusted administrative pathway, remote tools, device management consoles, and automation hooks can be repurposed for wiping, disabling, or exfiltrating at scale. In IAM terms, the issue is not only authentication but the duration and scope of the resulting authority. Zero Standing Privilege and JIT access matter here because they shorten the time window in which a stolen identity can perform irreversible actions.
Practical implication: remove persistent admin rights from workflows that can trigger destructive actions and require task-scoped elevation instead.
Why legacy and remote management workflows amplify blast radius
Legacy and remote administration channels often bypass the strongest authentication controls because they were designed for continuity, not hostile conditions. Once an attacker lands in a trusted admin plane, the blast radius expands quickly because the tooling is already positioned to affect many endpoints or services at once. This is where passwordless strategy meets operational reality: if the high-impact workflows are still tied to brittle credential-based access, the organisation has not eliminated the attack surface, only moved it.
Practical implication: prioritise the identity controls around remote administration and management tooling before you call the environment passwordless.
Threat narrative
Attacker objective: The attacker’s objective is to convert initial identity compromise into enterprise-wide disruption by abusing trusted administrative access.
- Entry occurs through a compromised identity path that still allows password-backed or weakly protected access into a trusted environment. Escalation follows when the attacker reaches administrative control planes or remote management tools that were intended for legitimate operations. Impact occurs when those trusted pathways are turned into destructive actions such as wiping systems, disabling services, or stealing data at scale.
Breaches seen in the wild
- MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Passwordless coverage gaps are a governance failure, not a point solution gap. The problem is not whether an organisation has deployed passwordless in some applications. The problem is whether any high-value access path still depends on passwords, fallback flows, or legacy authentication that can be abused to reach privileged systems. That is a programme-level governance issue, not a feature issue. Practitioners should treat residual password dependence as an attack surface that still needs closure.
Standing privilege is the real multiplier in identity-led destructive attacks. Authentication gets the attacker through the door, but persistent administrative authority determines how far the incident spreads. When remote management and privileged workflows remain permanently available, the environment is already assuming the next user is trusted. That assumption is brittle in hostile conditions, and it is why JIT and ZSP remain central to identity resilience.
Legacy administrative tooling creates a hidden trust hierarchy inside modern identity programmes. Organisations often modernise the user login experience while leaving device management, VPN access, and on-prem admin paths untouched. Those older channels become the preferred route for attackers because they are both powerful and under-governed. The implication is clear: passwordless strategy must be measured by the weakest remaining workflow, not the newest one.
Coverage across human IAM, PAM, and NHI controls is what closes the destructive path. This kind of incident rarely respects programme boundaries. Human authentication, privileged access, service account handling, and remote automation all sit in the same blast radius once attackers inherit trusted control planes. Teams that manage these domains separately will miss the compound risk that turns an intrusion into a wipe event.
From our research:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most identity programmes still lack a complete view of machine access.
- That visibility gap is one reason to review 52 NHI Breaches Analysis alongside passwordless coverage and privileged access controls.
What this signals
Passwordless coverage will increasingly be judged by exception handling. Teams will need to show that legacy systems, remote administration, and privileged workflows are not exempted from the modern authentication model. The practical test is whether the weakest access path has been removed, not whether the newest one has been modernized.
Standing privilege is becoming the clearest indicator of residual destructive risk. If admin authority remains always-on, identity-led compromise can still become a wipe event or a data-theft event with very little friction. The next maturity step is less about adding more MFA and more about eliminating persistent authority where it matters most.
For practitioners
- Audit every password fallback path Map desktop login, VPN, SaaS, legacy apps, and admin consoles to identify where passwords still remain in the access chain. Treat each fallback as a live compromise path, not a transitional convenience.
- Convert privileged workflows to task-scoped elevation Replace standing administrative access with just-in-time approval and time-bound elevation for device control, remote administration, and mass-change actions. Prioritise workflows that can trigger destructive operations.
- Harden remote management and control planes Separate administrative control paths from routine user access, require phishing-resistant authentication, and add automated lockouts for mass-change or wipe-like behaviour. The aim is to reduce the chance that trusted tooling becomes an attacker force multiplier.
Key takeaways
- The core lesson is that partial passwordless adoption leaves the same identity risks in place wherever passwords and fallback flows still exist.
- The evidence from identity research shows that compromised machine identities and poor visibility remain widespread, which compounds the impact of privileged-access failures.
- Teams should measure success by the disappearance of standing privilege and password-backed admin paths, not by the number of apps that support modern login.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207), NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Authentication gaps and fallback paths sit squarely in access control governance. |
| NIST Zero Trust (SP 800-207) | 3.1 | The article centres on continuous verification and removing implicit trust in admin paths. |
| NIST SP 800-53 Rev 5 | IA-2 | IA-2 governs identification and authentication for users, including privileged access entry points. |
| CIS Controls v8 | CIS-6 , Access Control Management | Access control management is directly challenged by standing privilege and legacy access paths. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0004 , Privilege Escalation; TA0040 , Impact | The article describes identity compromise leading to destructive abuse and impact. |
Require phishing-resistant authentication on all administrative entry points and eliminate password fallbacks.
Key terms
- Passwordless MFA: An authentication approach that removes user-entered passwords and relies on stronger factors or cryptographic methods. In practice, it only reduces risk when every meaningful access path uses the same standard, including VPN, legacy apps, privileged workflows, and remote administration channels.
- Standing Privilege: Persistent elevated access that remains available beyond the exact moment it is needed. In identity programmes, it expands the blast radius of a compromise because an attacker who obtains the account can act immediately without waiting for approval or time-bound elevation.
- Legacy Authentication Fallback: Any older sign-in or access method that remains available after an organisation adopts a modern authentication model. These fallbacks often survive in remote access, on-prem systems, and admin tooling, creating weak points that attackers can target even when newer apps are protected.
- Remote Management Plane: The control layer used to administer devices, systems, or fleets from a distance. It is high value because it can affect many assets quickly, which makes it a common escalation target when attackers inherit trusted administrative access.
What's in the full article
Secret Double Octopus' full article covers the operational detail this post intentionally leaves for the source:
- How passwordless MFA extends across desktop login, web apps, VPN, legacy applications, and privileged workflows.
- Why backend ephemeral tokens matter for non-SAML and legacy environments that still need secure access.
- The specific enterprise coverage gaps that leave modern authentication as only a partial control.
- The vendor's implementation framing for replacing user-facing passwords without rebuilding the application stack.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-03-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org