Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Passwordless MFA coverage gaps: what identity teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: The Stryker incident underscores how destructive attacks can escalate when passwords, standing privilege, and legacy authentication still exist somewhere in the enterprise, according to Secret Double Octopus and related CISA guidance. Comprehensive passwordless coverage matters because partial adoption leaves the same trusted pathways attackers can abuse.

NHIMG editorial — based on content published by Secret Double Octopus: The Stryker/Handala Wake-Up Call: Passwordless MFA Has to Cover the Entire Enterprise

By the numbers:

Questions worth separating out

Q: How should security teams close passwordless MFA coverage gaps in mixed environments?

A: Start by inventorying every access path that still accepts passwords, including VPN, legacy applications, remote admin tools, and on-prem workflows.

Q: Why do standing admin rights make identity-led attacks so much worse?

A: Because once an attacker compromises an identity that already has persistent privilege, they can act immediately inside trusted management planes.

Q: What breaks when legacy authentication remains in privileged workflows?

A: Legacy authentication creates a back door into the same systems that passwordless programmes are meant to protect.

Practitioner guidance

What's in the full article

Secret Double Octopus' full article covers the operational detail this post intentionally leaves for the source:

  • How passwordless MFA extends across desktop login, web apps, VPN, legacy applications, and privileged workflows.
  • Why backend ephemeral tokens matter for non-SAML and legacy environments that still need secure access.
  • The specific enterprise coverage gaps that leave modern authentication as only a partial control.
  • The vendor's implementation framing for replacing user-facing passwords without rebuilding the application stack.

👉 Read Secret Double Octopus' analysis of passwordless MFA coverage gaps in the enterprise →

Passwordless MFA coverage gaps: what identity teams are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Passwordless coverage gaps are a governance failure, not a point solution gap. The problem is not whether an organisation has deployed passwordless in some applications. The problem is whether any high-value access path still depends on passwords, fallback flows, or legacy authentication that can be abused to reach privileged systems. That is a programme-level governance issue, not a feature issue. Practitioners should treat residual password dependence as an attack surface that still needs closure.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most identity programmes still lack a complete view of machine access.

A question worth separating out:

Q: Who is accountable when a compromised identity is used to trigger destructive admin actions?

A: Accountability sits with the teams that own authentication coverage, privileged access governance, and the control plane that allowed the destructive action. In practice, that usually means IAM, PAM, infrastructure, and security operations must share responsibility for closing the gap.

👉 Read our full editorial: Passwordless MFA fails when legacy identity paths still remain



   
ReplyQuote
Share: