TL;DR: The Stryker incident underscores how destructive attacks can escalate when passwords, standing privilege, and legacy authentication still exist somewhere in the enterprise, according to Secret Double Octopus and related CISA guidance. Comprehensive passwordless coverage matters because partial adoption leaves the same trusted pathways attackers can abuse.
NHIMG editorial — based on content published by Secret Double Octopus: The Stryker/Handala Wake-Up Call: Passwordless MFA Has to Cover the Entire Enterprise
By the numbers:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
Questions worth separating out
Q: How should security teams close passwordless MFA coverage gaps in mixed environments?
A: Start by inventorying every access path that still accepts passwords, including VPN, legacy applications, remote admin tools, and on-prem workflows.
Q: Why do standing admin rights make identity-led attacks so much worse?
A: Because once an attacker compromises an identity that already has persistent privilege, they can act immediately inside trusted management planes.
Q: What breaks when legacy authentication remains in privileged workflows?
A: Legacy authentication creates a back door into the same systems that passwordless programmes are meant to protect.
Practitioner guidance
- Audit every password fallback path Map desktop login, VPN, SaaS, legacy apps, and admin consoles to identify where passwords still remain in the access chain.
- Convert privileged workflows to task-scoped elevation Replace standing administrative access with just-in-time approval and time-bound elevation for device control, remote administration, and mass-change actions.
- Harden remote management and control planes Separate administrative control paths from routine user access, require phishing-resistant authentication, and add automated lockouts for mass-change or wipe-like behaviour.
What's in the full article
Secret Double Octopus' full article covers the operational detail this post intentionally leaves for the source:
- How passwordless MFA extends across desktop login, web apps, VPN, legacy applications, and privileged workflows.
- Why backend ephemeral tokens matter for non-SAML and legacy environments that still need secure access.
- The specific enterprise coverage gaps that leave modern authentication as only a partial control.
- The vendor's implementation framing for replacing user-facing passwords without rebuilding the application stack.
👉 Read Secret Double Octopus' analysis of passwordless MFA coverage gaps in the enterprise →
Passwordless MFA coverage gaps: what identity teams are missing?
Explore further
Passwordless coverage gaps are a governance failure, not a point solution gap. The problem is not whether an organisation has deployed passwordless in some applications. The problem is whether any high-value access path still depends on passwords, fallback flows, or legacy authentication that can be abused to reach privileged systems. That is a programme-level governance issue, not a feature issue. Practitioners should treat residual password dependence as an attack surface that still needs closure.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most identity programmes still lack a complete view of machine access.
A question worth separating out:
Q: Who is accountable when a compromised identity is used to trigger destructive admin actions?
A: Accountability sits with the teams that own authentication coverage, privileged access governance, and the control plane that allowed the destructive action. In practice, that usually means IAM, PAM, infrastructure, and security operations must share responsibility for closing the gap.
👉 Read our full editorial: Passwordless MFA fails when legacy identity paths still remain