Kaseya VSA became the target of REvil’s supply chain ransomware attack when a malicious software update reached 1,500 organizations through their trusted remote-monitoring platform. The attackers did not stop at the initial zero-day execution. They harvested administrative accounts and reused them across MSP consoles and downstream customer networks, encrypting systems during a holiday weekend.

The average cost of comparable incidents now sits at $4.44 million according to IBM’s 2025 Cost of a Data Breach Report. Yet the larger damage came from what happened after the first foothold: stolen credentials allowed lateral movement without further exploits because authentication remained portable and reusable.

Why Harvested Credentials Enabled Rapid Lateral Movement

Once inside Kaseya VSA consoles, operators enumerated administrative accounts that relied on SMS codes, TOTP apps, or push notifications. These methods produced secrets or tokens that worked from any location. Because the platform connected managed service providers to hundreds of client environments, one set of extracted credentials granted reach into multiple networks. Centralized stores of hashes and session tokens became high-value targets; extracting them once delivered persistent access across tenants.

The 241-day average detection window reported by IBM shows how reusable credentials extend dwell time. Attackers cleared the initial authentication step and then operated with legitimate-looking sessions, pushing ransomware before defenders could isolate the intrusion.

Device-Bound Public-Key Credentials Change the Outcome

MFA 2.0 replaces shared secrets with public-key cryptography. Each registered device holds a private key that never leaves hardware; the corresponding public key resides with the identity provider. When an account attempts administrative actions, the server issues a cryptographic challenge that only the legitimate device can answer. No password or one-time code travels over the network, so there is nothing to phish, intercept, or replay.
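A minimal model of the challenge-response flow described above, added here as an illustration; it is not code from the article or from any MFA 2.0 product. It uses Go's standard-library ECDSA on P-256. The device, the identity provider, the account name `msp-admin` and the relying-party identifiers are all constructed for the demo, and the private key lives in process memory here, whereas the paragraph assumes it stays in hardware. Two details go slightly beyond the paragraph: the signed message also binds the relying-party identifier, so an assertion minted for one service is not accepted by another, and every challenge is single-use, which is what makes a captured assertion worthless on replay.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Device models an authenticator whose private key never leaves it.
// Illustrative only: a real authenticator keeps the key in a secure element.
type Device struct{ priv *ecdsa.PrivateKey }

// NewDevice generates a fresh P-256 key pair on the device at enrollment.
func NewDevice() *Device {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // entropy failure; nothing sensible to do in a demo
	}
	return &Device{priv: priv}
}

// Assertion is the device's answer to one challenge.
type Assertion struct {
	Account   string
	Challenge []byte
	Signature []byte // ASN.1 DER ECDSA signature over sha256(rpID || challenge)
}

// signedMessage binds the challenge to the relying party, so an assertion
// minted for one service cannot be presented to another.
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign answers a challenge; the private key is used but never exported.
func (d *Device) Sign(account, rpID string, challenge []byte) Assertion {
	sig, err := ecdsa.SignASN1(rand.Reader, d.priv, signedMessage(rpID, challenge))
	if err != nil {
		panic(err)
	}
	return Assertion{Account: account, Challenge: challenge, Signature: sig}
}

// IdentityProvider stores public keys only: a dump of its store yields
// nothing an attacker can authenticate with. Challenges are single-use.
type IdentityProvider struct {
	rpID    string
	pubKeys map[string]*ecdsa.PublicKey // account -> registered device key
	pending map[string]bool             // issued, not-yet-consumed challenges
}

func NewIdentityProvider(rpID string) *IdentityProvider {
	return &IdentityProvider{rpID: rpID, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string]bool{}}
}

// Register binds a device's public key to an account at onboarding.
func (idp *IdentityProvider) Register(account string, d *Device) { idp.pubKeys[account] = &d.priv.PublicKey }

// Challenge issues 32 random bytes and remembers them for exactly one use.
func (idp *IdentityProvider) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	idp.pending[string(c)] = true
	return c
}

// Verify accepts an assertion only if the challenge was issued here and is
// unused, and the signature verifies under the account's registered key.
func (idp *IdentityProvider) Verify(a Assertion) bool {
	if !idp.pending[string(a.Challenge)] {
		return false // unknown or already-consumed challenge: a replay
	}
	delete(idp.pending, string(a.Challenge)) // consume first: one challenge, one attempt
	pub, ok := idp.pubKeys[a.Account]
	return ok && ecdsa.VerifyASN1(pub, signedMessage(idp.rpID, a.Challenge), a.Signature)
}

// setup enrolls one constructed device for the constructed account msp-admin.
func setup(rpID string) (*IdentityProvider, *Device) {
	idp, dev := NewIdentityProvider(rpID), NewDevice()
	idp.Register("msp-admin", dev)
	return idp, dev
}

// LegitimateLogin: the enrolled device answers a fresh challenge.
func LegitimateLogin() bool {
	idp, dev := setup("vsa.example.test")
	return idp.Verify(dev.Sign("msp-admin", idp.rpID, idp.Challenge()))
}

// ReplayRejected: an assertion captured on the wire is worthless a second time.
func ReplayRejected() bool {
	idp, dev := setup("vsa.example.test")
	captured := dev.Sign("msp-admin", idp.rpID, idp.Challenge())
	return idp.Verify(captured) && !idp.Verify(captured)
}

// StolenStoreUseless: an attacker holding the IdP's store (public keys only)
// must answer a fresh challenge with a private key they do not have.
func StolenStoreUseless() bool {
	idp, _ := setup("vsa.example.test")
	forged := NewDevice().Sign("msp-admin", idp.rpID, idp.Challenge())
	return !idp.Verify(forged)
}

// CrossServiceRejected: an assertion signed for one relying party does not
// verify at another, even for the same device and account.
func CrossServiceRejected() bool {
	idp, dev := setup("client-vpn.example.test")
	return !idp.Verify(dev.Sign("msp-admin", "vsa.example.test", idp.Challenge()))
}

func main() {
	fmt.Println("login:", LegitimateLogin(), "replay rejected:", ReplayRejected(),
		"stolen store useless:", StolenStoreUseless(), "cross-service rejected:", CrossServiceRejected())
}
```

The order inside `Verify` matters: the challenge is deleted before the signature is checked, so a failed attempt also burns the challenge and an attacker cannot keep retrying against the same nonce. Note what the identity provider's store contains after this runs: public keys and nothing else, which is the "no central credential database" property the article relies on.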

In the Kaseya incident, this approach would have blocked lateral movement after the zero-day delivered code execution. Attackers would have lacked the hardware-bound private keys required to authenticate to MSP consoles or pivot into client environments. Authentication becomes inseparable from the specific device rather than a portable secret.

MFA 2.0 is phish-proof, passwordless authentication built on public-key cryptography—the same technology used in Apple Pay and Google Pay. It uses device-bound credentials with no central credential database and requires same-device authentication rather than a second device. It is prevention-focused: the attack cannot succeed because there are no credentials to compromise. This protection spans the entire identity lifecycle, from registration and device onboarding through authorization, authentication, and decommissioning. It is not continuous authentication, behavioral monitoring, anomaly detection, session analysis, or risk-based authentication.

How Prevention at the Identity Layer Limits Supply-Chain Blast Radius

MSP environments link many organizations through shared tooling. When authentication depends on reusable credentials, a single vulnerability anywhere in the chain produces widespread encryption. Device-bound cryptographic checks close that path at the first verification step. They integrate with existing directories through standard SAML and OIDC protocols and operate on the laptops or workstations already in use.

Even after initial code execution, every subsequent authentication attempt fails without the matching private key. Unauthorized requests are rejected immediately rather than flagged later through behavioral signals. This model shrinks the window for lateral movement by design and layers onto current identity and VPN infrastructure without replacing directories or re-architecting workflows.