Support-account compromises show how traditional MFA fails once an attacker clears the initial login barrier. In the January 2022 Lapsus$ incident at Okta, the compromised account belonged to a support engineer at Sitel, a third-party contractor, and that single account could view customer tenant configurations, support tickets, and authentication policies; Okta initially estimated that up to 366 customer tenants might have been affected. No malware or technical exploit was required: the attackers gained remote (RDP) access to the engineer's workstation and rode the engineer's already authenticated session in Okta's support console. Access was possible over a five-day window (16 to 21 January), although Okta's own assessment put the attacker's active control at roughly 25 minutes on 21 January.
The credentials came from social engineering or an earlier breach, and once inside the group operated with exactly the privileges of the legitimate engineer. IBM's 2024 Cost of a Data Breach Report puts the global average incident at $4.88 million, with third-party and credential-driven compromises consistently among the costliest. Verizon's DBIR has repeatedly identified stolen credentials as the leading initial access vector in recent years, including in the 2023 edition.
Why Credential Reuse Enabled Prolonged Access
The support role demanded ongoing administrative reach into customer environments. Once the login succeeded, the attackers inherited the session it produced, and a traditional second factor has no further say over that session: it is consulted once, at login, and the session token then lives on independently of it. SMS codes, TOTP applications, and push notifications are all reusable, phishable factors that offer no defense after the initial authentication succeeds. Any session token issued after a stronger login has the same property, so session lifetime, binding and revocation remain part of the design even when the factor itself is phish-resistant.
The exposure extended beyond the login event itself. Registration, device enrollment, privilege assignment, and account decommissioning all hinged on the same reusable credentials, so each of those steps was a further point at which a compromise could begin.
Why Monitoring Could Not Block the Abuse
Detection systems that flag unusual login patterns or anomalous support activity act only after access has been granted, and in this case alerting lagged the initial intrusion by days. A prevention model instead asks whether a usable credential can be obtained in the first place.
MFA 2.0 achieves this through phish-proof, passwordless authentication built on public-key cryptography, the same family of techniques behind Apple Pay and Google Pay. Each credential is a key pair bound to the device, and the server holds no central database of secrets. Authentication happens on the same device the user is working from, so no second device or shared secret is needed. Because the private key never leaves the secure enclave, each login signs a fresh server challenge, and attestation confirms both device and context, an attacker cannot replay a captured response or use the credential from another machine.
This approach covers the entire identity lifecycle: registration, device onboarding, authorization, authentication, and decommissioning. When no reusable secret exists, phishing, session replay, and credential-stuffing attacks lose their entry point.
Architectural Changes That Close the Vector
AuthN by IDEE implements MFA 2.0 by issuing per-device key pairs during onboarding. Only the public key and attestation data are stored, removing any central vault of secrets. Revocation becomes immediate: the public key is simply deleted from the directory. Replacement devices register fresh keys without leaving exploitable material behind.
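The following Go program is an added illustration of the model described above: per-device key pairs issued at enrollment, a directory that stores only public keys, challenge-response authentication, and revocation by deleting the public key. It is not AuthN by IDEE's code or any other vendor's; it uses Ed25519 from Go's standard library in place of a secure enclave, an in-memory map as the directory, and a simple "challenge|origin" message to bind each signature to the relying-party origin (all of these are assumptions made for the example). The scenario it runs also exercises the failure modes the text names: replay of a captured response, a response signed for a phishing origin, and use after revocation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Registry is the server-side directory. It holds public keys and outstanding
// one-time challenges only; there is no secret here worth stealing.
type Registry struct {
	keys       map[string]ed25519.PublicKey // deviceID -> public key
	challenges map[string]bool              // unused challenges
}

func NewRegistry() *Registry {
	return &Registry{keys: map[string]ed25519.PublicKey{}, challenges: map[string]bool{}}
}

// Device stands in for the enrolled endpoint. In a real deployment the private
// key would live in a secure enclave and never be exportable (assumption here).
type Device struct {
	ID   string
	priv ed25519.PrivateKey
}

// Enroll generates a per-device key pair and registers only the public half.
func Enroll(r *Registry, id string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	r.keys[id] = pub
	return &Device{ID: id, priv: priv}, nil
}

// Challenge issues a fresh random nonce that can be answered exactly once.
func (r *Registry) Challenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	c := hex.EncodeToString(b)
	r.challenges[c] = true
	return c, nil
}

// message binds the challenge to the origin the device believes it is talking to.
func message(challenge, origin string) []byte { return []byte(challenge + "|" + origin) }

// Sign answers a challenge for the given origin with the device-bound private key.
func (d *Device) Sign(challenge, origin string) []byte {
	return ed25519.Sign(d.priv, message(challenge, origin))
}

// Verify consumes the challenge and checks the signature against the enrolled
// public key and the relying party's own origin. A response signed for any
// other origin, or presented a second time, is rejected.
func (r *Registry) Verify(deviceID, challenge, origin string, sig []byte) error {
	pub, ok := r.keys[deviceID]
	if !ok {
		return errors.New("device not enrolled or revoked")
	}
	if !r.challenges[challenge] {
		return errors.New("unknown or already used challenge")
	}
	delete(r.challenges, challenge) // one-time use, even if the signature turns out bad
	if !ed25519.Verify(pub, message(challenge, origin), sig) {
		return errors.New("signature does not verify for this origin")
	}
	return nil
}

// Revoke removes the public key; nothing else needs to be rotated or cleaned up.
func (r *Registry) Revoke(deviceID string) { delete(r.keys, deviceID) }

// RunScenario walks through a legitimate login and three failure modes and
// reports, per case, whether authentication succeeded.
func RunScenario() map[string]bool {
	const rp = "https://support.example.com" // assumed relying-party origin
	res := map[string]bool{}
	reg := NewRegistry()
	dev, err := Enroll(reg, "engineer-laptop-01") // constructed device ID
	if err != nil {
		panic(err)
	}
	c1, _ := reg.Challenge()
	sig1 := dev.Sign(c1, rp)
	res["legit"] = reg.Verify(dev.ID, c1, rp, sig1) == nil
	// Attacker captured (c1, sig1) on the wire and replays it: challenge already consumed.
	res["replay"] = reg.Verify(dev.ID, c1, rp, sig1) == nil
	// Phishing site relays the real challenge, but the device signs for the origin it sees.
	c2, _ := reg.Challenge()
	res["phished_origin"] = reg.Verify(dev.ID, c2, rp, dev.Sign(c2, "https://support-example.com")) == nil
	// Decommissioning: delete the public key, then try a fresh, correctly signed login.
	reg.Revoke(dev.ID)
	c3, _ := reg.Challenge()
	res["after_revoke"] = reg.Verify(dev.ID, c3, rp, dev.Sign(c3, rp)) == nil
	return res
}

func main() {
	for k, v := range RunScenario() {
		fmt.Printf("%-15s accepted=%v\n", k, v)
	}
}
```

Only the first case is accepted. The replay fails because the challenge is single-use, the phished response fails because the origin is part of the signed message, and the post-revocation attempt fails because no public key remains to verify against; in none of these cases did the attacker obtain anything reusable.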
The model integrates with existing identity providers and privileged-access platforms by replacing only the authentication layer. It works alongside directory services and session controls without requiring infrastructure replacement. Where traditional MFA stacks one phishable factor on top of another, device-bound public-key authentication removes phishable factors entirely.
FIDO2/WebAuthn uses the same device-bound public-key primitive and would have hardened the final login step, but the compromised support account most likely still relied on weaker factors for routine administrative tasks such as enrollment, recovery, and privilege changes. Hardening a single stage leaves the rest of the chain exposed; the difference claimed for MFA 2.0 is coverage, applying that primitive at every stage of the identity lifecycle rather than only at login.