Stolen credentials allowed Conti ransomware operators to encrypt systems and exfiltrate data across nearly thirty Costa Rican government institutions, halting tax collection, customs processing, and other core services.

The initial foothold came from compromised login material that granted entry to remote and administrative portals. Once inside, the operators mapped the environment, escalated privileges, and moved laterally through poorly segmented networks until they reached domain controllers. No zero-day exploit was required; valid credentials were sufficient to initiate the entire chain.

Reusable Credentials as the Persistent Attack Surface

Costa Rica's systems followed a common pattern: authentication rested on secrets that could be stolen once and reused indefinitely. The Verizon DBIR has tracked credentials as the leading initial access vector for five consecutive years precisely because these values travel between users, devices, and networks. When an attacker obtains a password or session token, every downstream control that assumes the session is legitimate becomes irrelevant.

Lateral movement succeeded because the same reusable material worked across ministries. Segmentation and monitoring could not compensate for the absence of a hard cryptographic boundary between the compromised account and the rest of the infrastructure. The attackers simply authenticated as legitimate operators from the moment they entered.

Separable Factors Create Relay and Interception Opportunities

Many of the affected systems already required a second factor. SMS codes, TOTP applications, and push notifications were all in use, yet none prevented the breach. Each of these factors exists separately from the user and device, allowing real-time interception or social engineering. An attacker who already holds the password can relay a TOTP value or approve a push notification without ever possessing the original phone.

This pattern repeats across documented incidents because the factors themselves are designed to travel. Once the session token is issued, the original authentication material is no longer consulted. The Conti operators exploited exactly this separation to maintain access while moving deeper into the network.

Device-Bound Public-Key Cryptography Eliminates the Vector

MFA 2.0 replaces phishable factors with public-key cryptography anchored directly to the user's device, the same foundation used by Apple Pay and Google Pay. Private keys never leave the secure hardware enclave, and there is no central database of passwords or shared secrets for attackers to harvest. Authentication is a cryptographic challenge-response: the server issues a fresh, single-use challenge, the device signs it together with the origin on which it was presented, and the resulting signature is worthless on any other site or at any later time, so it cannot be forwarded or replayed. An attacker who obtains a username and password therefore gains nothing usable.

This model extends protection across the entire identity lifecycle. Key pairs are generated locally during registration, device onboarding remains bound to hardware attestation, and revocation uses cryptographic proofs rather than deletion of a central record. The result is prevention rather than detection: the credentials attackers depend on simply do not exist in a form that can be compromised.

The architecture scales because credentials reside on endpoints or secure elements rather than in a shared repository. It integrates with existing IAM and SSO platforms by strengthening only the authentication layer. Device loss or replacement is handled through cryptographic attestation flows that avoid reintroducing knowledge-based or out-of-band factors.

Standard FIDO2 and WebAuthn implementations already deliver strong protection at login time. MFA 2.0 applies the same cryptographic principles consistently to registration, onboarding, privilege changes, and decommissioning. Behavioural analytics and continuous monitoring assume compromise will occur and attempt to spot misuse afterward. Device-bound public-key cryptography removes the prerequisite for those detection layers by eliminating the credentials that make initial compromise possible.