The exposure of limited customer metadata from a major AI provider originated from a single smishing (SMS phishing) message sent to an employee at Mixpanel, a third-party analytics firm. The attackers obtained names, email addresses, and usage details because the compromised organization relied on conventional username-and-password authentication, values a user can be talked into typing and an attacker can capture and replay against the genuine service in real time. Core systems were never accessed, yet the incident still demonstrated how a supply-chain partner's reusable credentials became the decisive control point.

Verizon's 2024 Data Breach Investigations Report (DBIR) found that 15 percent of breaches involved a third party, a 68 percent increase over the previous report. The Mixpanel exposure fit this pattern exactly: the initial compromise occurred entirely outside the primary organization, and the only barrier the attackers had to defeat was a standard credential flow at the partner.

Reusable Credentials as the Transferable Weakness

The attack succeeded because the authentication model required a human to transmit a secret that the attacker could immediately reuse. Once an employee entered a password or one-time code on the phishing page, the attacker relayed it to the real service within the code's validity window and inherited the same access rights the legitimate user possessed. No additional exploit against internal systems was required: the analytics platform simply returned the data it already held once the captured credentials were presented.

This pattern repeats across supply-chain incidents because conventional authentication, including one-time codes, produces a reusable value at every login. The secret exists in a form that can be solicited, intercepted, or phished, and the service has no independent way to verify either that the request originates from the legitimate device or that the user was interacting with the genuine site rather than a lookalike.

Device-Bound Public-Key Credentials Eliminate the Transferable Secret

MFA 2.0 replaces reusable credentials with device-bound key pairs generated through public-key cryptography. During registration, a private key is created and stored exclusively on the user's device, and only the corresponding public key is registered with the service. Authentication occurs when the service issues a fresh, single-use cryptographic challenge that can be answered only by the private key resident on that specific device; what crosses the network is a signature over that challenge, not a secret, and the server side holds only public keys, which are of no use to an attacker who steals them. Because the credential is bound to the service's own origin, a lookalike domain receives no signature at all.

In the Mixpanel scenario, a smishing attempt would have encountered nothing transferable. The employee has no value to type: the private key cannot be read out of the device, and a lookalike login page, being a different origin, is never handed a signature that the genuine service would accept. The result is prevention rather than detection: the attack cannot succeed because the factor the attacker needs to capture is never introduced.

Extending Cryptographic Controls Across the Identity Lifecycle

Standards such as FIDO2 and passkeys already protect the authentication ceremony. MFA 2.0 applies the same public-key model to registration, device onboarding, authorization decisions, and decommissioning. Because no phishable artifact appears at any stage, supply-chain incidents that begin with credential capture lose their entry point. The qualification matters: a phishing-resistant login guards only the ceremony it covers, and an enrolment or account-recovery flow that still accepts an emailed or texted code reintroduces the transferable secret the attacker is looking for.

One implementation of this approach, AuthN by IDEE, generates keys on-device and never centralizes them. The private key remains within the secure enclave of the employee's existing corporate laptop or phone, so no second device or hardware token is required. This architecture is intended to ensure that the same guarantee applied at login also governs every preceding and subsequent step in the identity chain.