In the National Public Data breach, stolen credentials from earlier incidents allowed attackers to infiltrate systems holding nearly 2.9 billion people’s Social Security numbers, addresses, and phone numbers. The breach followed a familiar path: initial access via reused login material granted direct reach into central data repositories, after which the attackers operated for months before discovery.

Verizon’s 2025 DBIR records that 54 percent of organizations facing credential-driven incidents already appeared in earlier credential dumps. IBM’s 2025 Cost of a Data Breach Report places the average time to identify and contain such events at 241 days. At this scale, that window enabled extensive data extraction and subsequent sale on dark-web markets.

Reusable Credentials as the Persistent Entry Point

Attackers obtained login material through previous breaches or straightforward brute-force attempts against common data-broker configurations. Once authenticated, those same credentials allowed lateral movement into storage systems holding raw personal records. No additional verification layer interrupted queries or data transfers because the authentication model treated the compromised account as fully trusted after the first successful login.

Centralized credential stores made the material reusable across environments. Any database containing passwords or shared secrets becomes a high-value target; once copied, the same values can be tested against other systems without further interaction with the original owner.

Why Added Second Factors Did Not Block Lateral Movement

Common second factors such as SMS codes, TOTP applications, and push notifications depend on secrets that either travel across networks or reside in databases. When the initial account was already controlled through stolen credentials, these factors offered no additional checkpoint. The attacker simply continued using the authenticated session or reused the harvested secrets elsewhere.

This approach leaves the root access vector unchanged. Adding a factor after the password does not remove the underlying secret that can be intercepted, harvested, or replayed.

Device-Bound Public-Key Cryptography Eliminates the Reusable Secret

Device-bound public-key cryptography keeps each private key inside the secure element of the enrolled device. The key never leaves the hardware and never crosses the network, so no central store of reusable material exists for attackers to target. Without a credential that can be stolen or sold, the entry method used against National Public Data disappears.
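The challenge-response flow behind this model, shown here as an added example rather than IDEE's code or the MFA 2.0 implementation: the device holds an Ed25519 private key that never leaves it, the server stores only the public key and a single-use random challenge, and a copy of the server store therefore contains nothing an attacker can replay or reuse. The type and function names (Device, Server, Enroll, Challenge, Verify) are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Device models an enrolled endpoint; the private key lives only here (in a secure element).
type Device struct{ priv ed25519.PrivateKey }

// Server stores only public keys plus one outstanding single-use challenge per user.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Enroll generates the key pair on the device and registers the public half only.
func Enroll(s *Server, user string) *Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) } // demo: no sensible recovery if the system CSPRNG fails
	s.pubKeys[user] = pub
	return &Device{priv: priv}
}

// Challenge issues 32 fresh random bytes that the device must sign for this login.
func (s *Server) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil { panic(err) }
	s.challenges[user] = c
	return c
}

// Sign is the only operation the device exposes; the private key never leaves it.
func (d *Device) Sign(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

// Verify checks the signature against the stored public key and the outstanding
// challenge. The challenge is consumed first, so a captured signature cannot be replayed.
func (s *Server) Verify(user string, sig []byte) error {
	c, ok := s.challenges[user]
	delete(s.challenges, user)
	pub, enrolled := s.pubKeys[user]
	if !ok || !enrolled || !ed25519.Verify(pub, c, sig) {
		return errors.New("no outstanding challenge or signature does not match public key")
	}
	return nil
}
```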

This protection applies from registration through device onboarding, authorization, authentication, and decommissioning. No phishable value is transmitted at any stage. MFA 2.0 implements exactly this model: phish-proof, passwordless authentication built on public-key cryptography, using device-bound credentials with no central credential database and same-device verification that requires no second device. The result is prevention rather than detection; the attack cannot occur because there are no credentials to compromise.

AuthN by IDEE applies this architecture on both corporate and personal endpoints while preserving identical security properties. In the National Public Data incident, the absence of any reusable or phishable secret would have removed the initial access step entirely.