Jaguar Land Rover Breach Shows Cost of Relayable Authentication Factors
A £1.9 billion loss and five weeks of halted production resulted from attackers who never needed to break encryption or compromise factory systems. They obtained valid session tokens by guiding employees through push approvals and code relays during vishing calls that referenced real ticket numbers gathered from public sources.
Scattered Spider actors used those tokens to enumerate Active Directory, locate service accounts tied to manufacturing execution systems, and deploy ransomware that encrypted both internal production environments and supplier portals. Lateral movement occurred quickly once the first authenticated session existed, bypassing detection windows that relied on post-access monitoring.
The incident followed a pattern seen in other manufacturing and automotive compromises where initial access depended on factors that could be relayed in real time. Employees completed authentication steps that appeared legitimate to the server because the system only verified that the factor had been completed, not whether the user performed it without external direction.
Vishing Success Through Portable Authentication Values
Attackers referenced internal ticket details to build credibility during calls. When employees approved push notifications or read one-time codes aloud, the authentication server issued session tokens that carried full access rights. No malware on employee devices or exploitation of operational technology networks was required.
Once inside, standard administrative tools allowed rapid enumeration and deployment of encryption payloads. The manufacturing environment’s reliance on shared identity systems between enterprise, production, and supplier networks meant one valid session provided broad reach before response teams could isolate affected segments.
Why SMS, TOTP, and Push Approvals Enable Credential Relay
These factors transmit observable values or require real-time user actions that can be dictated over a phone call. The server records successful completion without any mechanism to confirm independent user intent. Service accounts and help-desk processes often inherit the same dependency, creating additional paths once an initial token is obtained.
In environments with tight integration between IT and operational systems, this design allows attackers to move from a single relayed session to domain-level control and ransomware deployment. Recovery options that fall back to SMS or email challenges reintroduce the same relayable values, extending the window of exposure.
Device-Bound Public-Key Credentials Remove the Relay Vector
MFA 2.0 replaces phishable steps with authentication built on public-key cryptography. Private keys are generated and stored exclusively on the user’s device, never transmitted or stored in any central database. The same credential is used for registration, device onboarding, authorisation, authentication, and recovery, eliminating fallback channels that reintroduce relayable values.
Because the private key cannot leave the device, an attacker who compromises a help-desk process or obtains a password database still holds nothing usable for authentication. Recovery flows rely on pre-authorised approval from a second enrolled device rather than new SMS or email challenges. Passkeys created under this model differ from standalone implementations because no phishable factor is introduced at any point in the lifecycle.
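What makes a device-bound credential non-relayable is shown below as an added example in Go (not IDEE's or AuthN's code): a WebAuthn-style relying-party check that accepts a signature only if it covers the challenge issued to this session and the relying party's own origin, which the browser records rather than the user. The key, challenge strings and origins are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// ClientData models what a WebAuthn authenticator signs over: the server's
// challenge and the origin the browser itself observed (never user-typed).
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Assertion struct {
	ClientData []byte // the signed data
	Sig        []byte // ECDSA signature over sha256(ClientData)
}

// Sign runs on the user's device. The private key never leaves it, and the
// browser fills in origin, so there is no portable value to read aloud.
func Sign(priv *ecdsa.PrivateKey, challenge, origin string) (Assertion, error) {
	cd, _ := json.Marshal(ClientData{Challenge: challenge, Origin: origin}) // cannot fail for this struct
	h := sha256.Sum256(cd)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return Assertion{ClientData: cd, Sig: sig}, err
}

// Verify is the relying party's check: unlike an OTP compare, the signature must
// cover this session's challenge and the RP origin, so relayed or lookalike-origin assertions fail.
func Verify(pub *ecdsa.PublicKey, expectedChallenge, rpOrigin string, a Assertion) bool {
	var cd ClientData
	if err := json.Unmarshal(a.ClientData, &cd); err != nil {
		return false
	}
	if cd.Challenge != expectedChallenge || cd.Origin != rpOrigin {
		return false
	}
	h := sha256.Sum256(a.ClientData)
	return ecdsa.VerifyASN1(pub, h[:], a.Sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // enrolment: key is born on the device
	a, _ := Sign(priv, "nonce-1", "https://login.example.com")   // constructed sample values
	println(Verify(&priv.PublicKey, "nonce-1", "https://login.example.com", a))
}
```

The same assertion presented against a different challenge, or one produced on a lookalike origin, is rejected even though the private key is genuine; only the enrolled public key, the live challenge and the real origin together pass.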
Detection technologies remain useful for monitoring after access occurs, yet the architecture ensures the initial compromise vector itself is removed. AuthN by IDEE demonstrates one implementation of this model, where credentials stay bound to hardware throughout the identity lifecycle and cannot be relayed through social engineering.