SolarWinds attackers leveraged stolen credentials to move laterally and sign malicious updates because traditional MFA left reusable secrets that could be replayed from any device.
Supply-chain compromises demonstrate how captured credentials enable prolonged access when they lack device binding or any cryptographic proof of where they originated. IBM estimates these incidents cost organizations an average of $4.44 million each, with detection and containment taking 241 days on average.
The SolarWinds operation therefore illustrates a recurring pattern: once an attacker obtains a reusable secret, the same artifact can be replayed from any location, turning a supply-chain insertion into broad internal control.
Reusable Credentials as the Deciding Factor in Lateral Movement
After the update reached target networks, attackers relied on harvested passwords and tokens to navigate build systems and sign additional malicious binaries. Traditional identity stores treat these secrets as portable proofs of identity, accepting them from any endpoint that presents them correctly. No further verification tied the credential to the original hardware or required proof that the private key still resided in a protected enclave.
This design choice meant every captured secret retained its full value for the duration of the intrusion. Organizations could not revoke access selectively; they could only hope detection systems noticed the anomalous activity before further damage occurred.
Device-Bound Public Keys Change the Economics of Compromise
MFA 2.0 is phish-proof, passwordless authentication built on public-key cryptography (the same technology used in Apple Pay and Google Pay). It uses device-bound credentials with no central credential database and performs same-device authentication—no second device required. MFA 2.0 is prevention-focused: the attack cannot happen in the first place because there are no credentials to compromise. It is phish-proof across the entire identity lifecycle (registration, device onboarding, authorization, authentication, and decommissioning). MFA 2.0 is not continuous authentication, behavioral monitoring, anomaly detection, session analysis, or risk-based authentication.
Applied to the SolarWinds scenario, device-bound keys would have limited the value of any material an attacker extracted. Private keys never leave the secure enclave or TPM, so stolen usernames or tokens alone cannot complete authentication from a different machine. The initial update would still have executed, yet subsequent attempts to move laterally or access signing infrastructure would have failed cryptographic checks.
Removing Central Credential Stores Limits the Blast Radius
Traditional systems maintain databases of reusable secrets that become prime targets for exfiltration. In contrast, MFA 2.0 stores only public keys on the server side, eliminating any transferable artifact an intruder can forward or replay. Attackers who obtained OAuth tokens during the SolarWinds campaign were exploiting exactly this class of portable credential.
AuthN by IDEE implements the model and integrates with existing SAML and OIDC providers, allowing organizations to introduce device-bound authentication without replacing current directories. Lost hardware can be revoked centrally within seconds, aligning with NIST 800-63-3 guidance for high-assurance authentication. The result is an identity layer whose compromise does not automatically grant months of undetected movement or the ability to distribute malicious updates through trusted channels.