A single shared remote-access credential nearly allowed an attacker to release a massive chemical overdose into a municipal water supply on February 5, 2021. With nothing more than a reused TeamViewer password, the intruder reached the Oldsmar plant’s SCADA console and increased sodium hydroxide levels from 100 ppm to 11,100 ppm. An operator on site caught the change on the screen and reversed it before any treated water left the facility.

The incident required no vulnerability in the control software itself. The attacker simply needed an authenticated remote session, which the static password supplied without further resistance. Once inside, every dosing command was available through the same interface used by legitimate staff.

Shared Secrets in Operational Remote Access

Industrial environments routinely rely on one password or account for multiple operators across shifts and workstations. That design choice turns a single leaked secret into full administrative reach over chemical processes, pumps, and valves. In this case the credential had been distributed for convenience, so its compromise granted the attacker exactly the same view and control any on-site user possessed.

The password was probably obtained through phishing or credential stuffing, common entry points that require no interaction with the target network’s perimeter defenses. Because the secret lived outside any individual device or user context, it could be used from any location at any time. No additional verification tied the session back to a specific operator or hardware token.

This pattern repeats across water, energy, and manufacturing sites where rotating personnel need quick access to the same terminals. Each reuse multiplies the window during which a stolen value remains valid, converting operational simplicity into an open invitation for lateral movement once the first barrier falls.

Appended Factors Leave the Session Unprotected

Code-based and push-based second factors still depend on the initial credential succeeding first. After that point, the remote session is treated as legitimate, and the control interface grants unrestricted commands regardless of any separate device or one-time code. In the Oldsmar case the attacker never needed to bypass a second factor; the authenticated workstation already exposed every dosing function.

A stronger model replaces the reusable secret entirely. Authentication is instead anchored to a device-specific key pair generated on the operator’s hardware. The private key never leaves that device, and every session attempt requires both the key and a local user factor such as a biometric or PIN. Without both elements present on the enrolled hardware, the remote connection cannot be established.

This approach eliminates the value of any captured password or code. An attacker who obtains one-time material through phishing gains nothing usable, because the cryptographic binding travels with the specific device rather than floating as a shareable string.
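
The challenge-response flow this model implies, shown as an added example that is not from the original article or from any vendor's product. Ed25519 from Go's standard library stands in for the device key pair, and the in-memory private key stands in for one held in the operator's hardware and unlocked by the local biometric or PIN. The `Verifier` type, the `Demo` function and the operator ID are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Verifier stores public keys only, so it holds nothing reusable as a login.
type Verifier struct {
	pubKeys map[string]ed25519.PublicKey // operator ID -> enrolled device key
	pending map[string][]byte            // operator ID -> single-use challenge
}

// Enroll registers the public half; priv stands in for a hardware-held key.
func (v *Verifier) Enroll(operator string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	v.pubKeys[operator] = pub
	return priv
}

// Challenge issues a fresh random nonce for one login attempt.
func (v *Verifier) Challenge(operator string) []byte {
	v.pending[operator] = make([]byte, 32)
	rand.Read(v.pending[operator])
	return v.pending[operator]
}

// Verify consumes the challenge, so a captured signature cannot be replayed.
func (v *Verifier) Verify(operator string, sig []byte) bool {
	c, ok := v.pending[operator]
	delete(v.pending, operator)
	pub, enrolled := v.pubKeys[operator]
	return ok && enrolled && ed25519.Verify(pub, c, sig)
}

func Demo() (login, replay bool) { // one genuine login, then a replay
	v := &Verifier{map[string]ed25519.PublicKey{}, map[string][]byte{}}
	key := v.Enroll("operator-7") // constructed operator ID
	sig := ed25519.Sign(key, v.Challenge("operator-7"))
	login = v.Verify("operator-7", sig)
	v.Challenge("operator-7") // a later attempt gets a fresh nonce
	return login, v.Verify("operator-7", sig)
}

func main() { fmt.Println(Demo()) }
```

The signature that was accepted once fails on the next attempt because it covers a nonce the verifier has already discarded, which is the property a static TeamViewer password lacks.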

Device-Bound Public-Key Cryptography as a Fixed Control

MFA 2.0 is phish-proof, passwordless authentication built on public-key cryptography—the same technology used in Apple Pay and Google Pay. It uses device-bound credentials with no central credential database and requires same-device authentication; no second device is needed. MFA 2.0 is prevention-focused: the attack cannot occur because there are no credentials to compromise. It applies across the entire identity lifecycle, including registration, device onboarding, authorization, authentication, and decommissioning. It is not continuous authentication, behavioral monitoring, anomaly detection, session analysis, or risk-based authentication.

AuthN by IDEE implements this model by creating key pairs directly on each operator’s hardware. The private key remains protected inside the device, and verification occurs locally before any remote session is permitted. Shared workstations are supported because each operator carries an individual credential validated against their registered identity, independent of the console being used.

If a device is lost or stolen, authentication still demands the matching biometric or PIN, so the key pair cannot be misused. Existing SCADA and remote-access configurations stay in place; the system operates as an overlay that enforces the new control without replacing current software. The result is that the original attack vector—a reusable password granting direct chemical-system access—ceases to exist.