Stolen credentials from earlier leaks proved enough to compromise internal systems at Activision, a major gaming publisher, in late 2022. No zero-day exploit or advanced intrusion was required. Once the attackers presented valid login details, they moved laterally across internal resources and extracted employee and user records. The company disclosed the incident in February 2023, noting that the stolen data could immediately fuel further credential-stuffing attacks against other services.

IBM's 2024 Cost of a Data Breach Report recorded an average of 258 days to identify and contain a breach overall, and 292 days for breaches that began with stolen or compromised credentials, the longest of any initial attack vector. The gap illustrates how long such access can remain undetected when authentication relies on reusable secrets: a valid login looks like a valid login.

Credential Reuse as the Entry Point

The breach succeeded because the authentication systems accepted transferable proof of identity. A password can be captured once and replayed indefinitely. A one-time code, whether delivered via SMS or generated by an authenticator application, expires after a short window, but a real-time phishing proxy relays it within that window, so it is transferable all the same. When attackers already possess these values, from earlier leaks or from a live phishing session, the authentication layer performs exactly as designed: it grants access to any party that supplies the correct combination.

This design assumes that possession of a secret demonstrates legitimate control. In practice, the same secret can reside in multiple locations outside the intended user's device, collapsing the assumption without any additional technical barrier.

Device-Bound Credentials Change the Equation

MFA 2.0 replaces transferable secrets with public-key cryptography. During registration, the user's device generates a key pair and transmits only the public key to the service. Each subsequent authorization request presents a fresh, random cryptographic challenge that the private key, retained exclusively on that device, must sign. The private key never leaves the hardware or secure enclave, and the service's database holds only public keys, which do not let an attacker who dumps the database impersonate anyone.

Because signing happens on the same device that generated the key, the model requires no second device and no out-of-band delivery of a code. The service verifies the signature against the stored public key; a captured response is useless because the next login carries a different challenge. Revocation is achieved simply by removing the registered public key from the service.

Protection Across the Identity Lifecycle

MFA 2.0 applies this cryptographic approach from initial registration through device onboarding, authorization, authentication, and decommissioning. Each step uses the device-held private key to respond to a unique challenge rather than presenting a static or short-lived secret. A response is valid only for the single challenge it answers, which eliminates the window in which captured credentials can be reused.

In the Activision case, device-bound credentials would have rendered stolen passwords and codes worthless at the first authentication request. No password or one-time code would exist to present, and social-engineering attempts would find nothing transferable to obtain. One caveat a practitioner should check: the signed response must also bind the origin of the service, as FIDO2/WebAuthn does. A challenge-response scheme that signs the challenge alone can still be relayed by a real-time phishing proxy that forwards the genuine challenge to the victim. With origin binding in place, lateral movement stops where the cryptographic challenge begins.

The same principle applies to every stage of account management. Key generation occurs entirely on the user's device and registration sends only the public key, so the service never receives a secret that could later be phished. Decommissioning requires only deletion of the corresponding public key. No credential ever travels the network in a form that can be intercepted and replayed.
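The following Go program is an added example, not code from the original page or from any MFA 2.0 product; it implements the registration, challenge-response, and decommissioning lifecycle described above with Ed25519 from the Go standard library. The origin string, the user name, and the length-prefixed message layout are assumptions chosen for illustration (FIDO2/WebAuthn binds the origin through its own clientData structure). The scenario also shows the two failure modes that matter: a replayed response is rejected because the challenge was consumed, and a response signed for a look-alike origin is rejected because the server verifies over its own origin.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// signedMessage binds the challenge to the origin the signer believes it is
// talking to. The origin is length-prefixed so that no two (origin, challenge)
// pairs can produce the same byte string. This layout is an assumption.
func signedMessage(origin string, challenge []byte) []byte {
	msg := make([]byte, 4, 4+len(origin)+len(challenge))
	binary.BigEndian.PutUint32(msg, uint32(len(origin)))
	msg = append(msg, origin...)
	return append(msg, challenge...)
}

// Device holds the private key, which is generated here and never exported.
type Device struct{ priv ed25519.PrivateKey }

// NewDevice generates the key pair and returns only the public half for registration.
func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, pub, nil
}

// Respond signs a challenge for the origin the user is shown.
func (d *Device) Respond(origin string, challenge []byte) []byte {
	return ed25519.Sign(d.priv, signedMessage(origin, challenge))
}

// Server is the relying party. It stores public keys only, so dumping its
// database yields nothing that can be used to impersonate a user.
type Server struct {
	origin  string
	keys    map[string]ed25519.PublicKey // user -> registered public key
	pending map[string][]byte            // user -> outstanding single-use challenge
}

var errNoCredential = errors.New("no registered credential for user")

func NewServer(origin string) *Server {
	return &Server{origin: origin, keys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register (onboarding) binds the device's public key to the account.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// Challenge issues 32 fresh random bytes, valid for exactly one response.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.keys[user]; !ok {
		return nil, errNoCredential
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// Verify accepts a response only if the challenge is the one outstanding for the
// user (then consumes it) and the signature verifies over the server's own origin.
func (s *Server) Verify(user string, challenge, sig []byte) error {
	pub, ok := s.keys[user]
	if !ok {
		return errNoCredential
	}
	want, ok := s.pending[user]
	if !ok || subtle.ConstantTimeCompare(want, challenge) != 1 {
		return errors.New("challenge not outstanding: stale or replayed")
	}
	delete(s.pending, user) // single use, whether or not the signature checks out
	if !ed25519.Verify(pub, signedMessage(s.origin, challenge), sig) {
		return errors.New("signature does not verify for this origin")
	}
	return nil
}

// Revoke (decommissioning): deleting the public key is the whole procedure.
func (s *Server) Revoke(user string) { delete(s.keys, user); delete(s.pending, user) }

// Outcome records whether each attempt in the scenario was accepted.
type Outcome struct{ Legit, Replay, Phished, AfterRevoke bool }

// RunScenario walks the lifecycle: register, log in, replay a captured response,
// relay a genuine challenge through a look-alike origin, then revoke.
func RunScenario() (Outcome, error) {
	const origin, user = "https://login.example.com", "alice" // hypothetical values
	var o Outcome
	srv := NewServer(origin)
	dev, pub, err := NewDevice()
	if err != nil {
		return o, err
	}
	srv.Register(user, pub)
	c1, err := srv.Challenge(user) // 1. legitimate login
	if err != nil {
		return o, err
	}
	sig1 := dev.Respond(origin, c1)
	o.Legit = srv.Verify(user, c1, sig1) == nil
	o.Replay = srv.Verify(user, c1, sig1) == nil // 2. attacker replays captured (c1, sig1)
	c2, err := srv.Challenge(user)               // 3. proxy relays a fresh challenge to the victim
	if err != nil {
		return o, err
	}
	o.Phished = srv.Verify(user, c2, dev.Respond("https://login.example.com.evil.test", c2)) == nil
	srv.Revoke(user) // 4. decommission: no further challenge can even be issued
	_, err = srv.Challenge(user)
	o.AfterRevoke = err == nil
	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legit=%v replay=%v phished=%v after_revoke=%v\n", o.Legit, o.Replay, o.Phished, o.AfterRevoke)
}
```

Run it with `go run .`; the expected output is `legit=true replay=false phished=false after_revoke=false`. Note that the challenge is consumed before the signature is checked, so an attacker cannot keep probing one challenge with guessed signatures, and that revocation touches only the server's map: the device's private key can still sign, but nothing will accept the result.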

This prevention model differs from standards that secure only the login event. It extends cryptographic guarantees to the full lifecycle, ensuring that the conditions enabling credential reuse cannot arise.