Attackers obtained ordinary login credentials and reused them to expose forty million voter records from UK Electoral Commission systems. No zero-day exploit or advanced malware was required. Once inside, the intruders copied names, addresses, dates of birth and other identifiers for the majority of the national electoral register, an operation that went undetected for months.
IBM’s 2024 Cost of a Data Breach Report puts the average time to identify and contain similar incidents at 258 days. That window proved ample for a complete exfiltration of the register before any alarm was raised.
Credential Reuse as the Decisive Factor
The intrusion started with valid credentials harvested through phishing or earlier data dumps. The systems accepted these factors for registration, device onboarding and routine access without cryptographic checks that would have invalidated reuse. Because the credentials remained valid across the entire identity flow, attackers needed only one successful login to reach and copy the full dataset.
This sequence repeats across government and critical-infrastructure environments whenever authentication relies on reusable secrets rather than keys that cannot leave the device.
Gaps That Persist Beyond Standard MFA
Even deployments of FIDO2 or passkeys often leave earlier stages—password resets, account recovery, or initial registration—dependent on factors an attacker can obtain and replay. The Electoral Commission compromise occurred before any hardened login page was reached. Hardening only the final authentication step therefore leaves the preceding identity operations exposed.
Device-Bound Keys Close the Reusable-Credential Surface
MFA 2.0 replaces every phishable factor with device-bound asymmetric key pairs generated on the endpoint. The private key never leaves the hardware; only the matching public key is registered with the service. Authentication occurs through a locally signed challenge, eliminating any central credential database that could be stolen and any token that could be intercepted or reused.
The same binding applies to onboarding and decommissioning steps. Because no credential exists that an attacker can phish, replay or reset, the openings exploited in the voter-register compromise are closed at the architectural level. MFA 2.0 is phish-proof across registration, device onboarding, authorization, authentication and decommissioning. It is not continuous authentication, behavioral monitoring or risk-based analysis; it is prevention achieved by removing the assets attackers require.
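The signed-challenge flow described above, sketched as an added example that is not code from the original article or from any product it names. It is a simplified model rather than the WebAuthn message format; the function names, the user "alice" and the example origins are hypothetical, and the local biometric or PIN unlock is not modeled.

```javascript
// Added illustration: simplified model of a signed-challenge login, not the WebAuthn wire format.
const crypto = require("node:crypto");

// Device side: the key pair is generated locally and only the public key is exported.
function createDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return {
    publicKeyPem: publicKey.export({ type: "spki", format: "pem" }),
    // Signs the challenge together with the origin the client is actually connected to.
    sign: (challenge, origin) =>
      crypto.sign("sha256", Buffer.from(`${origin}|${challenge}`), privateKey),
  };
}

// Service side: holds public keys and outstanding single-use challenges, no shared secrets.
function createRelyingParty(origin) {
  const publicKeys = new Map(); // userId -> PEM public key
  const pending = new Map();    // userId -> challenge awaiting a signature
  return {
    register(userId, publicKeyPem) { publicKeys.set(userId, publicKeyPem); },
    issueChallenge(userId) {
      const challenge = crypto.randomBytes(32).toString("hex");
      pending.set(userId, challenge);
      return challenge;
    },
    verify(userId, signature) {
      const challenge = pending.get(userId);
      const pem = publicKeys.get(userId);
      pending.delete(userId); // consumed on first use, so a captured signature cannot be replayed
      if (!challenge || !pem) return false;
      return crypto.verify("sha256", Buffer.from(`${origin}|${challenge}`), pem, signature);
    },
  };
}

// Constructed scenario: a genuine login, two replays, and a signature made for a look-alike origin.
function demo() {
  const rp = createRelyingParty("https://service.example");
  const device = createDevice();
  rp.register("alice", device.publicKeyPem);
  const sig = device.sign(rp.issueChallenge("alice"), "https://service.example");
  const genuine = rp.verify("alice", sig);
  const replayed = rp.verify("alice", sig); // challenge already consumed
  rp.issueChallenge("alice");
  const stale = rp.verify("alice", sig);    // old signature against a fresh challenge
  const phishedSig = device.sign(rp.issueChallenge("alice"), "https://service-login.example");
  return { genuine, replayed, stale, phished: rp.verify("alice", phishedSig) };
}
console.log(demo());
```

Only the first verification succeeds: the service stores nothing an intruder could log in with, and a signature captured in transit or produced for another origin fails the check.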
Hardware security keys that implement FIDO2 still depend on a registration process that can be targeted if legacy factors remain anywhere in the flow. Device-bound public-key credentials eliminate that surface entirely. Physical possession of a device is also insufficient, because the private key cannot be used for signing without the user’s biometric or PIN unlock on that same device. The architecture relies on standard WebAuthn APIs already present in modern browsers and operating systems.
One implementation of this approach is AuthN by IDEE. Its design demonstrates how public-key cryptography, already proven in payment systems such as Apple Pay and Google Pay, can be applied consistently to identity operations without introducing new attack surfaces.