Transport for London and Western Sydney University both suffered credential-based breaches that exposed passenger and student records. Stolen or weak login details allowed unauthorized parties to reach internal systems holding names, contact information, travel histories, and enrollment records. Both incidents followed the pattern seen across most ransomware and data-access incidents tracked in Verizon's Data Breach Investigations Report (DBIR): valid credentials supplied the initial foothold, after which further movement required little additional effort because the session already appeared legitimate.

Once the primary credentials were in hand—obtained through infostealer malware, prior phishing campaigns, or simple reuse—attackers authenticated directly. No subsequent control demanded possession of a factor that could not be captured or replayed in real time.

Reusable Secrets Created the Perimeter Breach

Both organizations relied on passwords or conventional multi-factor methods that still transmit or accept shared secrets. When those values appeared in credential dumps or were captured during earlier compromises, the organizations faced elevated risk because authentication succeeded at the edge using nothing more than values an attacker could type or paste. Downstream systems then operated on an already-authenticated session rather than verifying the device itself.

Device-bound public-key credentials remove the shared secret from every stage. The private key never leaves the hardware where it was generated, and only the corresponding public key is registered with the service. An attacker who obtains a username or even a prior password gains nothing usable for a new login attempt.

Traditional Second Factors Remain Replayable

SMS codes, time-based tokens, and push approvals can be intercepted or proxied once the primary credential is known. Phishing kits and session-proxy tools allow an attacker to satisfy both factors in a single flow, after which the resulting token or cookie grants access that downstream applications treat as valid.

Public-key cryptography changes this equation by eliminating any value that can be intercepted and reused. The cryptographic proof is generated on the device at the moment of each request and cannot be extracted for later use elsewhere.

Device-Bound Credentials Close the Full Lifecycle

MFA 2.0 is phish-proof, passwordless authentication built on public-key cryptography—the same technology used in Apple Pay and Google Pay. It uses device-bound credentials with no central credential database and operates as same-device authentication, requiring no second device. Because there are no reusable secrets to capture, the initial access vector that succeeded in these incidents cannot be exploited.

Registration, device onboarding, authorization changes, and recovery must also be bound to the same cryptographic identity. When every protected action requires fresh proof from the enrolled device, an attacker who compromises email, help-desk processes, or an earlier session still lacks the private key needed to register a fraudulent authenticator or reset access. The result is prevention at the first step rather than detection after unauthorized entry has already occurred.