Codebreakers reached Bank Sepah’s customer records by using administrative credentials that had never been tied to any specific device. The collective simply logged into portals and databases, extracting names, account details, and personal identifiers without exploiting any vulnerability in the platform itself.
The incident followed the common pattern seen across financial services where authentication still depends on reusable secrets. Once obtained, those secrets granted full access because the systems lacked any mechanism to confirm that requests originated from previously registered hardware. Lateral movement to production data occurred because the presence of a correct username and password was treated as sufficient proof of legitimacy.
Credential Reuse and Lateral Movement
Attackers obtained credentials that remained functional across multiple systems. Traditional authentication factors can be intercepted or reused during login, registration, or reset processes, after which the platform grants a session without further hardware verification. In this case the absence of device binding meant any valid credential pair sufficed to reach sensitive records.
Public reporting confirms the root cause was credential exposure rather than a zero-day flaw. The centralized store of reusable secrets therefore became the single point that enabled large-scale exfiltration once it was reached.
Device-Bound Public-Key Authentication
MFA 2.0 uses phish-proof, passwordless authentication built on public-key cryptography, the same technology found in Apple Pay and Google Pay. A private key stays on the user’s device and never leaves it. The device signs a server-issued challenge, and the service validates the signature against the registered public key. Because no reusable secret travels the network, stolen credentials lose their value.
This approach requires only the device the user already holds (no secondary authenticator) and maintains no central credential database. It applies across registration, device onboarding, authorization, authentication, and decommissioning, closing the stages that credential-based systems leave open.
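The challenge-response flow described above, and the contrast with the reusable secrets discussed in the credential-reuse section, as an added example written for this article (it is not IDEE's AuthN implementation or any code from the page). It assumes Ed25519 from Go's standard library, a hypothetical relying-party identifier bank.example, constructed device IDs phone-1 and laptop-9, and in-memory maps standing in for the device's secure enclave and the server's key store. The server holds only public keys and single-use challenges, so a captured login response cannot be replayed and an unregistered device cannot authenticate even if it knows the username.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

var (
	ErrUnknownChallenge = errors.New("challenge unknown or already consumed")
	ErrExpiredChallenge = errors.New("challenge expired")
	ErrUnknownDevice    = errors.New("device not registered for this user")
	ErrBadSignature     = errors.New("signature does not verify under registered key")
)

// Device stands in for a user's phone or laptop. The private key is generated
// here and never exported; in a real deployment it would sit in a secure enclave.
type Device struct {
	ID   string
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewDevice(id string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv, pub: pub}, nil
}

// signingInput binds the challenge to the relying-party identifier so a
// signature produced for one service cannot be replayed to another.
func signingInput(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"|"), challenge...)
}

// Sign is the only operation the device ever performs with its private key.
func (d *Device) Sign(rpID string, challenge []byte) []byte {
	return ed25519.Sign(d.priv, signingInput(rpID, challenge))
}

type pendingChallenge struct {
	user    string
	expires time.Time
}

// Server stores public keys only: there is no reusable secret here to steal.
type Server struct {
	RPID    string
	keys    map[string]map[string]ed25519.PublicKey // user -> device ID -> public key
	pending map[string]pendingChallenge             // hex(challenge) -> owner and expiry
	ttl     time.Duration
}

func NewServer(rpID string) *Server {
	return &Server{RPID: rpID, keys: map[string]map[string]ed25519.PublicKey{},
		pending: map[string]pendingChallenge{}, ttl: 2 * time.Minute}
}

// Register records the device's public key under the user (device onboarding).
func (s *Server) Register(user string, d *Device) {
	if s.keys[user] == nil {
		s.keys[user] = map[string]ed25519.PublicKey{}
	}
	s.keys[user][d.ID] = d.pub
}

// NewChallenge issues a fresh 32-byte random nonce that can be redeemed once.
func (s *Server) NewChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(c)] = pendingChallenge{user: user, expires: time.Now().Add(s.ttl)}
	return c, nil
}

// Verify consumes the challenge before checking anything else, so a failed
// attempt cannot be retried against the same nonce, then validates the
// signature under the key registered for (user, device).
func (s *Server) Verify(user, deviceID string, challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	p, ok := s.pending[key]
	delete(s.pending, key)
	if !ok || p.user != user {
		return ErrUnknownChallenge
	}
	if time.Now().After(p.expires) {
		return ErrExpiredChallenge
	}
	pub, ok := s.keys[user][deviceID]
	if !ok {
		return ErrUnknownDevice
	}
	if !ed25519.Verify(pub, signingInput(s.RPID, challenge), sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	srv := NewServer("bank.example") // hypothetical relying-party ID
	phone, _ := NewDevice("phone-1")
	srv.Register("alice", phone)
	ch, _ := srv.NewChallenge("alice")
	sig := phone.Sign(srv.RPID, ch)
	fmt.Println("fresh login:", srv.Verify("alice", "phone-1", ch, sig))
	fmt.Println("replay of captured response:", srv.Verify("alice", "phone-1", ch, sig))
	laptop, _ := NewDevice("laptop-9") // never registered for alice
	ch2, _ := srv.NewChallenge("alice")
	fmt.Println("unregistered device:", srv.Verify("alice", "laptop-9", ch2, laptop.Sign(srv.RPID, ch2)))
}
```

The point to notice is what the server's store contains: with a password system, copying the credential table (or capturing one login) yields something that works from any machine, which is the failure pattern described above; here, copying the `keys` map yields only public keys, and a captured `(challenge, sig)` pair is dead on arrival because the nonce has already been consumed.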
Why Detection Cannot Replace Prevention
FIDO2 and passkeys strengthen the login step yet leave earlier and later stages exposed. Bank Sepah’s exposure began before any login ceremony, through credentials that could be obtained and replayed outside controlled flows. Device-bound verification eliminates that exposure because cryptographic proof cannot be transferred or reused.
MFA 2.0 is not continuous authentication, behavioral monitoring, anomaly detection, session analysis, or risk-based authentication. Its principle is prevention: the attack cannot succeed because there are no transferable credentials to compromise. Implementations such as AuthN by IDEE demonstrate that keys remain tied to the hardware or secure enclave where they were created, removing the need for secondary devices while protecting both customer and administrative accounts through the same mechanism.