A single set of valid credentials proved sufficient for attackers to reach administrative interfaces, move laterally, and trigger ransomware deployment at Under Armour. No zero-day exploit or advanced malware was required. The decisive factor was an authentication system that continued to treat transferable secrets as adequate proof of identity.

Public reporting shows the November 2025 incident began with credential access obtained through phishing or infostealer malware. Attackers used those credentials against remote portals and VPN services. Once initial sessions were established, they harvested additional credentials, escalated privileges, and executed ransomware while exfiltrating data. The pattern illustrates how reusable authentication factors allowed the entire sequence to proceed under legitimate-looking identities.

Why Credential Reuse Succeeded

Standard multi-factor methods such as SMS codes, time-based one-time passwords, and push notifications failed to block the access because each factor remains transferable. An attacker who captures or intercepts the response can replay it in the same login flow the legitimate user would follow. The system then issues a session token without ever confirming that the cryptographic material originated from the registered device. This design leaves the perimeter open to any party holding the right combination of secrets, regardless of other security controls in place.

How Device-Bound Public-Key Authentication Changes the Outcome

MFA 2.0 replaces reusable credentials with private keys that remain on the user’s hardware and never leave the device. Authentication occurs through a challenge-response protocol verified against the corresponding public key registered during onboarding. Because the private key is non-exportable and the protocol is bound to the same device, an adversary possessing only stolen usernames or passwords cannot complete the proof. No code is sent for interception, no notification appears for approval, and no central database exists that can be drained.
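The contrast drawn in the two preceding sections (a relayed one-time code is accepted because the server cannot tell who typed it, while a signed single-use challenge bound to the origin cannot be replayed or relayed) can be run end to end in a short model. The following is an added example written for this page; it is not code from IDEE or AuthN, and the relying-party origin `sso.example`, the user `alice`, the phishing origin `sso-example.phish` and the TOTP seed are all constructed placeholders. The origin-binding step is a simplification of what WebAuthn does through the client data the browser signs over.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// ---------- Reusable factor: RFC 6238 TOTP (HMAC-SHA1, 6 digits) ----------

// totp computes the code for one 30-second time step (the HOTP core of RFC 4226).
func totp(secret []byte, step uint64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], step)
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// totpLogin models a relying party that accepts any correct code for the current
// step. It cannot tell who typed the code, so a relayed code is accepted.
func totpLogin(secret []byte, step uint64, presented string) bool {
	return subtle.ConstantTimeCompare([]byte(totp(secret, step)), []byte(presented)) == 1
}

// ---------- Device-bound factor: signed single-use challenge ----------

// signedData is what the device signs: the server nonce plus the origin the
// client is actually talking to (the idea behind WebAuthn's clientData origin).
func signedData(challenge []byte, origin string) []byte {
	return append(append([]byte{}, challenge...), origin...)
}

// RelyingParty stores keys enrolled at onboarding and outstanding challenges.
type RelyingParty struct {
	rpID       string
	registered map[string]ed25519.PublicKey // user -> enrolled public key
	pending    map[string][]byte            // user -> unused challenge
}

func NewRelyingParty(rpID string) *RelyingParty {
	return &RelyingParty{rpID: rpID, registered: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.registered[user] = pub }

// Challenge issues a fresh 32-byte nonce that is valid for exactly one assertion.
func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.pending[user] = c
	return c
}

// Verify consumes the pending challenge and checks the signature over
// (challenge || rpID) against the enrolled key. A replay fails because the
// nonce is gone; a phishing relay fails because the signed origin differs.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	c, ok := rp.pending[user]
	delete(rp.pending, user)
	pub, enrolled := rp.registered[user]
	if !ok || !enrolled {
		return false
	}
	return ed25519.Verify(pub, signedData(c, rp.rpID), sig)
}

// Device models a non-exportable private key: it can sign and nothing else.
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() (*Device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv: priv}, pub
}

// Sign produces an assertion bound to the origin the user is actually visiting.
func (d *Device) Sign(challenge []byte, origin string) []byte {
	return ed25519.Sign(d.priv, signedData(challenge, origin))
}

// Scenarios runs the same credential-theft cases against both schemes and
// reports whether each login attempt was accepted.
func Scenarios() map[string]bool {
	out := map[string]bool{}

	// TOTP: the victim types the code into a phishing page and the attacker
	// relays it within the same 30-second step. Constructed seed, not a real enrolment.
	seed := []byte("constructed-seed-for-demo-only")
	step := uint64(1_700_000_000 / 30)
	out["totp_relay_accepted"] = totpLogin(seed, step, totp(seed, step))

	rp := NewRelyingParty("sso.example") // hypothetical relying-party origin
	dev, pub := NewDevice()
	rp.Register("alice", pub) // hypothetical user enrolled at onboarding

	// Legitimate login on the real origin.
	out["device_legit_accepted"] = rp.Verify("alice", dev.Sign(rp.Challenge("alice"), "sso.example"))

	// Replay: the attacker resubmits an assertion observed earlier.
	old := dev.Sign(rp.Challenge("alice"), "sso.example")
	rp.Verify("alice", old) // the genuine login consumes the nonce
	rp.Challenge("alice")   // attacker starts a new login and replays the old assertion
	out["device_replay_accepted"] = rp.Verify("alice", old)

	// Phishing relay: the device signs for the origin it is actually on.
	out["device_phish_relay_accepted"] = rp.Verify("alice", dev.Sign(rp.Challenge("alice"), "sso-example.phish"))

	// Stolen username and password but no enrolled key: another key cannot sign for alice.
	rogue, _ := NewDevice()
	out["device_no_enrolled_key_accepted"] = rp.Verify("alice", rogue.Sign(rp.Challenge("alice"), "sso.example"))
	return out
}

func main() {
	for k, v := range Scenarios() {
		fmt.Printf("%-32s %v\n", k, v)
	}
}
```

Running the program prints `totp_relay_accepted true` and `device_legit_accepted true`, with the replay, phishing-relay and no-enrolled-key cases all `false`. The design point is in `Verify`: the server never learns a reusable secret, it only ever checks a signature over a nonce it minted and an origin it owns, so there is nothing for a phishing page or an infostealer to capture that is still valid at the next login.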

This approach is prevention-focused. The attack cannot succeed because there are no phishable factors to compromise. Coverage spans registration, device onboarding, authorization, authentication, and decommissioning instead of stopping at the initial login prompt. FIDO2 and passkeys have already demonstrated that public-key methods can secure individual events; MFA 2.0 applies the same cryptographic principle consistently across the full identity lifecycle.

One implementation of this model is AuthN by IDEE, which enforces device-bound keys without requiring a second device. During device loss or replacement, the registered public key is decommissioned through an administrator-approved process that again relies solely on non-phishable factors. Cryptographic verification happens at the moment of authentication rather than through analysis of ongoing sessions.

Practical Differences in Credential-Driven Incidents

By removing the transferable secrets that allowed the Under Armour attackers to establish trusted sessions, organizations eliminate the first step that led to ransomware deployment and data exposure.