Why Passwords Still Get Stolen: The Case for Device-Bound Credentials
Passwords, tokens, and session cookies fail because they move between systems. Device-bound credentials using TPMs eliminate credential theft at the architecture level.

Why Credential Theft Keeps Working
In 2025, credential theft increased 160% year over year. Attackers stole 1.8 billion logins from 5.8 million infected hosts. Of those stolen credentials, 276 million included active session cookies, giving attackers direct access to authenticated sessions without needing a password at all.
The Verizon 2025 Data Breach Investigations Report found that 88% of web application incidents involved stolen credentials. Not zero-day exploits. Not sophisticated malware. Stolen usernames, passwords, and tokens.
The security industry responds to these numbers with more MFA prompts, shorter token lifetimes, and faster password rotation policies. But these are mitigations, not fixes. They reduce the blast radius of credential theft without addressing why credentials keep getting stolen in the first place.
Jasson Casey, CEO of Beyond Identity, frames it differently. "It's not necessarily that long-lived and rotation is the problem," he explained on The Security Podcast of Silicon Valley. "The problem is that it moves in the first place."
The Real Problem: Secrets That Move
Every authentication system built on shared secrets has the same structural flaw. The secret has to travel from one place to another, and every stop along the way creates a copy that can be intercepted.
Casey walks through what actually happens when a user types a password into a browser. "Imagine I'm a piece of data traveling from the browser all the way back to the database on the back end," he said. "You're getting written and read from memory on the local system. If you're in an enterprise, probably in a Palo Alto or a Zscaler reverse proxy, a content distribution network, probably in the ALB if you're in Amazon, maybe in another load balancer, probably in a Kubernetes service mesh."
Every hop that terminates TLS (the reverse proxy, the CDN edge, the load balancer, the mesh sidecar) decrypts the request and holds the plaintext credential in its own memory, at least until that memory is overwritten. "When I store and then load a piece of memory, the data is still in the memory unless I go back and write over that memory," Casey noted.
This is not a theoretical risk. The 2017 Cloudbleed incident demonstrated it concretely: a buffer overrun in Cloudflare's HTML parser caused edge servers to return chunks of adjacent heap memory from other customers' requests, exposing cookies, authentication tokens, and POST bodies that happened to be in memory at the time. More recently, the threat actor Secret Blizzard (attributed to Russia's FSB) has been intercepting the TLS connections of diplomatic organizations from an adversary-in-the-middle position, after getting a rogue root certificate installed on the target devices so that the interception looks to the victim like a valid end-to-end connection.
The pattern extends beyond passwords. Access tokens, API keys, session cookies: they all move. They all get copied into memory at multiple points. They all create attack surface.
This is fundamentally different from the way most organizations think about zero trust security. Zero trust assumes the network is hostile, but many implementations still rely on shared secrets for authentication, re-creating the same vulnerability at the identity layer.
How Device-Bound Credentials Work
The fix that Casey and his team built starts with a simple question: "Is there a world where it didn't have to move?"
The answer uses asymmetric cryptography. Instead of sharing a secret with the server, the device generates a key pair, keeps the private key, and registers only the public key. At login the server sends a fresh random challenge and the device returns a signature over it; the server checks the signature against the stored public key. Nothing that crosses the network (the public key, the challenge, or the signature) lets an attacker authenticate later, because the signature is valid only for that one challenge.
But Beyond Identity took it further. "One of our guys came up with this stronger idea," Casey said. "What if we could guarantee it didn't move?"
The guarantee comes from hardware security components already present in most modern devices. TPMs (Trusted Platform Modules) in laptops and desktops, the Secure Enclave in Apple devices, and TrustZone-based trusted execution environments on Arm SoCs (the basis of Android's hardware-backed keystore) all provide the same core capability: they generate and use cryptographic keys inside a tamper-resistant boundary that does not allow the private key to be exported.
TPM-generated keys have a critical property: the private key material never leaves the chip. Even an attacker with full administrative access to the operating system cannot extract a TPM-protected key the way tools like Mimikatz pull password hashes and Kerberos tickets out of LSASS memory. The key can sign authentication challenges, but it cannot be copied. The caveat a practitioner should keep in mind is that non-exportable is not the same as unusable: malware running on the device can still ask the TPM to sign while it is there, which is why device-bound authentication is normally paired with a user-presence or user-verification gesture on each use and with checks on the device's security posture. What the attacker cannot do is take the credential with them and use it from somewhere else.
Beyond that, the device can produce a cryptographic attestation proving the key was generated inside the TPM with its non-exportable attributes set: the TPM certifies the key with an attestation key that chains to an endorsement certificate issued by the TPM manufacturer, so the server can verify the claim without trusting the operating system. This is the same principle behind the HSMs (Hardware Security Modules) that certificate authorities use to protect their TLS-issuing keys, applied to client-side authentication.
The W3C is standardizing a related mechanism, Device Bound Session Credentials (DBSC), a draft specification that binds a web session to a private key held on the device. The session cookie becomes short-lived, and the browser keeps it alive by signing fresh server challenges with that key. A cookie stolen by malware therefore stops working once it expires or is rotated, because an attacker on another device has no key with which to refresh it.
What Changes When Credentials Never Leave the Device
When the secret never moves, entire attack categories disappear.
Credential stuffing requires a stolen password. If there is no password, there is nothing to stuff. Phishing requires a user to enter credentials on a fake site. With a hardware-bound key exchange there is nothing to type, and the signature the device produces covers the origin the browser is actually connected to, so an assertion captured by a look-alike site does not verify at the real one. Session hijacking requires copying a session token. If the session is bound to a TPM-backed key, the stolen token cannot be kept alive from another device.
Casey put it bluntly: "If I can guarantee credentials don't move, then credential theft goes away. Stuffing, spraying, all of that goes away."
This shifts the security model from the detection-and-response cycle of the 2010s toward prevention. "I think this decade is interesting because we can shift a lot of our attention from detect and respond a little bit left to identify and protect, which is really more about prevention," Casey said.
The shift is already underway. Sixty-nine percent of users now have at least one passkey, and 48% of the top 100 websites support them. Login success rates with passkeys reach 93%, compared to 63% with traditional authentication. The passwordless authentication market is projected to reach $55.7 billion by 2030.
The distinction that matters most in this transition is hardware-bound versus software-synced passkeys. Synced passkeys (like those backed up through iCloud Keychain or Google Password Manager) improve usability, but the private key exists in a form that software can export to the vendor's cloud and copy to the user's other devices; its confidentiality then rests on the sync fabric's end-to-end encryption and on the account that protects it. Hardware-bound passkeys stored in TPMs or secure enclaves provide the stronger guarantee: the key cannot be exported from the device at all. A relying party can tell the two apart at registration, through the authenticator's attestation statement and the backup-eligible (BE) and backed-up (BS) flags in the authenticator data.
For organizations serious about eliminating credential theft rather than mitigating it, hardware-bound is the architecture that delivers. The same principle applies to AI agent authentication: non-human identities handling sensitive operations need credentials that cannot be exfiltrated from the runtime environment.
Enterprise Deployment: What Actually Breaks
The technology works. The deployment is where it gets hard.
Casey is candid about what Beyond Identity learned from rolling out device-bound credentials at scale. "Big lessons learned from us were the standard operating procedure in the identity world is to involve the entire workforce in rollouts. That's horrible."
Asking every employee to change their password is asking them to participate in a security infrastructure deployment. "You're basically asking everyone in your workforce to go help you, person in charge of IT or security, go change or update a security control in the business," Casey explained. "I put the failure more on the system designers like us. Why did we come up with a system where the end user has to be involved in what is fundamentally a technical operation?"
With device-bound credentials, the goal is reducing end-user involvement to the absolute minimum. The device already has the hardware. The key generation can happen silently. The authentication can happen transparently.
But enterprise buyers are not monolithic. Casey identifies four distinct personas that can each block a deployment: the champion, the budget holder, the administrator, and the end user. "The way that you make your product sell to these different personas can actually be at odds with each other," he noted. Product management, UX, and product marketing need to be aligned on solving for all four.
The most successful deployments embed Beyond Identity engineers alongside customer teams. "Enterprise administrators have grown up and expect that if you are critical infrastructure to their business, you're going to be available and be in the trenches with them," Casey said. Legacy application compatibility, BYOD policies, and device-loss recovery workflows are the friction points that determine whether a rollout succeeds or stalls.
The authorization layer faces similar enterprise adoption challenges: the technology is straightforward, but the organizational integration demands close collaboration between vendor and customer engineering teams.
Listen to the Full Episode
Jasson Casey joined Jon McLachlan and Sasha Sinkevich (co-founders of YSecurity and Cyberbase.ai) on The Security Podcast of Silicon Valley to discuss why identity, not infrastructure, is the real security boundary.
The conversation covers the full arc from TLS vulnerabilities and the Cloudbleed incident to TPM architecture, enterprise deployment lessons, and how Beyond Identity's product has held up against state-actor attacks.