Every breach you hear about — ransomware, credential stuffing, MFA bypass, identity takeover — starts from the same root flaw: third‑party services are allowed to handle your primary credentials.
What Is SAPS?
But they do. Every day. Everywhere.
HR portals, payroll systems, SaaS platforms, school systems, healthcare portals, banking dashboards, and even social media sites — they all ask for the same thing:
And because the internet was built this way 20 years ago, we all just… accepted it.
When a third‑party service stores your password hash, it becomes a single point of failure. If they get breached, attackers don’t just get access to that service — they get access to you.
This is not a bug. It’s the design of the modern internet.
Multi‑factor authentication (MFA) is widely assumed to protect user identity. In reality, it only protects the authentication process of the service being accessed.
MFA secures the service endpoint — not the user’s identity.
However, the critical weakness occurs at the password submission stage. Once the password is entered, the receiving endpoint — legitimate or malicious — has already captured it.
The verification code does not protect the credential; it only validates the session.
If the endpoint is compromised, spoofed, or part of a phishing attack, credential exposure occurs before the MFA challenge is even delivered.
This architectural flaw is the primary reason MFA bypass attacks continue to increase. The vulnerability is inherent to the model, not the second factor itself.
These limitations are structural. As long as primary credentials leave the identity provider, the model cannot provide end‑to‑end identity protection.
SAPS addresses this by ensuring primary credentials never leave the identity provider.
Security isn’t the only problem. The modern login experience is a daily source of frustration for users.
Most people don’t understand what an SMS or email code actually does. Older adults and non‑technical users often assume any box asking for a code is legitimate. They enter the code into phishing pages, fake login screens, or random websites “just to see if it works.” The system is so confusing that users are trained to give attackers exactly what they need.
Users aren’t failing security because they’re careless. They’re failing because the system is inconsistent, repetitive, and fragile.
Thumbprints and face scans were supposed to make things easier. Instead, they mostly unlock devices — not identity. They do nothing to fix the fact that primary credentials are still handed to random services across the internet.
SMS and email codes are slow, unreliable, and vulnerable to SIM‑swaps and interception. Yet they’re still treated as “good enough” security.
The result: users are exhausted. The system is harder than it needs to be — and none of this fixes the root problem: primary credentials still leave the identity provider.
SAPS does not ask users to change how they think about identity. It changes where identity is protected.
Users do not have to remember a second password. SAPS uses secure device autofill, so the secondary credential is never typed, memorized, or managed by the user.
The experience feels exactly like a normal login:
Behind the scenes: SAPS isolates your identity, rotates credentials, and blocks phishing automatically — but the user experience stays effortless.
Because autofill only works on the real website domain, SAPS will not fill on fake or phishing pages. This gives users stronger protection than passwords, MFA codes, or authenticator apps — without adding any extra steps.
This removes the only real objection users have about “two passwords.” In practice, SAPS feels easier than MFA and safer than passwords.
Result: A familiar login experience, with a hard boundary preventing service‑level compromise from escalating into identity‑level control.
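The claim above is that autofill is bound to the real website domain and therefore refuses to fill on fake or phishing pages. The following is an added illustration, not SAPS code and not a description of how the SAPS product implements it: a small Python model of a strict origin check (scheme, host and port must all match the origin the credential was registered against, over HTTPS), placed next to a loose substring match so the difference on lookalike URLs is visible. The origin `https://login.example.com` and the sample page URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Origin the secondary credential was registered against (constructed sample value).
REGISTERED_ORIGIN = "https://login.example.com"

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url: str):
    """Return the (scheme, host, port) origin tuple for a URL, or None if unusable."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    scheme = parts.scheme.lower()
    # urlsplit already lowercases the host; a trailing dot names the same host.
    host = parts.hostname.lower().rstrip(".")
    try:
        port = parts.port or DEFAULT_PORTS.get(scheme)
    except ValueError:  # malformed port in the URL
        return None
    return (scheme, host, port)


def should_autofill(page_url: str, registered_origin: str = REGISTERED_ORIGIN) -> bool:
    """Fill only when the page origin equals the registered origin exactly, over HTTPS."""
    page = origin_of(page_url)
    registered = origin_of(registered_origin)
    if page is None or registered is None:
        return False
    return page == registered and page[0] == "https"


def naive_should_autofill(page_url: str, registered_host: str = "login.example.com") -> bool:
    """Substring match: the loose check that lookalike URLs defeat (shown for contrast)."""
    return registered_host in page_url


# Constructed sample of pages a user might land on, with the expected strict decision.
SAMPLE_PAGES = {
    "https://login.example.com/session/new": True,
    "https://LOGIN.Example.COM/": True,                   # host comparison is case-insensitive
    "https://login.example.com.evil.test/login": False,   # real host reused as a subdomain
    "https://login-example.com/": False,                  # typo-squat
    "https://evil.test/?next=login.example.com": False,   # real host appears only in the query
    "http://login.example.com/": False,                   # scheme downgrade
    "https://login.example.com:8443/": False,             # different port is a different origin
}


def decisions(pages=SAMPLE_PAGES):
    """Map each URL to (strict decision, naive decision)."""
    return {url: (should_autofill(url), naive_should_autofill(url)) for url in pages}


if __name__ == "__main__":
    for url, (strict, naive) in decisions().items():
        print(f"{'FILL  ' if strict else 'REFUSE'}  naive={naive!s:5}  {url}")
```

The point of the contrast is the second and fifth sample rows: a substring matcher fills on `login.example.com.evil.test` and on a URL that merely mentions the host in its query string, while the strict origin comparison refuses both. Real password managers and WebAuthn relying-party checks apply this same exact-origin rule.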
Every major breach — from small companies to global enterprises — starts with the same thing:
Not zero‑days. Not nation‑state attacks. Not advanced malware.
Just passwords.
The internet still runs on a single‑credential identity model that was never designed for today’s world.
Your bank doesn’t let random websites withdraw money from your account.
So why do we let random websites handle our primary identity credentials?
The internet needs a separation. A rule. A boundary.
SAPS introduces a simple rule the internet has been missing for 20 years:
Service‑level access can never escalate into identity‑level control.
SAPS separates identity from service access using two credentials and a strict non‑escalation rule.
Two credential domains: primary stays at the IdP, secondary stays with services, and tokens are unique per service.
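To make the two-credential, non-escalation rule concrete (and the earlier point that the model only works if the primary credential never leaves the identity provider), here is an added Python model. It is not SAPS code and does not describe the product's actual protocol: the identity provider holds a salted hash of the primary credential and never returns it; each service is issued its own random secondary credential, which the device autofill would present on the user's behalf; rotation replaces a service's credential. The checks at the end show what a compromised service actually gets. The names `IdentityProvider`, `Service`, `escalation_check` and the service identifiers are constructed for the example.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # illustrative; tune to your latency budget in practice


def _derive(value: str, salt: bytes) -> bytes:
    """Salted, slow hash used for stored credentials on both sides."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, PBKDF2_ROUNDS)


class IdentityProvider:
    """Holds the primary credential; hands each service a separate secondary credential."""

    def __init__(self, primary_password: str):
        # The primary credential is stored only here, as a salted hash. No method returns it.
        self._salt = secrets.token_bytes(16)
        self._primary_hash = _derive(primary_password, self._salt)
        # Current secondary credential per service. In a real deployment this lives in the
        # user's device autofill store; it is kept here so the example can simulate a leak.
        self._secondary = {}

    def verify_primary(self, candidate: str) -> bool:
        return hmac.compare_digest(_derive(candidate, self._salt), self._primary_hash)

    def issue_secondary(self, service_id: str) -> str:
        """Create (or rotate) one service's secondary credential.

        It is random, so it reveals nothing about the primary credential and nothing
        about any other service's credential; calling this again rotates it.
        """
        cred = secrets.token_urlsafe(24)
        self._secondary[service_id] = cred
        return cred

    def current_secondary(self, service_id: str) -> str:
        return self._secondary[service_id]


class Service:
    """A relying party. It only ever receives its own secondary credential."""

    def __init__(self, service_id: str):
        self.service_id = service_id
        self._salt = secrets.token_bytes(16)
        self._stored_hash = None

    def enroll(self, secondary: str) -> None:
        self._salt = secrets.token_bytes(16)
        self._stored_hash = _derive(secondary, self._salt)

    def login(self, candidate: str) -> bool:
        if self._stored_hash is None:
            return False
        return hmac.compare_digest(_derive(candidate, self._salt), self._stored_hash)


def escalation_check(primary: str = "correct horse battery staple") -> dict:
    """Simulate one service being fully compromised and report what the leak reaches."""
    idp = IdentityProvider(primary)
    payroll, hr = Service("payroll.example"), Service("hr.example")
    for svc in (payroll, hr):
        svc.enroll(idp.issue_secondary(svc.service_id))

    # Worst case for the payroll service: its current secondary credential is exposed.
    leaked = idp.current_secondary("payroll.example")

    results = {
        "payroll_accepts_own_credential": payroll.login(leaked),
        "leak_reaches_idp": idp.verify_primary(leaked),          # non-escalation rule
        "leak_reaches_other_service": hr.login(leaked),          # per-service uniqueness
    }
    # The IdP rotates payroll's credential; the leaked value stops working there too.
    payroll.enroll(idp.issue_secondary("payroll.example"))
    results["leak_works_after_rotation"] = payroll.login(leaked)
    return results


if __name__ == "__main__":
    for name, value in escalation_check().items():
        print(f"{name}: {value}")
```

Expected outcome: only `payroll_accepts_own_credential` is true. The leaked value is useless at the identity provider, useless at the other service, and useless at payroll itself after rotation, which is the boundary the text describes between service-level compromise and identity-level control. Note that this model still assumes the device autofill sends the secondary credential only to the matching origin; without that, a phishing page could still collect one service's credential.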
These are public, documented incidents where attackers exploited the same flaw SAPS fixes: password reuse, identity escalation, and MFA bypass.
Uber Breach (2022)
Cause: Password reuse + MFA fatigue
Attackers bought a reused password, spammed MFA until approved, and gained full internal access.
Cause: Single reused VPN password
One leaked password shut down fuel pipelines across the U.S.
Cause: Developer account compromise
One compromised identity escalated into customer vault backups.