FIRESIDE CHAT: In the AI age, your MFA, authentication apps can be compromised in minutes



By Byron V. Acohido
The authentication layer that corporate America spent a decade building is now a liability.
Listen to the podcast: The day MFA became the problem
That’s the blunt assessment of Kevin Surace, chairman of Token, a Rochester, N.Y.-based security company whose biometric hardware is drawing attention from enterprise security teams and federal regulators alike. Surace made the case in a recent LastWatchdog Fireside Chat podcast ahead of RSAC 2026.
The numbers back him up. When Microsoft dismantled the Tycoon 2FA phishing kit last year, investigators confirmed the tool had been used to execute 96,000 successful break-ins — every one of them bypassing a legitimate authentication app.
“All the MFA you’ve been using and all the auth apps you’ve been using are compromisable in minutes,” Surace said. “If someone wants to compromise them, that’s the bottom line.”
The shift accelerated, Surace explained, when major platforms began mandating MFA. Salesforce’s move to enforce its authenticator app across its entire customer base became a flare in the sky for threat actors. Within a week, kits to defeat it were in circulation.
Token’s answer is hardware-bound biometric authentication. The company’s Token Ring and Token BioStick devices store a user’s fingerprint locally, cryptographically bind it to a specific domain, and require physical proximity to complete a login. No credential leaves the device. No remote relay attack can replicate it.
Insurance carriers and the FBI have begun signaling the same direction — pushing organizations toward phishing-proof biometric authentication as a baseline standard.
“Shut the front door,” Surace said. “If the front door was closed and locked and deadbolted, you wouldn’t worry about getting in the network as much.”

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(Editor’s note: I used Claude and ChatGPT to assist with research compilation, source discovery, and early draft structuring. All interviews, analysis, fact-checking, and final writing are my own. I remain responsible for every claim and conclusion.)

March 22nd, 2026

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/fireside-chat-in-the-ai-age-your-mfa-authentication-apps-can-be-compromised-in-minutes/
