Legacy MFA and auth apps are obsolete. Hackers exploit them daily. Token stops them cold.

ROCHESTER, N.Y.: #BioKey--Token, a revolutionary provider of secure, biometric identity protection solutions, announced that its technology is the industry’s only available solution that could have prevented the serious data breach that Aflac confirmed on June 20, 2025. The Alflac breach possibly exposed customers’ Social Security numbers, insurance claims, and personal health information and is considered to be the biggest breach in a growing wave of cyberattacks targeting the insurance industry.

“With billions in revenue and millions of customers, Aflac now joins a troubling list,” said Kevin Surace, Chair, Token. “Erie Insurance and Philadelphia Insurance Companies were also hit this month, with major IT disruptions affecting customer services.”

According to industry experts, sources close to the investigation say all signs point to Scattered Spider —a fast-moving, aggressive cybercrime group that’s quickly becoming a top threat. The breach method relies on (and expects) legacy multi-factor authentication (MFA) — where SMS codes can be intercepted or relayed, and users can be tricked into approving authenticator app prompts during real-time phishing. These methods are easily manipulated and no longer offer protection.

This type of hack requires little to no technical ability, and almost anyone who can create a simple spoofed webpage can execute this hack in minutes, leaving every company fully exposed today.

Token Ring and Token BioStick leverage a combination of biometric ID (fingerprint) and proximity (using encrypted Bluetooth) to the specific device logging in to the actual registered application. Token stores a unique private key per site, secured by fingerprint. During login, it signs a one-time challenge from the real site’s FIDO2 server, which verifies the signature and origin. If the origin doesn’t match, the login is rejected — blocking phishing and spoofing outright.

This stops real-time phishing because every credential is cryptographically locked to the exact web origin it was created for, and the authenticator will only sign a challenge that (a) comes from that origin and (b) is confirmed by a live fingerprint-match. A phisher can steal nothing re-usable and cannot trick the token into signing for the wrong site. If Aflac employees were using a Token product, the hack could not have occurred.

Why the “real-time relay” trick fails

Summary:

Because Token products store a negotiated key pair per site and will only release a signature when:

A remote adversary has no path to “spoof the key” or “forward the signature” the way they can with OTP codes or push-approval apps. Implemented correctly, FIDO2 offers true phishing-resistant MFA — and that’s what makes biometric Token products orders of magnitude safer than legacy MFA.

The fastest, most effective way to lock down your data and networks is to roll out Token Ring or Token BioStick across your workforce. Even if an employee falls for a phishing email, hackers still hit a dead end. Why? Because legacy MFA — like SMS codes and authenticator apps — is laughably easy to bypass. Hackers relay codes, spoof app prompts, and trick users every day.

But Token’s biometric FIDO2 authentication and proximity controls make that impossible. Credentials never leave the device, can’t be replayed, and only work with a live fingerprint match and the right domain next to the actual device logging in. It’s the difference between a padlock and a vault.

About Token

In a world of stolen identities and compromised user credentials, Token is changing the way our customers secure their organizations by providing passwordless, biometric, multifactor authentication. We deliver the next generation of multifactor authentication that is invulnerable to social engineering, malware, and tampering for organizations where breaches, data loss, and ransomware must be prevented. To learn more, visit www.tokenring.com.

Fonte: Business Wire