FIRESIDE CHAT: In the AI age, your MFA, authentication apps can be compromised in minutes
<div class="entry" morss_own_score="5.445652173913044" morss_score="37.61623446518499"> <img decoding="async" src="https://www.lastwatchdog.com/wp/wp-content/uploads/Fireside-Chat_2025_brshed-960x609.jpg"> <h5>By Byron V. Acohido</h5> <p>The authentication layer that corporate America spent a decade building is now a liability.</p> <p><em><strong>Listen to the podcast:</strong> <a href="https://soundcloud.com/byron-acohido/token-podcast-reduce-room?si=6b6ffba72873484581bea0a16583e93b&utm_source=clipboard&utm_medium=text&utm_campaign=social_sharing">The day MFA became the problem</a></em></p> <p>That’s the blunt assessment of Kevin Surace, chairman of <a href="https://www.tokencore.com/">Token</a>, a Rochester, N.Y.-based security company whose biometric hardware is drawing attention from enterprise security teams and federal regulators alike. Surace made the case in a recent LastWatchdog Fireside Chat podcast ahead of RSAC 2026.</p> <p>The numbers back him up. When Microsoft dismantled the <a href="https://www.microsoft.com/en-us/security/blog/2026/03/04/inside-tycoon2fa-how-a-leading-aitm-phishing-kit-operated-at-scale/">Tycoon 2FA</a> phishing kit last year, investigators confirmed the tool had been used to execute 96,000 successful break-ins — every one of them bypassing a legitimate authentication app.</p> <p>“All the MFA you’ve been using and all the auth apps you’ve been using are compromisable in minutes,” Surace said. “If someone wants to compromise them, that’s the bottom line.”</p> <p>The shift accelerated, Surace explained, when major platforms began mandating MFA. Salesforce’s move to enforce its authenticator app across its entire customer base became a flare in the sky for threat actors. 
Within a week, kits to defeat it were in circulation.</p> <p><a href="https://www.lastwatchdog.com/wp/wp-content/uploads/token-use-case.png"><img decoding="async" src="https://www.lastwatchdog.com/wp/wp-content/uploads/token-use-case-520x332.png"></a>Token’s answer is hardware-bound biometric authentication. The company’s Token Ring and Token BioStick devices store a user’s fingerprint locally, cryptographically bind it to a specific domain, and require physical proximity to complete a login. No credential leaves the device. No remote relay attack can replicate it.</p> <p>Insurance carriers and the FBI have begun signaling the same direction — pushing organizations toward phishing-proof biometric authentication as a baseline standard.</p> <p>“Shut the front door,” Surace said. “If the front door was closed and locked and deadbolted, you wouldn’t worry about getting in the network as much.”</p> <p><a href="https://www.lastwatchdog.com/wp/wp-content/uploads/Byron-sepia-hedcut-1.png"><img decoding="async" src="https://www.lastwatchdog.com/wp/wp-content/uploads/Byron-sepia-hedcut-1-100x139.png"></a></p> <p>Acohido</p> <p><em><a href="https://www.lastwatchdog.com/pulitzer-centennial-highlights-role-journalism/">Pulitzer Prize-winning </a>business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.</em></p> <p><em>(<strong>Editor’s note</strong>: I used Claude and ChatGPT to assist with research compilation, source discovery, and early draft structuring. All interviews, analysis, fact-checking, and final writing are my own. 
I remain responsible for every claim and conclusion.)</em></p> <p>March 22nd, 2026 </p></div><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.lastwatchdog.com">The Last Watchdog</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by bacohido">bacohido</a>. Read the original post at: <a href="https://www.lastwatchdog.com/fireside-chat-in-the-ai-age-your-mfa-authentication-apps-can-be-compromised-in-minutes/">https://www.lastwatchdog.com/fireside-chat-in-the-ai-age-your-mfa-authentication-apps-can-be-compromised-in-minutes/</a> </p>