TokenCore and The End of MFA As We Know It

If you are a CISO still feeling smug about that big MFA rollout from the last two years, this one might sting. According to Kevin Surace, the executive behind TokenCore’s biometric assured identity platform, the bad guys have already moved on. In fact, they have been living rent free inside your “zero trust” narrative for a while.
“About 90% of the ransomware attacks over the last year, year and a half, have been identity based attacks,” Surace explains. That is not a side note. That is the story.
We have spent the last decade obsessing over perimeter firewalls, microsegmentation, EDR, and zero trust architectures. Yet the overwhelming majority of successful attacks are still walking in through the front door, wearing stolen credentials and MFA codes like a VIP badge.
Surace’s view is blunt:
“Virtually all attacks are coming in the front door.”
And that front door, in 2026, is your MFA and auth apps.
Welcome to the uncomfortable reality check.
Identity Is the New Perimeter, And It Is Paper Thin
Most security leaders intellectually accept that “identity is the new perimeter.” The problem is that the perimeter we have built around identity is laughably weak against modern phishing, spoofing, and relay attacks.
Surace lays it out in terms that should make any CISO squirm:
“We all are using auth apps and MFA, and in our mind, we think they are secure. They are the furthest from secure. They are essentially hackable by any team. It’s a ridiculously easy thing to do, and I could teach everyone how to do it here in one minute.”
This is the part of the movie where your training budget and phishing simulations quietly die inside. Because while awareness training helps around the edges, it absolutely does not change the fundamental math of human error at scale.
Kevin cites a telling example from the industry: a large Microsoft related compromise where attackers used shared MFA codes and compromised auth apps to break into 96,000 accounts and in some cases issue destructive wipe commands through Intune.
“They had broken into 96,000 accounts by essentially compromising the Microsoft auth app. They were not the right identity getting in. They were not the person that you wanted in there, but they were in there.”
Once inside, the attackers did what serious intruders always do. They escalated privileges, created a new global admin account, and even told Intune to wipe huge numbers of devices. Wiped clean, phones included.
The takeaway is painfully simple. A single identity slip can become an extinction level event for your environment. Surace estimates that for a company like that, just clawing back to operational normal could take “six or nine months” of grinding, expensive recovery work.
And no, your phishing training is not going to save you.
“Across an organization of hundreds or thousands of people who have a variety of access to data, you know some number between 10 and 30% will fall for it, no matter how much training you give them… There was a great study last year at UC San Diego across 19,000 workers… no matter how much training you gave them, it only improved the rate of identification of a spoofed email or phishing email by 2%.”
Two percent. That is what you bought with all those LMS modules everyone hates.
Zero Trust Without Assured Identity Is Just A Buzzword
The industry has wrapped itself in the comforting blanket of zero trust for the last five years. But as Kevin points out, a policy of “never trust, always verify” is only as good as your ability to verify an actual human, not just a secret or token.
“Zero trust has been sort of at the forefront of people’s minds for at least, we’ll say, five years or so. Zero trust encompasses a lot, including AI in the network and what can people access. But you shouldn’t trust anyone, and at some point we are going to have to move beyond what someone possesses or knowledge that can be shared.”
That phrase “knowledge that can be shared” is the crux.
Everything your current MFA stack depends on can be:
- Phished
- Spoofed
- Relayed
- Socially engineered
- Or simply approved by a tired user on autopilot while watching Netflix
“That’s what happens with these phishing spoofing attacks. You are coaxed into sharing your MFA code or touching your auth app and saying it’s you, but it’s not you. You’ve just let in the guy in Russia. You let in the bad actor.”
Zero trust architectures still largely accept “possessed a device or code” as equivalent to “is the human we intended to trust.” Surace’s whole argument is that this equivalence has become indefensible.
From MFA To Biometric Assured Identity
So what is the alternative? Kevin and the team behind TokenCore are betting hard on a category that Gartner has described as Assured Identity, with biometrics as the flagship technology.

“We think that the future – for Zoom communication, video communication, audio communication, or any access to any application or network with data – has to be biometric assured identity. Otherwise you don’t know who is logging in. You actually have no idea.”
The key word here is who. Not a device, not a password, not a one time code, not a magic link. A human.
Surace’s definition is straightforward:
“Biometric assured identity guarantees that the person logging in is the person period full stop.”
For TokenCore, that assurance is delivered primarily through fingerprints stored in dedicated hardware that users can carry with them.
- A small wireless device you can slap on the back of your phone
- Something you can keep on your keychain
- A form factor you can leave on your desk
- Even a wearable ring
These devices are not generic USB tokens or smartcards rebranded for 2026. They are purpose built wireless biometric devices with some critical properties:
- Fingerprint securely stored on device only
“That fingerprint is stored in a device that you have with you… in a secure element, so no one can get it out. It’s never shared, it’s never put in the network, because that would be a problem.”
- Domain bound authentication
When you register with an application, the credential is cryptographically bound to that specific domain.
“It is domain bound to that application. Domain bound means that if someone spoofed the site, and it was petegreen.salesforce.con instead of petegreen.salesforce.com, our device would do nothing, because your fingerprint is cryptographically bound to the original domain you signed in at, so nobody can spoof the domain.”
- Proximity bound using short range BLE
You must be physically close to the device that is logging in.
“You have to be proximal to the computer logging in, within three feet. It is not cellular, it is not Wi Fi, it’s only BLE, only Bluetooth, short range. So if I’m not within a few feet of the device that’s actually doing the logging in, it also doesn’t work.”
Compare that to your current auth app, which happily lets some attacker in another country light it up over Wi Fi and cellular and politely ask your user “Is this you?”
“The problem with auth apps is someone in Russia can light up your auth app because it works over cellular and Wi Fi. It says, Is this you? You go, Yeah, that’s me. Well, you can’t do that with our devices. Nothing happens.”
Identity stops being “whoever can reach the push notification” and becomes “the correct fingerprint is physically here, now, on the enrolled device and correct domain.”
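As an added illustration (not TokenCore's own code or protocol), the following constructed Python model shows the domain-binding property described above: the token keys its response on the exact origin the browser reports, so a challenge relayed through petegreen.salesforce.con fails verification at the genuine site even with a live fingerprint touch. Class and function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed illustration of domain-bound (origin-bound) authentication, the
# principle behind the "salesforce.con" quote above; not TokenCore's protocol.
# The token derives a per-origin key from a device secret and the exact origin
# the browser reports, so a look-alike domain yields a different key and a
# response the genuine site rejects, even when an attacker relays it live.

class Authenticator:
    """Hypothetical hardware token; the device secret never leaves it."""
    def __init__(self) -> None:
        self._device_secret = secrets.token_bytes(32)

    def _origin_key(self, origin: str) -> bytes:
        # Different origin string => different key; the secret itself is never shared.
        return hmac.new(self._device_secret, origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str, fingerprint_ok: bool) -> bytes:
        # Shared-secret model: the relying party stores the per-origin key at enrolment.
        if not fingerprint_ok:
            raise PermissionError("fingerprint not verified on device")
        return self._origin_key(origin)

    def sign_challenge(self, origin: str, challenge: bytes, fingerprint_ok: bool) -> bytes:
        if not fingerprint_ok:
            raise PermissionError("fingerprint not verified on device")
        # Keyed on the origin the browser is on right now, not the one the user thinks.
        return hmac.new(self._origin_key(origin), challenge, hashlib.sha256).digest()

class RelyingParty:
    """The genuine application at one fixed origin."""
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._enrolled_key = b""

    def enroll(self, key: bytes) -> None:
        self._enrolled_key = key

    def verify(self, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self._enrolled_key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def login_attempt(rp: RelyingParty, token: Authenticator, browser_origin: str) -> bool:
    # The challenge always comes from the genuine site; a phishing page merely relays it.
    challenge = secrets.token_bytes(16)
    response = token.sign_challenge(browser_origin, challenge, fingerprint_ok=True)
    return rp.verify(challenge, response)

def demo() -> tuple:
    rp = RelyingParty("https://petegreen.salesforce.com")
    token = Authenticator()
    rp.enroll(token.register(rp.origin, fingerprint_ok=True))
    genuine = login_attempt(rp, token, rp.origin)
    relayed = login_attempt(rp, token, "https://petegreen.salesforce.con")  # look-alike
    return genuine, relayed
```

Real deployments use public-key signatures rather than a shared HMAC key, but the origin-binding check that defeats the relayed login is the same.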
Why Fingerprints Beat Faces And Voices In The Age Of AI
By this point, you might be wondering about other biometrics. Face ID. Voice recognition. Behavioral models. Surely in 2026 the industry has something fancy here, right?
Surace has news for you, and it is not flattering to your favorite sci fi flavored control.
“With AI, your face, which I can find on the web in many places, and your voice, which I can find right after this podcast – all is eminently spoofable, like 100% with AI.”
Fingerprints, on the other hand, are fundamentally harder to capture and reuse at scale.
“What I don’t have is your fingerprint, and I can’t get your fingerprint unless I’m the FBI following you around to restaurants and grabbing a glass and dusting it, and maybe I can lift enough of that fingerprint to then generate an artificial finger. This is really hard to do, really hard, and it would have to be a perfect image. The likelihood of that is about zero, because, as we know, all these bad actors are thousands of miles away. They’re not following you around the restaurant.”
You also have ten fingers to work with.
“Even if somehow, I don’t see it happening, one got compromised, or a finger got injured, or something like that, you’ve got nine more. You can enroll all of them.”
The result is a biometric factor that is both difficult to steal remotely and practical to use at scale.
And it is fast.

“Fingerprint takes under two seconds. I can log in in two seconds, instead of 30 seconds with an auth app, so I’m actually saving time and gaining productivity with all my workers.”
Security that is stronger and faster is the only kind that survives contact with real users.
Continuous Assurance Without Driving Users Crazy
One natural concern with biometrics is session persistence. Once you have confirmed who is at the keyboard, how often do you need to re verify?
TokenCore supports live and periodic rechecks, but Surace is pragmatic about how much is actually needed.
“Once you have identified for sure biometrically, the person who’s logged in is the person, rechecking that they’re still the person five or 10 or 15 minutes later isn’t as important as getting in the first time.”
That said, some customers do opt for recurring checks.
“We do have customers who are doing that. Every 15 minutes, it comes up and it says, you’ve seen this, inactivity, right? There hasn’t been any activity. Verify it’s still you. In our case, you can actually ask the device to re-verify that this person is the person who they are with their fingerprint.”
For highly privileged roles like admins, you can crank that sensitivity up even further, verifying after just a minute or two of idle time.
But importantly, that is not where the real ransomware threat lives.
“In the ransomware department, that’s not happening. What’s happening is people are coming in from overseas. These are bad actors, generally Russia, China, North Korea, Iran, and today, Iran especially. That could change any day, but right now, they’re a pretty bad actor. That’s what we’re trying to protect against.”
The core value is stopping those remote identities from ever being able to log in as your users, even if they get the password, the MFA code, and a perfect clone of your web application.
MFA And Auth Apps: Great For Teenagers, Useless For Enterprises
He is not saying MFA is useless in every context. It is just useless as a serious control at enterprise scale against real adversaries.
“The real word here is that your MFA and auth apps don’t protect you one bit, not a bit. They protect Pete Green from some teen trying to get access to your bank account, I get that. They do not protect your company one bit, because with 100 employees, 1,000 employees, 10,000 employees, 30% of them are absolutely going to give up their auth app or give up their MFA code. I guarantee it. They do it every day, even when they think they’re not.”
The illusion of safety is arguably more dangerous than no control at all, because leadership believes a problem has been solved that in reality is just getting started.
This is where Kevin credits Roger Grimes of KnowBe4, who published a paper years ago describing a dozen ways MFA and auth apps would inevitably be compromised when attackers shifted their focus.
“All of those 12 methods have come to pass, some easier than others, but he called it. MFA and auth apps offer zero security from a reasonable team with almost no tech skills. It’s that easy.”
If you are still structuring your identity roadmap around legacy MFA as a primary control, you are essentially fortifying the Maginot Line in an age of tanks and aircraft.
Implementation Reality: Working With What You Already Have
Of course, CISOs do not live in slideware. They live inside stacks of legacy apps, brittle integrations, under resourced IAM teams, and executives who want miracles delivered by Q3.
Surace clearly understands that. The TokenCore model is built around fitting into what you already use, not ripping and replacing your entire identity ecosystem.
“We work with essentially all the SSOs and enterprise apps. So we work with what you have. You can set someone up in a minute or two, and they can set themselves up across 50, 100 applications.”
That matters, because the only thing more unrealistic than “just train users more” is “just re architect every identity integration you have.”
There is also an interesting adoption pattern: users start with corporate logins, then bring the same biometric device into their personal lives.
“What’s interesting we find is they use it at work, they bring it home, and they set themselves up for their bank accounts and other accounts at home, and then they have like 100 logins they have stored in this thing, which is fascinating.”
Critically, the company maintains a strong privacy boundary.
“That is the information that’s in that device. Their fingerprint, etc, is not shareable… their employer can’t get access to that. The user can erase it any time. They can say, I’m leaving, I’ve erased my biometric device, and I’m leaving it for the employer, because it’s the employer’s.”
This gives enterprises the control they need over hardware assets while letting users feel comfortable enrolling sensitive personal biometrics.
The Node And Form Factors That Don’t Get In The Way
At RSAC, Kevin’s team introduced a new form factor called the Node. The guiding principle is simple. If hardware gets in the way of adoption, it will never reach the ubiquity needed to shut down identity based attacks at scale.

“It is a tiny, little, round thing that is the size of an Apple AirTag. It doesn’t have any AirTag features or functions. It is simply the size of that. So if you have a phone holder that slaps an AirTag on the back of the phone… or the key chain holders or other things. That’s what’s cool about it. It just fits into that ecosystem.”
Alongside the Node, there is:
- A wearable ring form factor
- A portable device that looks like a stick and charges via USB C
- Desk friendly devices you can leave by your workstation
“We don’t want form factors to get in the way of someone having this level of biometric security on everything they do. We want everything.”
This is not a toy for executives only.
“This isn’t for C level execs or just admins, it’s for every employee that has access to any data or system whatsoever. That’s who it’s for. It’s for everybody. These are inexpensive. They’re easy. There’s a subscription format for them, for enterprises, so that they don’t have to own the device. They just subscribe to this thing. You’re subscribing to biometric assured identity.”
In other words, treat biometric identity the way you treat SaaS: operational expense, scalable, and not a forever capital asset that needs to be tracked in a spreadsheet last updated in 2019.
What CISOs Should Do Next
If you are a CISO or senior security leader, here is the uncomfortable but necessary checklist inspired by this conversation:
- Audit your real identity blast radius
Assume any attacker can phish a subset of your workforce, relay MFA prompts, and spoof your most commonly used SaaS login pages. Map what they can reach from there and how quickly they can hit privileged control planes like Intune, MDM, Azure AD / Entra, Okta, and core SaaS.
- Stop treating MFA as a solved problem
Reposition legacy MFA and auth apps as a baseline hygiene control from years past, not a primary defense against current bad actors. If your board deck still trumpets MFA rollout as “closing the identity gap,” rewrite it.
- Evaluate biometric assured identity for high value roles immediately, then for everyone
Start with admins, IT, and users with access to sensitive customer or financial data. But plan for broad rollout. As Surace puts it, if you are “only protecting John Doe,” maybe you can skate by. As soon as you scale beyond a small team, the 10–30% failure rate in phishing resilience becomes intolerable.
- Look for domain bound and proximity bound solutions
Credentials bound to exact domains and short range BLE requirements are powerful constraints that break whole classes of remote exploit paths. These are not nice to have features. They are table stakes going forward. And wireless ease of use across all operating systems creates quick employee acceptance.
- Run a pilot, then model the incident avoided
Pick a business unit with a history of phishing incidents or high access levels. Deploy biometric assured identity, simulate known phishing scenarios, and model the downstream blast radius you just eliminated. Use that to justify budget and roadmap changes.
TokenCore’s approach, articulated by Kevin, is very clear about where the industry needs to go:
“I will tell you the future of us gaining access to data and even being on Zoom with someone – you want to make sure that the right person is going to have the right fingerprint, period, full stop.”
You can either treat that as a radical statement or as a blunt forecast of where your peers are now or will be shortly. History is not kind to CISOs who bet against the future of identity.
If you want to explore biometric assured identity at the level described here, you can reach the team behind TokenCore through their site at tokencore.com, where technical specialists can walk you through how it works, how it is priced, and how to get your first deployment moving.
For CISOs under constant pressure to stop the next big ransomware headline, the bigger risk at this point may be staying in love with MFA as your primary identity control while attackers bypass it every day.
Author’s Note
The author sat down with Kevin Surace, Chair member at TokenCore’s biometric assured identity platform, at the 2026 RSAC Conference in San Francisco, March 23rd to 25th, 2026, to discuss why identity-based attacks have become so dominant and how fingerprints plus dedicated hardware can finally close the front door attackers have been walking through for years.
For more information, please visit https://tokencore.com.
About the Author
Pete Green is the CISO / CTO of Anvil Works, a ProCloud SaaS company and co-author of “The vCISO Playbook: How Virtual CISOs Deliver Enterprise-Grade Cybersecurity to Small and Medium Businesses (SMBs)”. With over 25 years of experience in information technology and cybersecurity, Pete is a seasoned and accomplished security practitioner.
Throughout his career, he has held a wide range of technical and leadership roles, including LAN/WLAN Engineer, Threat Analyst, Security Project Manager, Security Architect, Cloud Security Architect, Principal Security Consultant, Director of IT, CTO, CEO, Virtual CISO, and CISO.
Pete has supported clients across numerous industries, including federal, state, and local government, as well as financial services, healthcare, food services, manufacturing, technology, transportation, and hospitality.
He holds a Master of Computer Information Systems in Information Security from Boston University, which is recognized as a National Center of Academic Excellence in Information Assurance / Cyber Defense (CAE IA/CD) by the NSA and DHS. He also holds a Master of Business Administration in Informatics.
