CyberSecurity SEE

Innovator Spotlight – TokenCore in Cyber Defense Magazine

TokenCore and The End of MFA As We Know It

By Pete Green

In a recent interview at the RSA Conference 2026, Kevin Surace, the Chair member of TokenCore, shared compelling insights on the evolving landscape of cybersecurity. His focus was on the glaring inadequacies of Multi-Factor Authentication (MFA) in modern security frameworks, with a particular emphasis on how identity-based attacks have dominated the cybersecurity threat landscape.

Surace directed his critique toward Chief Information Security Officers (CISOs) who may still feel a sense of confidence after rolling out MFA solutions in the last couple of years. He cautioned that the landscape around identity verification has shifted dramatically, noting that "the bad guys have already moved on." Surace poignantly pointed out that a staggering 90% of ransomware attacks over the past 18 months stemmed from identity-based vulnerabilities. This statistic serves as a wake-up call, indicating that despite investments in perimeter defenses like firewalls and zero-trust architectures, attackers are still exploiting stolen credentials and MFA codes to gain unauthorized access to sensitive environments.

According to Surace, the notion that "identity is the new perimeter" is widely accepted among security leaders. However, he argues that the defenses surrounding this new perimeter are alarmingly thin, offering little resistance to contemporary attacks characterized by phishing, spoofing, and relay tactics.

Surace’s blunt observations have left many CISOs uncomfortable: "We all are using auth apps and MFA, and in our mind, we think they are secure. They are the furthest from secure." Given the rate of human error and the efficacy of phishing attempts, even the most well-trained employees can fall victim to these attacks. Surace cited a significant security incident involving a large-scale Microsoft compromise where attackers broke into 96,000 accounts by leveraging shared MFA codes and hacked authentication apps.

The implications of such breaches are dire. Surace estimated that recovering from such incidents could take companies “six or nine months” of intensive, costly remediation, underscoring the fragile state of many organizations’ defenses. Moreover, he mentioned that awareness training does little to alter the fundamental statistics: "Across an organization of hundreds or thousands, some number between 10 and 30% will fall for phishing attempts, no matter how much training you give them." A study conducted at UC San Diego found that training improved the identification of phishing emails only marginally, by 2%.

Surace also commented on the prevailing zero-trust model that has gained traction over the past five years. While the philosophy of “never trust, always verify” might resonate, it is essentially ineffective unless verification is tied to the actual human identity rather than merely to a token or secret. He emphasized that zero-trust protocols must evolve beyond their current reliance on credentials that can easily be exploited.

As an alternative, Surace and the TokenCore team advocate for a model they term "Biometric Assured Identity," which uses biometric data—primarily fingerprints—as the primary form of identity verification. The rationale behind this approach is straightforward: it guarantees that the individual attempting to log in is indeed that individual, eliminating the ambiguity associated with tokens or passwords.

TokenCore’s biometric solution is designed for versatility, offering a range of deployment methods, including small devices that can be worn or carried. The focus is on ensuring that biometric data remains stored securely and is not easily transferable, thereby reducing the risk of remote exploits.

Further, these biometric devices offer specific advantages inherent in their design, such as domain-bound credentials and the requirement for proximity during login, thereby thwarting numerous attack vectors. A fingerprint, securely bound to a specific domain, can provide an additional layer of security that conventional MFA solutions cannot offer.

Surace made it clear that the future of secure access hinges on identifying individuals through fingerprint biometrics, rather than relying on modalities like facial recognition or voice authentication, which can be easily spoofed in today’s digital landscape. He underscored the practical difficulty an attacker faces in acquiring someone’s fingerprint, which contrasts sharply with the broad availability of images and audio samples that can be used for impersonation.

The ongoing evolution of cyber threats necessitates a re-evaluation of current security frameworks. The reality is that legacy MFA systems, while offering some degree of protection, fail significantly against organized adversaries. Surace describes MFA apps as effective for less critical scenarios, such as personal banking, but insufficient for enterprise-level security, where attackers can easily bypass typical safeguards.

For organizations intent on adopting a more robust identity verification framework, implementing biometric assured identity should be a priority. TokenCore’s solutions cultivate user-friendliness while mitigating complexities associated with legacy systems that can burden IT departments.

In summation, the security landscape is shifting. As organizations grapple with persistent threats and evolving tactics from cyber adversaries, there is a pressing need to rethink and upgrade their identity management strategies. TokenCore advocates for prioritizing biometric technology to address the fluctuations in identity verification and provide a more robust defensive posture.

By doing so, organizations can not only enhance their security frameworks but also future-proof themselves against emerging threats targeting human vulnerabilities.

As the cybersecurity dialogue continues, it is crucial for CISOs and security teams to assess their current identity controls critically, explore biometric solutions, and prepare for a landscape where identity verification is not merely a checkbox but a cornerstone of reliable security strategies.

For further exploration of biometric assured identity, organizations are encouraged to visit TokenCore and consult their technical specialists to understand implementation and pricing, ensuring they remain ahead in a rapidly evolving cybersecurity domain.
