Token Calls Out Another Preventable Breach: Hawaiian Airlines Attack Echoes Aflac, Underscores Need for Phishing-Proof MFA

In the wake of Hawaiian Airlines' disclosure of a cybersecurity incident that disrupted internal IT systems, Token, the leader in biometric, passwordless authentication, issued a stark reminder: this breach, like others before it, was entirely preventable.

Security researchers suspect the same threat group, Scattered Spider, is behind the attack—relying again on real-time phishing and spoofed websites to bypass weak multi-factor authentication (MFA) like push approvals and authenticator apps.

“These aren’t sophisticated attacks,” said Kevin Surace, Chair of Token. “They’re simple relays, executed through fake websites. And they work because companies are still trusting outdated MFA like TOTP codes or app prompts or authentication apps. Hawaiian Airlines just joined a growing list that includes insurers, retailers, and airlines—because legacy authentication is no match for modern phishing.”

Token’s products—Token Ring and Token BioStick—are purpose-built to stop these attacks dead in their tracks.

Why Token Stops What Others Can’t

The breach playbook is now well known:

  1. A spoofed website tricks an employee into logging in.
  2. The attacker relays the credentials and MFA code to the real site (or tricks the employee into authorizing the attacker on their authentication application).
  3. Access is granted—because the authentication method trusts the user, not the origin.

Token products don’t make that mistake.

Token uses biometric fingerprint verification, local cryptographic keys, and origin-checking to ensure only the legitimate user, on the right device, accessing the right site, locally, can log in.

“Even if an employee fell for the phishing link, Token would have blocked the login. The fake site simply wouldn’t pass the cryptographic check, and, in fact, the Token product would have never even been engaged, since proximity is required,” Surace added.

Unlike passkeys—which can be synced across cloud accounts and exploited through account takeovers—Token’s credentials are stored in tamper-proof hardware, tied to a specific domain, and can only be unlocked with a live biometric scan local to the computer logging in. That means no code to intercept, no password to steal, and no cloud account to hijack.

Proven in the Real World

Just days ago, Token warned the industry after the Aflac breach that the use of weak MFA continues to leave companies wide open to phishing attacks. Now, Hawaiian Airlines finds itself in the same position.

“How many breaches do we need before we replace security theater with real security?” Surace asked. “Token isn’t just another MFA solution. It’s phishing-proof, fool-proof, and deployable in a single day.”

About Token

Token’s mission is to eliminate identity-based attacks with the world’s strongest authentication. Token Ring and Token BioStick provide true passwordless, biometric MFA that cannot be phished, replayed, relayed or spoofed. Built on FIDO2 biometric standards, Token is trusted by organizations where security failures are not an option.

For more information, visit www.tokenring.com.

Token uses biometric fingerprint verification, local cryptographic keys, and origin-checking to ensure only the legitimate user, on the right device, accessing the right site, locally, can log in, so the breach at Hawaiian Air would be stopped.
