Token Spotlights Avoidable Breach: Hawaiian Airlines Hack Echoes Aflac, Urges Phishing-Proof MFA

Hawaiian Airlines Breach Highlights the Critical Need for Phishing-Resistant MFA, Says Token

In the wake of Hawaiian Airlines’ recent disclosure of a cybersecurity incident that disrupted internal IT systems, Token, a leader in biometric, passwordless authentication, has issued a sobering reminder: this breach, like many others before it, was entirely preventable. Security researchers believe the attack was carried out by the same threat group, Scattered Spider, which has previously targeted organizations using real-time phishing tactics and spoofed websites to bypass weak multi-factor authentication (MFA) methods such as push approvals and authenticator apps.

“These aren’t sophisticated attacks,” said Kevin Surace, Chair of Token. “They’re simple relays executed through fake websites, and they work because companies continue to rely on outdated MFA solutions like TOTP codes, app prompts, or authentication apps. Hawaiian Airlines has now joined a growing list of victims that includes insurers, retailers, and other airlines—all compromised because legacy authentication methods are no match for modern phishing.”

Token’s innovative products—Token Ring and Token BioStick—are specifically designed to stop these types of attacks in their tracks, offering a level of security that traditional MFA solutions simply cannot match.

Why Token Outsmarts Traditional MFA

The playbook for these breaches has become disturbingly predictable:

  1. A spoofed website tricks an employee into entering their credentials.
  2. The attacker relays those credentials and the MFA code to the legitimate site—or tricks the employee into approving the login via their authentication app.
  3. Access is granted because the authentication method trusts the user, not the origin of the login attempt.

Token’s approach eliminates this vulnerability entirely. Its technology combines biometric fingerprint verification, local cryptographic keys, and origin-checking to ensure that only the legitimate user, on the correct device, accessing the intended site, can log in.

“Even if an employee fell for the phishing link, Token would have blocked the login,” explained Surace. “The fake site wouldn’t pass the cryptographic check, and in fact, the Token product wouldn’t even engage unless the user was physically present at the device. Proximity is required.”

Unlike passkeys, which can be synced across cloud accounts and potentially exploited during account takeovers, Token’s credentials are securely stored in tamper-proof hardware. These credentials are tied to specific domains and can only be unlocked with a live biometric scan performed locally on the computer attempting to log in. This ensures there’s no code to intercept, no password to steal, and no cloud account to hijack.
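To make the origin check described above concrete, here is an added example (not Token's code and not part of the original article) of the origin-binding checks a FIDO2/WebAuthn relying party runs on a login assertion. The host names, challenge strings and helper names are assumptions, and the sample assertions are constructed. A TOTP code or push approval carries none of these fields, which is why it validates no matter which site collected it.

```python
import hashlib
import hmac
import json

# Assumed relying-party settings (hypothetical, not from the article).
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"

def make_assertion(origin, rp_id, challenge, flags=0x05):
    """Constructed sample data shaped like a browser/authenticator response.
    The browser fills in `origin` from the page actually loaded; the
    authenticator hashes the RP ID the credential is scoped to."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    # authenticatorData: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")
    return client_data, auth_data

def check_assertion(client_data_json, auth_data, issued_challenge):
    """Return the names of failed checks; an empty list means all pass.
    Verifying the signature over authData || SHA-256(clientDataJSON) with the
    registered public key is a separate, mandatory step that is not shown here."""
    failures = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        failures.append("type")
    # Challenge is single-use and issued by this server for this login attempt.
    if not hmac.compare_digest(str(cd.get("challenge", "")), issued_challenge):
        failures.append("challenge")
    # Origin is written by the browser, so a lookalike page cannot forge it.
    if cd.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")
    if len(auth_data) < 37:
        return failures + ["authData length"]
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        failures.append("rpIdHash")
    flags = auth_data[32]
    if not flags & 0x01:  # UP: user was physically present
        failures.append("user present")
    if not flags & 0x04:  # UV: user verified locally (e.g. fingerprint)
        failures.append("user verified")
    return failures

if __name__ == "__main__":
    genuine = make_assertion(EXPECTED_ORIGIN, RP_ID, "chal-123")
    # Constructed lookalike host: what the verifier would see for a relayed login.
    relayed = make_assertion("https://login.example.net", "login.example.net", "chal-123")
    print("genuine:", check_assertion(*genuine, "chal-123"))
    print("relayed:", check_assertion(*relayed, "chal-123"))
```

In practice the authenticator would not even find a credential for the lookalike RP ID; the server-side checks are the second line of defense and belong in login telemetry as distinct failure reasons.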

Real-World Validation

Just days before the Hawaiian Airlines breach, Token issued a warning following the Aflac breach, emphasizing that the continued use of weak MFA leaves organizations dangerously exposed to phishing attacks. Now, Hawaiian Airlines finds itself in the same predicament, underscoring the urgent need for stronger authentication methods.

“How many breaches do we need before we replace security theater with real security?” asked Surace. “Token isn’t just another MFA solution—it’s phishing-proof, foolproof, and deployable in a single day.”

A Growing List of Victims

The pattern is clear: attackers are exploiting the same vulnerabilities time and again. Organizations across industries, from insurance giants like Aflac to major airlines like Hawaiian Airlines, have fallen victim to these attacks. Each breach serves as a stark reminder that relying on outdated MFA methods is akin to leaving the front door unlocked in a high-crime neighborhood.

Legacy MFA solutions, while better than passwords alone, are increasingly insufficient against modern threats. Attackers have adapted, leveraging social engineering techniques to bypass these systems with alarming ease. For businesses, the cost of inaction is too high—data breaches result in financial losses, reputational damage, and regulatory scrutiny.

The Path Forward: Phishing-Proof Authentication

Token’s message is clear: the time for half-measures is over. Organizations must move beyond traditional MFA and adopt solutions that are truly phishing-resistant. Token Ring and Token BioStick offer a compelling alternative, combining cutting-edge biometrics with robust cryptographic safeguards to create a virtually impenetrable layer of protection.

Deploying Token’s solutions doesn’t require a complete overhaul of existing systems. In fact, the company emphasizes that its products can be implemented in as little as a day, making it easier than ever for organizations to upgrade their security posture without disrupting operations.

About Token

Token’s mission is to eliminate identity-based attacks with the world’s strongest authentication. Token Ring and Token BioStick provide true passwordless, biometric MFA that cannot be phished, replayed, relayed or spoofed. Built on FIDO2 biometric standards, Token is trusted by organizations where security failures are not an option.
