The Aflac Breach Shows Why Legacy MFA Is Broken — And What Actually Works

By Kevin Surace  |  4 minute read

The Aflac breach last week wasn’t pulled off by elite hackers—it was enabled by the same
outdated multi-factor authentication (MFA) most enterprises rely on today.

Attackers used real-time phishing to trick users into approving logins via SMS codes or push-
based authenticator apps. These legacy methods don’t validate who is authenticating or where the
request is coming from. If a user is duped into interacting with a spoofed site, the attacker can
relay the authentication flow and gain full access—no hacking required.

This isn’t theoretical. It’s a common technique used by groups like Scattered Spider, who’ve hit
multiple insurers in the past month alone, and it’s becoming the preferred and easiest way to
gain access to almost any system: users feel protected by their authenticator apps, yet against
this kind of simple attack those apps now arguably offer no protection at all.

Phishing-resistant next-gen MFA — specifically biometric FIDO2-based authentication —
closes this hack down completely. Solutions like Token Ring or Token BioStick go beyond
codes and approvals:

  • Each device holds a unique cryptographic key pair per domain, created during secure
    registration.
  • During login, the server issues a challenge that the device must sign — but only if:
    1. The origin matches the domain from the original registration
    2. The user provides a live fingerprint match on the device
    3. The device is physically near the system being logged into (proximity verified over
       secure Bluetooth)

If any part of that chain is spoofed or proxied (e.g., a phishing site), the authentication simply
fails. The private key won’t respond.
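The following is an added illustration of the origin-binding step just described; it is a constructed toy, not Token’s code or a real FIDO2 library. It follows the WebAuthn shape (the device signs authenticatorData plus the hash of clientDataJSON, and clientDataJSON carries the page’s real origin), but stands in a per-credential HMAC secret for the per-domain key pair, and it does not model the Bluetooth proximity check. The domains, the phishing origin and the credential ids are all made up for the example.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

FLAG_UP, FLAG_UV = 0x01, 0x04  # WebAuthn authenticatorData flag bits: user present / user verified


class Authenticator:
    """Toy FIDO2-style device. Constructed stand-in: one HMAC secret per registration
    plays the role of the per-domain key pair a real device would hold."""

    def __init__(self):
        self._creds = {}  # credential id -> (rp_id the credential is scoped to, secret)

    def register(self, rp_id):
        cred_id, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self._creds[cred_id] = (rp_id, secret)
        return cred_id, secret  # a real device would hand back a public key instead

    def sign(self, cred_id, client_data_json, fingerprint_ok):
        rp_id, secret = self._creds[cred_id]
        if not fingerprint_ok:
            return None  # no live user verification, no signature
        auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([FLAG_UP | FLAG_UV])
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(secret, signed, hashlib.sha256).digest()


def browser_get(dev, cred_id, rp_id, page_origin, challenge, fingerprint_ok=True, enforce_scope=True):
    """Client side: builds clientDataJSON from the origin of the page that is actually open
    (not from anything the page claims) and asks the device to sign it."""
    host = urlparse(page_origin).hostname or ""
    if enforce_scope and host != rp_id and not host.endswith("." + rp_id):
        return None  # credential is scoped to rp_id; a look-alike domain cannot invoke it
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    result = dev.sign(cred_id, client_data, fingerprint_ok)
    return None if result is None else (client_data,) + result


class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self._creds, self._pending = {}, set()

    def register(self, cred_id, secret):
        self._creds[cred_id] = secret

    def start_login(self):
        challenge = secrets.token_urlsafe(32)
        self._pending.add(challenge)
        return challenge

    def finish_login(self, cred_id, assertion):
        if assertion is None or cred_id not in self._creds:
            return False
        client_data, auth_data, sig = assertion
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("origin") != self.origin:
            return False  # signed for another origin: the flow went through a phishing page
        if cd.get("challenge") not in self._pending:
            return False  # unknown or already-consumed challenge: replay
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False  # credential belongs to a different relying party
        if not auth_data[32] & FLAG_UV:
            return False  # device reported no user verification
        expected = hmac.new(self._creds[cred_id],
                            auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        self._pending.discard(cd["challenge"])
        return True


def setup():
    rp, dev = RelyingParty("example.com", "https://login.example.com"), Authenticator()
    cred_id, secret = dev.register("example.com")
    rp.register(cred_id, secret)
    return rp, dev, cred_id


def legitimate_login(fingerprint_ok=True):
    rp, dev, cred = setup()
    ch = rp.start_login()
    return rp.finish_login(cred, browser_get(dev, cred, "example.com", "https://login.example.com",
                                             ch, fingerprint_ok=fingerprint_ok))


def relayed_login(enforce_scope=True):
    """Real-time relay: the attacker fetches a genuine challenge from the real site and
    presents it on a constructed look-alike page; whatever comes back is forwarded as-is."""
    rp, dev, cred = setup()
    ch = rp.start_login()
    phish = "https://login-example.com.evil.example"  # constructed phishing origin
    return rp.finish_login(cred, browser_get(dev, cred, "example.com", phish, ch,
                                             enforce_scope=enforce_scope))


def replayed_login():
    """A captured assertion is used once legitimately, then submitted a second time."""
    rp, dev, cred = setup()
    ch = rp.start_login()
    assertion = browser_get(dev, cred, "example.com", "https://login.example.com", ch)
    return rp.finish_login(cred, assertion), rp.finish_login(cred, assertion)
```

Two layers stop the relay: a scope-enforcing client refuses to use a credential on a domain outside the registered `rpId`, and even a client that did sign would embed the phishing origin in `clientDataJSON`, so the real server rejects the signature it receives. The challenge set is consumed on success, which is what makes a captured assertion worthless a second time.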

This convenient technology prevents real-time phishing, credential replay, and prompt fatigue
attacks. Even if a user clicks a malicious link, the attacker hits a wall—no credentials to steal, no
session to hijack.

I worry that legacy MFA like SMS and authenticator apps is no longer defensible and in
essence obsolete as this easy social-engineering hack gains widespread use. Enterprises
handling sensitive data need phishing-resistant authentication that cryptographically binds login
credentials to who is logging in, what device they’re using, and where they are.

The breach at Aflac could have been stopped. But CISOs need to understand that their auth apps and
legacy MFA are hacked daily, even if they were only just rolled out. It’s time to dump them.

Ready to move to Next-Gen MFA? Request a demo.