How Token Would Have Stopped the Qantas Breach Cold
By Kevin Surace | 3 minute read
Last week, Qantas joined a growing list of high-profile companies breached by Scattered Spider, a sophisticated threat group known for exploiting human error and weak authentication systems—not by hacking through firewalls, but by walking right through the front door.
The Qantas attack, like recent breaches at Aflac and Hawaiian Airlines, didn’t rely on zero-days or advanced malware. It was likely executed through real-time social engineering over the phone—known as “vishing”—in which attackers pose as internal personnel, exploit trust, and talk their way past legacy multi-factor authentication (MFA) methods. In this case, the target was a third-party call-center platform. Once access was granted, records for up to 6 million customers were exposed.
This is the new normal—and legacy MFA is failing to stop it.
What Went Wrong?
Scattered Spider and groups like them rely on the same predictable weakness: legacy MFA that uses SMS codes, authenticator apps, or push approvals.
These methods can be:
• Relayed in real time through phishing sites and spoofed portals.
• Bypassed with help-desk manipulation, where attackers trick agents into issuing new credentials or approving access.
• Exploited using MFA fatigue, where attackers bombard users with push notifications until they approve one.
In all these cases, the underlying problem is simple: the system doesn’t know who is authenticating or where the request is coming from.
That’s exactly what Token fixes.
How Token Stops This Cold
Token’s biometric FIDO2-based authentication devices—Token Ring and Token BioStick—are engineered to eliminate the very attack vectors Scattered Spider exploits.
Here’s how:
1. Origin Binding (No Replay, No Relays)
Each Token device generates a unique cryptographic key pair for each specific domain during registration. That key pair is scoped to the site’s relying party ID (for example login.qantas.com), and the SHA-256 hash of that ID—the rpIdHash—is included in every response the device signs, so the server can tell which site the credential was minted for.
During login:
- The server issues a one-time challenge.
- The Token device signs it—but only if the request comes from the original domain.
- A spoofed or relayed request from evil.example.com will fail. The private key simply won’t respond.
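The challenge flow above, as an added Go example that is not Token’s code or a real WebAuthn library: a simplified authenticator holding one P-256 key per relying party ID, and the relying-party checks (challenge, origin, rpIdHash, then the ES256 signature) that reject a relayed, replayed or cross-site assertion. The relying party IDs and origins (login.qantas.com, evil.example.com) follow the article’s illustration; the flags and counter bytes are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

type Assertion struct{ AuthData, ClientDataJSON, Signature []byte } // authData = rpIdHash(32) || flags || counter
type Authenticator map[string]*ecdsa.PrivateKey                        // one key pair per relying party ID, as on a FIDO2 device
func sha(b []byte) []byte { s := sha256.Sum256(b); return s[:] }
// signed is the ES256 input: SHA-256(authData || SHA-256(clientDataJSON)).
func signed(authData, cd []byte) []byte { return sha(append(append([]byte{}, authData...), sha(cd)...)) }
// Register mints a key pair scoped to rpID and returns the public half for the server to store.
func (a Authenticator) Register(rpID string) *ecdsa.PublicKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a[rpID] = k
	return &k.PublicKey
}
// Sign answers only for an rpID it holds a key for; the browser derives rpID and origin from the page actually loaded.
func (a Authenticator) Sign(rpID, origin, challenge string) (*Assertion, error) {
	key, ok := a[rpID]
	if !ok {
		return nil, errors.New("no credential registered for rpId " + rpID)
	}
	authData := append(sha([]byte(rpID)), 0x05, 0, 0, 0, 1) // rpIdHash, flags UP|UV, counter 1 (constructed)
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	sig, err := ecdsa.SignASN1(rand.Reader, key, signed(authData, cd))
	return &Assertion{authData, cd, sig}, err
}
// Verify is the relying party: challenge, origin and rpIdHash are checked before the signature is trusted.
func Verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, as *Assertion) error {
	var cd map[string]string
	if json.Unmarshal(as.ClientDataJSON, &cd) != nil || cd["type"] != "webauthn.get" || cd["challenge"] != challenge {
		return errors.New("clientData malformed or challenge mismatch: stale or replayed assertion")
	}
	if cd["origin"] != origin {
		return errors.New("origin " + cd["origin"] + " is not " + origin + ": request relayed from another site")
	}
	if len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(sha([]byte(rpID))) {
		return errors.New("rpIdHash mismatch: credential belongs to another relying party")
	}
	if !ecdsa.VerifyASN1(pub, signed(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}
```

A phishing page served from evil.example.com asks the browser for rpID evil.example.com, so Sign has no key to answer with; if an attacker instead rewrites the origin inside a captured assertion, Verify rejects it before the signature is even checked.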
2. Biometric Match Required
All Token authentication requires a live fingerprint scan. No scan, no login. An attacker calling the help desk or phishing an employee has no way to replicate the user’s biometric input.
This is critical: even if a bad actor physically steals the device, it’s useless without the fingerprint match.
3. Device Proximity
Token Ring uses secure Bluetooth proximity to ensure the user is physically near the login endpoint. No remote logins from across the globe. No "accidental" approvals. No spoofing.
4. No Shared Secrets to Steal
Unlike passwords, SMS codes, or TOTP tokens, Token credentials are never shared. The private key never leaves the device, and it can’t be reused, intercepted, or guessed.
5. Unphishable. Period.
With Token, you don’t get MFA fatigue. There’s no code to intercept, no app to spoof, and no prompt to trick someone into accepting. You can’t fake a fingerprint and you can’t spoof a domain match.
Even if an attacker tricks a user into visiting a fake login page or makes a convincing phone call, the Token authenticator refuses to respond. The login fails.
What If Qantas Used Token?
If Qantas had deployed Token devices across its internal and third-party workforce:
- The attacker’s spoofed access attempts would have failed silently.
- The call-center platform would have blocked unverified logins tied to the wrong domain.
- Even if a user was socially engineered, no credentials could be reused or relayed.
- No data would be exfiltrated. The breach simply wouldn’t happen.
That’s the power of phishing-resistant, hardware-bound, biometric MFA.
The Bottom Line
Today’s cyber threats don’t need to “hack” you—they just need to outsmart your users and exploit outdated defenses. Every major breach over the last year—from Okta to Aflac to Qantas—has shown the same lesson:
Legacy MFA is obsolete.
Token proves there’s a better way. A way that stops real-time phishing, social engineering, and spoofed access attempts in their tracks.
It’s not about being smarter than the attacker. It’s about deploying security that makes the attacker irrelevant.