Last week, Qantas joined a growing list of high-profile companies breached by Scattered Spider, a sophisticated threat group known for exploiting human error and weak authentication systems—not by hacking through firewalls, but by walking right through the front door.
The Qantas attack, like recent breaches at Aflac and Hawaiian Airlines, didn’t rely on zero-days or advanced malware. It was likely executed through real-time social engineering over the phone—known as “vishing”—where attackers pose as internal personnel, exploit trust, and bypass legacy multi-factor authentication (MFA) methods. In this case, the target was a third-party call-center platform. Once access was granted, records for up to 6 million customers were exposed.
This is the new normal—and legacy MFA is failing to stop it.
Scattered Spider and groups like them rely on the same predictable weakness: legacy MFA that uses SMS codes, authenticator apps, or push approvals.
These methods can be:
• Relayed in real time through phishing sites and spoofed portals.
• Bypassed with help-desk manipulation, where attackers trick agents into issuing new credentials or approving access.
• Exploited using MFA fatigue, where attackers bombard users with push notifications until they approve one.
In all these cases, the underlying problem is simple: the system doesn’t know who is authenticating or where the request is coming from.
That’s exactly what Token fixes.
Token’s biometric FIDO2-based authentication devices—Token Ring and Token BioStick—are engineered to eliminate the very attack vectors Scattered Spider exploits.
Here’s how:
Each Token device generates a unique cryptographic key pair for each specific domain during registration. That key pair is tied to the exact origin (for example, login.qantas.com) through the rpIdHash that accompanies every authentication response, so the site being logged into can check that the response was produced for its own domain and not for a look-alike.
During login:
All Token authentication requires a live fingerprint scan. No scan, no login. An attacker calling the help desk or phishing an employee has no way to replicate the user’s biometric input.
This is critical: even if a bad actor physically steals the device, it’s useless without the fingerprint match.
Token Ring uses secure Bluetooth proximity to ensure the user is physically near the login endpoint. No remote logins from across the globe. No "accidental" approvals. No spoofing.
Unlike passwords, SMS codes, or TOTP tokens, Token credentials are never shared. The private key never leaves the device, and it can’t be reused, intercepted, or guessed.
With Token, you don’t get MFA fatigue. There’s no code to intercept, no app to spoof, and no prompt to trick someone into accepting. You can’t fake a fingerprint and you can’t spoof a domain match.
Even if an attacker tricks a user into visiting a fake login page or makes a convincing phone call, the Token authenticator refuses to respond. The login fails.
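The origin-binding and biometric checks described above, as an added illustration that is not Token's or any FIDO2 library's code: a constructed authenticator model scopes each credential to a relying-party ID, prefixes every assertion with rpIdHash = SHA-256(rpId), and answers only after a fingerprint match; the relying-party side rejects anything signed for another domain. The domain `login-qantas.example`, the HMAC stand-in for the private key, and the flag byte layout are assumptions for this example.

```python
import hashlib
import hmac
import secrets

# Constructed model of a FIDO2 authenticator: a credential is scoped to the
# relying-party ID (domain) given at registration, and every assertion starts
# with rpIdHash = SHA-256(rpId). HMAC with a per-credential secret stands in
# for the ECDSA private key; a real server would hold only the public key.
UP_UV_FLAGS = 0x05  # user present (0x01) + user verified by fingerprint (0x04)
class Authenticator:
    def __init__(self):
        self._creds = {}  # rp_id -> (credential_id, signing_secret)

    def register(self, rp_id):
        self._creds[rp_id] = (secrets.token_bytes(16), secrets.token_bytes(32))
        return self._creds[rp_id]

    def get_assertion(self, rp_id, challenge, fingerprint_ok):
        # Silent unless the fingerprint matches AND a credential exists for exactly this RP ID.
        if not fingerprint_ok or rp_id not in self._creds:
            return None
        cred_id, secret = self._creds[rp_id]
        auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([UP_UV_FLAGS])
        return cred_id, auth_data, hmac.new(secret, auth_data + challenge, hashlib.sha256).digest()

def rp_verify(expected_rp_id, challenge, stored_cred, response):
    if response is None:
        return False  # authenticator never answered
    cred_id, auth_data, sig = response
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False  # signed for a different domain (relayed phishing assertion)
    if (auth_data[32] & UP_UV_FLAGS) != UP_UV_FLAGS:
        return False  # no biometric user verification
    stored_id, secret = stored_cred
    expected = hmac.new(secret, auth_data + challenge, hashlib.sha256).digest()
    return cred_id == stored_id and hmac.compare_digest(expected, sig)

def run_scenarios(real_rp="login.qantas.com", fake_rp="login-qantas.example"):
    device, challenge = Authenticator(), secrets.token_bytes(32)
    stored = device.register(real_rp)
    legit = rp_verify(real_rp, challenge, stored, device.get_assertion(real_rp, challenge, True))
    # A phishing page can only ask for its own domain, which the device has never seen.
    phished = rp_verify(real_rp, challenge, stored, device.get_assertion(fake_rp, challenge, True))
    # User enrolled on the fake domain: the relayed assertion carries the wrong rpIdHash.
    device.register(fake_rp)
    relayed = rp_verify(real_rp, challenge, stored, device.get_assertion(fake_rp, challenge, True))
    # A stolen device with no fingerprint match stays silent.
    stolen = rp_verify(real_rp, challenge, stored, device.get_assertion(real_rp, challenge, False))
    return legit, phished, relayed, stolen
```

Only the first scenario succeeds; the real WebAuthn flow adds a browser-enforced check that the requested RP ID matches the page origin, which this model omits.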
If Qantas had deployed Token devices across its internal and third-party workforce:
That’s the power of phishing-resistant, hardware-bound, biometric MFA.
Today’s cyber threats don’t need to “hack” you—they just need to outsmart your users and exploit outdated defenses. Every major breach over the last year—from Okta to Aflac to Qantas—has shown the same lesson:
Token proves there’s a better way. A way that stops real-time phishing, social engineering, and spoofed access attempts in their tracks.
It’s not about being smarter than the attacker. It’s about deploying security that makes the attacker irrelevant.