Kevin Surace
2 minute read
Another week. Another preventable breach. This time it is DoorDash, confirming that a social engineering scam gave attackers access to sensitive customer and driver information. But the real story is not the scam. The real story is the failure behind it.
The weak link was legacy MFA. Again.
DoorDash’s statement reads like every breach disclosure of the past two years. Attackers tricked an employee. Credentials were obtained. A login was approved. And suddenly, the attacker had access to internal tools. The company emphasizes that no passwords were exposed. But that misses the point. The problem is that passwords no longer matter. Phishers do not need them. They only need a moment of human error and an MFA method that trusts the user too much.
This is why attackers keep winning. Legacy MFA still allows them to.
SMS codes. Authenticator apps. Push notifications. Time-based OTP. These methods were not built for a world where AI can generate perfect phishing sites in 30 seconds and spoofed help desk calls are indistinguishable from the real thing. They cannot validate who is authenticating. They cannot validate where the request is coming from. And they cannot prevent a real-time relay attack when the victim truly believes they are logging into the legitimate site.
This is exactly how attackers keep getting in at DoorDash, MGM, Caesars, Aflac, Qantas, Hawaiian Airlines, UnitedHealth, and hundreds more. They are not breaking in. They are logging in. With your unsuspecting employee’s MFA or authorization.
The solution is not more training. The solution is not more warnings. The solution is not asking employees to stare longer at URLs. The solution is replacing the authentication system that keeps failing.
This is where Token changes everything.
TokenCore™ Wearable and TokenCore™ Portable eliminate the entire attack path that brought down DoorDash. They work differently than every legacy MFA method that attackers love.
They require a live biometric fingerprint match. No fingerprint means no login.
They require the device to be physically near the machine logging in. Remote attackers cannot authenticate from anywhere.
They cryptographically bind every credential to the real domain. A fake site cannot obtain a signature. The Token device simply refuses to respond.
They never send a push. They never generate a code. They never ask the user to approve anything. There is nothing to phish, nothing to relay, nothing to intercept.
If DoorDash had deployed Token, the attacker’s entire playbook would have collapsed instantly. The phishing email would have been irrelevant. The spoofed request would have failed. No fingerprint means no signature. No proximity means no authentication. No domain match means no access.
This is the difference between legacy MFA and phishing-resistant biometric FIDO2 authentication. One trusts the user and gets breached. The other trusts cryptography and stops the breach cold.
DoorDash is not alone. Every enterprise still running legacy MFA is heading toward the same headline.
It does not matter how large the company is. It does not matter how trained the users are. Modern attackers only need a moment. Legacy MFA gives them everything else.
If you want to shut down real-time phishing, relay attacks, help desk exploitation, and social engineering completely, there is only one answer.
Use Token. Or wait for your version of the DoorDash breach.
Get Token products online now at store.tokecore.com
Zero trust has a clear mandate: never trust, always verify. Most enterprises apply this principle to their networks, devices, and applications. They rarely apply it to the moment identity leaves their direct control. Outsourced support desks and business process outsourcing providers now handle identity verification for millions of employees and customers. These teams operate under SLAs built around speed and resolution. They rely on scripted questions, knowledge-based verification, and procedural checks. None of these methods produce cryptographic proof.
When Hawaiian Airlines confirmed a recent cyberattack that disrupted its internal systems, it wasn’t just another headline—it was another red flag.
Another day. Another preventable breach. This time it’s a major UK based insurance company, Allianz Life, and the attackers didn’t need zero-day exploits or complex malware. They just talked their way in.
Subscribe to The Assured Identity Brief for sharp insights on identity security, authentication, and the threats security leaders must stay ahead of.