Hospitality and Retail Breaches Prove MGM Was Not a One-Off

Written by Kevin Surace | Apr 23, 2026 1:15:00 PM

The MGM Resorts and Caesars breaches were not anomalies. They were demonstrations of a structural fact: identity that can be reset remotely will eventually be reset by someone who should not have access.

What made those incidents significant was not the sophistication of the attack. It was its simplicity. Attackers did not exploit code vulnerabilities. They impersonated employees, contacted help desks, and had authentication reset. Legitimate access followed. Everything else — ransomware, data theft, operational disruption — was a consequence of that first failure.

Attackers replicated the same method across hospitality and retail organizations of all sizes in the months that followed. The specific brands changed. The mechanics did not. An attacker gathers employee information, contacts a support desk, triggers an MFA reset or re-enrollment, and receives access. The variation is surface level. The underlying control failure is identical.

That pattern persists because the underlying architecture did not change. Additional monitoring, mandatory training, and elevated alerting do not alter the core condition: identity can still be remotely transferred. As long as that remains true, the attack path remains open.
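The reset chain described above (operator-assisted MFA reset, enrollment of a new device, login from it) is something a defender can at least make visible in identity-provider audit logs even where the reset path itself remains open. The following is an added example, not Token's code or any vendor's log format: it assumes a constructed event schema of (timestamp, user, event type, actor, device id) and a constructed list of previously enrolled devices.

```python
from datetime import datetime, timedelta

# Constructed identity-provider audit events (hypothetical schema, not a real vendor's).
# Fields: timestamp, subject user, event type, actor who performed it, device id.
EVENTS = [
    ("2026-04-01T09:02:00", "alice", "mfa.factor.reset",  "helpdesk_bob", None),
    ("2026-04-01T09:05:00", "alice", "mfa.factor.enroll", "alice",        "dev-9f2"),
    ("2026-04-01T09:07:00", "alice", "session.login",     "alice",        "dev-9f2"),
    ("2026-04-01T10:00:00", "carol", "mfa.factor.reset",  "carol",        None),  # self-service
    ("2026-04-01T10:03:00", "carol", "mfa.factor.enroll", "carol",        "dev-11a"),
    ("2026-04-01T10:04:00", "carol", "session.login",     "carol",        "dev-11a"),
    ("2026-04-02T14:00:00", "dave",  "mfa.factor.reset",  "helpdesk_bob", None),
    ("2026-04-03T09:00:00", "dave",  "mfa.factor.enroll", "dave",         "dev-77c"),
]

# Devices each user had enrolled before the period under review (constructed).
KNOWN_DEVICES = {"alice": {"dev-001"}, "carol": {"dev-11a"}, "dave": {"dev-77c"}}


def find_assisted_reset_takeovers(events, known_devices, window=timedelta(hours=1)):
    """Flag the chain this article describes: an MFA reset performed by someone
    other than the account owner, followed within `window` by enrollment of a
    never-seen device and a login from that device. Self-service resets and
    re-enrollment of an already known device are not flagged."""
    parsed = sorted(
        ((datetime.fromisoformat(ts), user, kind, actor, dev)
         for ts, user, kind, actor, dev in events),
        key=lambda e: e[0],
    )
    findings = []
    for i, (t0, user, kind, actor, _) in enumerate(parsed):
        if kind != "mfa.factor.reset" or actor == user:
            continue  # only operator-assisted resets open the help-desk path
        new_device = None
        for t1, u, k, _, dev in parsed[i + 1:]:
            if t1 - t0 > window:
                break  # events are time-ordered, so nothing later is in the window
            if u != user:
                continue
            if k == "mfa.factor.enroll" and dev not in known_devices.get(user, set()):
                new_device = dev
            elif k == "session.login" and new_device and dev == new_device:
                findings.append({"user": user, "reset_by": actor,
                                 "new_device": dev, "reset_at": t0.isoformat()})
                break
    return findings
```

On the constructed events only alice is flagged: carol's reset was self-service and dave's help-desk reset was followed by re-enrollment of a device he already had, outside the window.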

Why Legacy Authentication Fails These Industries

Hospitality and retail operate under conditions that make resettable authentication especially dangerous. High employee turnover, seasonal workforces, and geographically distributed locations place routine authentication pressure on help desks. Help desk teams are measured on speed. They resolve access issues quickly because the business demands it. That operational reality is not a failure of process — it is the condition attackers deliberately target.

Push-based MFA and authentication applications offer no protection once a reset occurs. Passkeys improve resistance to phishing, but they still depend on enrollment flows that can be socially engineered. Legacy hardware tokens carry the same exposure: an administrator presented with a credible account of an employee access emergency can still register a new device. The technology differs. The attack surface does not.

Identity That Cannot Be Transferred

Token makes identity non-transferable. Authentication requires a biometric match on the Token device itself. That device must be physically present and in proximity to the system being accessed. Identity is cryptographically bound to the individual, to the hardware, and to the domain.

There is no remote reset. There is no emergency bypass. There is no alternate enrollment path reachable by phone. A help desk agent can document and escalate — but cannot issue new identity. The attack surface that enabled the MGM breach, and every breach that followed it, does not exist.

Token removes the attack surface entirely. The attacker’s first move — the identity reset — fails. Without access, there is no ransomware, no data exfiltration, no operational disruption. The chain breaks at the point it must.

Built for Operational Reality

CISOs in hospitality and retail operate under precise constraints. Uptime is not optional. Guest experience is not negotiable. Speed of operation is a business requirement, not a preference. Token enforces identity automatically, without adding steps to workflows or placing additional judgment demands on teams already operating under pressure.

The failure these breaches exposed is not process. It is that identity itself remained negotiable. Attackers will always find and exploit a negotiation point. Token removes it.