Token Blog: Phishing and Ransomware Articles

Real-Time Phishing Relay: Why Speed Is No Longer the Attacker’s Edge

Written by Kevin Surace | Apr 16, 2026 1:15:00 PM

For years, MFA was treated as a timing problem. Add enough friction, the thinking went, and attackers would be exposed before they could act. Real-time phishing relay attacks dismantle that assumption. They do not wait for friction. They route around it.

In a relay attack, the victim authenticates against a convincing proxy. Every credential entered, every MFA prompt approved, is forwarded to the real service in real time. The attacker does not crack anything. The authorized user performs a legitimate login. The attacker inherits the session.

From the perspective of the authentication system, the event is valid. The password is correct. The MFA approval is timely. The session originates from a recognized identity provider. Logs record a clean login — because it was one.

This is the structural flaw that relay attacks exploit. They do not defeat authentication. They inherit it. Detection fails not because systems are slow, but because there is nothing anomalous to detect.

Push-based MFA is particularly susceptible: it produces a time-bounded approval that can be forwarded immediately. OTP codes carry enough validity to be captured and reused within the same session window. Passkeys improve resistance against credential harvesting but remain vulnerable in browser-mediated flows that can be proxied or abused through compromised endpoints. Legacy hardware tokens, designed to verify sessions rather than people, share the same fundamental weakness.

The pattern is consistent: any authentication mechanism that verifies the session rather than the individual can be relayed. Speed is irrelevant when the authentication event itself travels through attacker infrastructure.

Token Removes the Relay Vector. Entirely.

Token does not harden the relay vector. It eliminates it.

Authentication with Token requires biometric verification on the Token device, combined with cryptographic proof bound to the specific target domain. The authentication event does not occur in the browser. It does not traverse the network. It cannot be intercepted because it never enters transit.
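A minimal model of the contrast drawn above, added here as an illustration and not Token's protocol or code: a code-style response that depends only on the challenge still verifies after being forwarded, while a response computed over the origin the authenticator actually sees is rejected by the real service. The origins, the function names and the use of HMAC in place of an asymmetric signature are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://login.example.com"       # constructed: the genuine service
PROXY_ORIGIN = "https://login.example-sso.com"  # constructed: look-alike in the middle

def otp_response(secret: bytes, challenge: bytes) -> str:
    """Code-style factor: depends only on secret and challenge, not on where it is typed."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()[:6]

def bound_response(key: bytes, challenge: bytes, origin_seen: str) -> dict:
    """Origin-bound factor: the proof covers the origin the authenticator is talking to."""
    msg = challenge + b"|" + origin_seen.encode()
    return {"origin": origin_seen,
            "mac": hmac.new(key, msg, hashlib.sha256).hexdigest()}

def verify_otp(secret: bytes, challenge: bytes, code: str) -> bool:
    return hmac.compare_digest(otp_response(secret, challenge), code)

def verify_bound(key: bytes, challenge: bytes, assertion: dict,
                 expected_origin: str = REAL_ORIGIN) -> bool:
    """Server side: reject unless the proof was made for this service's own origin."""
    if assertion["origin"] != expected_origin:
        return False
    msg = challenge + b"|" + expected_origin.encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["mac"])

def login_outcomes(origin_user_sees: str) -> dict:
    """Run both schemes once; any intermediary forwards every message unchanged."""
    key = secrets.token_bytes(32)        # enrolled credential (shared key for brevity)
    challenge = secrets.token_bytes(16)  # fresh challenge issued by the real service
    code = otp_response(key, challenge)
    assertion = bound_response(key, challenge, origin_user_sees)
    return {"otp": verify_otp(key, challenge, code),
            "bound": verify_bound(key, challenge, assertion)}

if __name__ == "__main__":
    print("direct :", login_outcomes(REAL_ORIGIN))
    print("relayed:", login_outcomes(PROXY_ORIGIN))
```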

Token also enforces physical proximity. The device must be within range of the system being accessed. An attacker who intercepts traffic, proxies a session, or compromises an endpoint still cannot produce a valid authentication event without the physical device and the biometric of the authorized individual. Both must be present. Neither can be substituted.

There is nothing to relay. No code. No approval. No browser event. Identity is asserted on the person, not passed through the network.

This is the architectural distinction that relay attacks cannot cross. They depend on authentication being something that moves. Token ensures it never does.

The Implication for Security Leaders

Real-time phishing relay is not an incremental threat. It is evidence that session-based authentication has reached its limit. Any system that authenticates the transaction rather than the person will remain within reach of an attacker positioned in transit.

Token stops relay attacks not by reacting faster, but by making the attack surface structurally unavailable. When authentication cannot be proxied, relayed, or replayed, speed becomes irrelevant.