In September 2023, MGM Resorts suffered one of the most visible cyberattacks in recent memory. Hotel guests could not use digital room keys. Slot machines and ATMs were disrupted. Websites went offline. Operations across major properties were thrown into chaos. MGM later estimated the incident cost roughly $100 million in lost revenue.
According to widely reported accounts, the front door was not kicked in by a zero day exploit, nation state malware, or some impossible technical breakthrough. It was opened with a phone call.
An attacker reportedly posed as an employee, called the IT help desk, and convinced someone to reset access. From there, the attackers had what they needed to move through the environment, escalate privileges, disrupt operations, and create an extraordinary financial and reputational disaster.
To be clear, Token was not broadly available as an enterprise deployed biometric identity platform in 2023. MGM could not reasonably have been expected to use a solution that had not yet reached broad market availability. But the lesson from MGM was obvious even then: any security system that allows a phone call to reset the thing protecting access is vulnerable to social engineering.
Three years later, that lesson is no longer theoretical, and the technology to eliminate that weakness is available now. Today, enterprises can deploy Token biometric assured identity across their workforce. That means passwords can become irrelevant, push prompts can disappear, recovery calls no longer grant meaningful access, and attackers cannot talk their way around the real identity requirement.
The fatal flaw in password based security. A password is not proof of identity. It is a secret that can be guessed, bought, stolen, phished, reset, or simply handed over by a help desk employee trying to be helpful. Traditional MFA often fails for the same reason. A push notification can be approved. A code can be read aloud. An authenticator app can be enrolled again. A recovery process can be socially engineered. Security teams keep adding layers to a broken premise: that a remote caller can somehow prove they are the real employee. They cannot. Not reliably. With AI generated voice cloning, perfectly researched impersonation, spoofed internal messages, stolen employee data, and attackers who understand help desk workflows as well as your own staff, this problem is getting worse, not better.
The question should not be whether an attacker can convince someone to reset a password. The question should be: why does resetting a password still give an attacker meaningful access?
With Token, it does not. No fingerprint, no access. Token biometric authentication devices, including TokenCore Wearable and TokenCore Portable, remove the password as the thing that matters.
A password can be reset. An attacker can know it. An attacker can even convince a help desk employee to issue a new one. It still does not give them access. Every authentication requires the authorized user’s live fingerprint on their Token device. No fingerprint, no access. That is a hard gate.
Token also uses phishing resistant FIDO2 authentication. Each credential is cryptographically bound to the legitimate domain where it was registered. A fake login page cannot request a valid authentication for the real site. A relay attack cannot simply forward a code or push approval. There is no reusable secret to steal, no six digit code to repeat, and no approval prompt to manipulate. The credential is locked to the real site. The physical Token device is required. The authorized fingerprint is required.
In addition, Token’s proximity controls ensure the authenticator is physically near the device being used for the login. That is biometric assured identity. A phone call cannot reset a fingerprint. This is the distinction every CISO, CIO, and board member needs to understand. A help desk can reset a password, reset an authenticator app, enroll a new phone number, and create a temporary exception. But a help desk cannot remotely manufacture the authorized employee’s fingerprint inside their Token device.
That means the most common social engineering attack chain collapses. The attacker can call. They can sound convincing. They can know the employee’s manager, title, department, birthday, recent travel, and last project. They can threaten urgency. They can claim the CEO is waiting. They can say they are locked out before a major customer meeting. None of it matters. Without the actual biometric Token device and the actual authorized user’s fingerprint, the system does not authenticate them.
That is what MGM did not have available to deploy broadly in 2023. It is what enterprises can deploy today. Stop treating recovery as an exception to security.
The uncomfortable truth is that many organizations have spent millions deploying MFA while leaving a giant back door open through password recovery, MFA resets, and help desk exceptions. Attackers know where that door is. They are walking through it every day.
The answer is not another security awareness course telling employees to be more suspicious. Training matters, but it cannot turn every employee and every help desk agent into a perfect human lie detector. The answer is to make social engineering irrelevant at the authentication layer. That capability is available now.
Passwords can be reset. Fingerprints cannot. No Token. No fingerprint. No access.