Token eliminates stolen-credential risk with hardware-anchored, biometric-bound authentication. Phishing-resistant. Zero Trust ready. Identity assured.
Joined April 2017
- Tweets 45
- Following 182
- Followers 3,770
- Likes 355
Photos and videos
Salesforce MFA enforcement hits July 1. Most orgs will comply but only a few will verify the human behind the login.
A YubiKey checks a box. Biometric match-on-chip hardware closes the gap.
hubs.la/Q04kVyk60
#PhishingResistant #BiometricAuthentication #PhishingProof
70
Salesforce's phishing-resistant MFA deadline is July 1.
Token proves the person — not just the credential. Hardware-bound. Biometrically enforced. FIDO2-certified.
hubs.la/Q04kdfZk0
#PhishingResistant #IdentitySecurity #PhishingProof
1
37
So they showed up in person. Silent Ransom Group is now sending fake IT techs to plug USB drives into your computers.
Phishing-resistant MFA stops this at step one: hubs.la/Q04kJwCQ0
#CredentialSecurity #IdentitySecurity #BiometricAuthentication
42
Salesforce's phishing-resistant MFA mandate takes effect July 1.
A synced passkey satisfies FIDO2. It doesn't prove the authorized person is present.
That's the gap. That's what Token closes.
hubs.la/Q04kd8N20
#PhishingResistant #IdentitySecurity #PhishingProof
66
Strong MFA is necessary. It's no longer sufficient.
The new question isn't "did the user authenticate?"
It's "what exactly did the user authorize, and under what conditions?"
Full breakdown: hubs.ly/Q04jlKBm0
#CredentialSecurity #CyberThreats #cybersecurity
61
Hardware-bound biometrics fix the credential problem:
→ Fingerprint match never leaves the device
→ Domain binding blocks lookalike sites in hardware
→ Proximity check: user within 3 feet
Stop managing credentials. Start proving the human:
hubs.la/Q04jVDLq0
53
The useful question after Carnival isn't whether your employees have MFA.
It's whether your MFA can be relayed, reset, or socially engineered.
Domain-bound, hardware-bound, biometric FIDO2 closes those paths at the protocol layer.
hubs.la/Q04jd2Jz0
#IdentitySecurity
47
The FBI warned about device code attacks.
The victim used MFA. Authentication succeeded. The attacker still got in.
This isn't credential theft. It's authorization manipulation. The threat model has changed.
hubs.la/Q04jm4wN0
#CredentialSecurity #CyberThreats
53
82% of breaches involve stolen credentials. Your MFA isn't stopping them.
Phishing kits clone domains in minutes. Deepfakes approve push notifications across time zones. If a secret can be known, it can be stolen.
hubs.la/Q04jgy940
#NextGenMFA #IdentitySecurity
40
The Carnival disclosure follows a pattern showing up across enterprise breaches:
→ Phishing relay
→ Push-approval abuse
→ Help-desk manipulation
hubs.la/Q04jcRcb0
40
#MFA authenticates the perimeter. It doesn't protect what's already inside.
That's the real lesson from the Nitrogen ransomware group and the Foxconn incident — and it has nothing to do with malware sophistication.
hubs.la/Q04gppbJ0
#CyberThreats #IdentitySecurity
72
Legacy MFA has one fatal flaw: it assumes enrollment can't be abused remotely. In outsourced environments, that assumption breaks.
When identity can be re-issued over a phone call, attackers don't bypass your controls. They use them. hubs.ly/Q04gd1ll0
#PhishingResistant
56
Ransomware doesn't need to break in anymore. It inherits access.
That's the real lesson from the Nitrogen ransomware group and the Foxconn incident — and it has nothing to do with malware sophistication.
hubs.la/Q04gvRK30
#CyberThreats #IdentitySecurity
1
92
They're calling your employees, faking IT support, and walking them through OAuth flows until Salesforce issues the token itself.
Auth apps see none of it. Hardware-bound identity does.
hubs.ly/Q04fr-1y0
#IdentitySecurity #PhishingResistant
68
Insurance wasn't breached. Identity was borrowed. Scattered Spider called the help desk. Impersonated an employee. Reset MFA. Got in.
No malware. No exploit. Just a support process that couldn't verify who was asking.
hubs.ly/Q04gcL0R0
#PhishingResistant #CyberThreats
75
CrowdStrike just named Cordial Spider and Snarky Spider. Same playbook. New crews. More scale.
They don't need to break your stack. They just need one person to answer the phone.
hubs.la/Q04frk5p0
#BiometricAuthentication #CredentialSecurity #IdentitySecurity
57
Salesforce is the new identity goldmine.
Google. Adidas. Amtrak. Medtronic.They weren't hacked. Their employees were coached into handing over access.
Auth apps confirmed it happened. They didn't stop it.
hubs.ly/Q04fsg4N0
#IdentitySecurity #PhishingResistant
83
Valid credentials ≠ valid identity.
Attackers didn't exploit a vulnerability. They became a recognized user. That's not a cloud problem. That's an authentication problem: hubs.la/Q049slv90
#BiometricAuthentication #IdentitySecurity #CredentialSecurity #PhishingResistant
1
49
CrowdStrike is tracking two new groups running the Scattered Spider playbook across finance, healthcare, and retail.
Their only tool: human judgment under pressure.
That's not a vulnerability you patch. It's one you architect around.
hubs.la/Q04fr9q70
#IdentitySecurity
70
As long as identity can be reassigned over the phone, attackers will make that call.
More training won't fix it. Better monitoring won't fix it.
Remove the attack surface. Don't manage it. Learn more: hubs.la/Q049lhqb0
#BiometricAuthentication #IdentitySecurity
3
55