Roughly ninety percent of successful breaches now begin by defeating the identity layer, and the multi-factor tools most companies just finished rolling out are exactly what attackers are walking through. Kevin Surace explains how AI turned faces, voices, and one-time codes into easy forgeries, and what it takes to prove a real human is the one logging in.
For most of the internet's life, proving identity has meant proving something you know or something you hold: a password, a code, a text message. Kevin Surace, CEO of TokenCore, argues that era is closing fast. As one of the people who helped invent the AI assistant at General Magic, he has a clear view of why the same technology now makes faces and voices simple to fake.
Why isn't MFA enough? Because it protects a weak foundation. A decade-old paper mapped fifteen ways to defeat SMS codes, auth apps, and push approvals. Few attackers bothered with them until platforms like Salesforce and Microsoft made those methods mandatory. Now the attack has moved to where the door is.
Surace walks through one of the common methods: an AI-written phishing email from a service you already trust, a PDF, and a pixel-perfect login page generated in moments. The credentials you enter are relayed to an attacker who is logging into the real site in real time. The push prompt asks if it is you, you approve, and the intruder is inside within minutes.
The numbers back it up. Palo Alto Networks Unit 42 found that roughly ninety percent of successful intrusions over the past year involved hacked identity, almost all of them involving MFA or auth apps. The people compromised had privileged access, which means they had MFA in place.
So what actually works? Surace makes the case for biometric-assured identity, a category Gartner projects growing into a twelve billion dollar market. TokenCore ties access to a fingerprint stored only on your device, the exact domain your account lives on, and physical proximity over a short-range wireless link. Look-alike domains never register, remote relays never get close enough, and the company never holds your biometric.
The hardware comes as a ring, a portable, or a node about the size of an AirTag, and it is FIDO2 compatible, so it works with existing single sign-on. Most customers go passwordless once it is running. The reaction Surace hears most often from security leaders is that they can finally sleep at night.
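The relay described above, and the domain binding that stops it, as an added worked example (not code from TokenCore or the episode): a relayed one-time code is accepted because it carries no origin, while an origin-bound FIDO2-style assertion signed from a look-alike domain fails the relying party's origin and rpIdHash checks. The relying-party names, keys and the HMAC stand-in for the device's signature are all constructed.

```python
"""Why a relayed login defeats a one-time code but not an origin-bound assertion.
Illustration added here, not TokenCore's code. Relying-party names, the HMAC
stand-in for the authenticator's signature, and all keys are constructed."""
import hashlib
import hmac
import json
import os
import struct
import time

REAL_RP_ID = "okta.example.com"            # constructed relying-party identifier
REAL_ORIGIN = "https://okta.example.com"
PHISH_ORIGIN = "https://okta.example.con"  # look-alike page the victim actually loaded


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code. It carries no origin, so wherever it is typed, it is valid."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def rp_accepts_otp(secret: bytes, submitted: str, now: int) -> bool:
    # The server can only check the code; it cannot tell which page collected it.
    return hmac.compare_digest(totp(secret, now), submitted)


def authenticator_assert(cred_key: bytes, challenge: bytes, page_origin: str) -> dict:
    """Modelled on a WebAuthn assertion: the device signs over the origin the browser
    actually loaded and the rpIdHash derived from it. HMAC stands in for ECDSA."""
    rp_id = page_origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()          # rpIdHash field
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "sig": hmac.new(cred_key, signed, hashlib.sha256).digest()}


def rp_accepts_assertion(cred_key: bytes, challenge: bytes, assertion: dict) -> bool:
    """Relying-party checks in the order WebAuthn prescribes: type, challenge,
    origin, rpIdHash, then the signature over authenticatorData || hash(clientData)."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False
    if cd.get("origin") != REAL_ORIGIN:      # signed from a look-alike page: reject
        return False
    if assertion["auth_data"] != hashlib.sha256(REAL_RP_ID.encode()).digest():
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


def simulate_relay(victim_origin: str) -> tuple:
    """An attacker session with the real RP forwards its challenge to the victim's
    browser and relays back whatever the victim produces. Returns (otp_ok, fido_ok)."""
    otp_secret, cred_key, challenge = os.urandom(20), os.urandom(32), os.urandom(32)
    now = int(time.time())
    # Code read from the auth app and typed into the fake page: accepted as-is.
    otp_ok = rp_accepts_otp(otp_secret, totp(otp_secret, now), now)
    # Device signs with the origin the victim's browser really loaded.
    fido_ok = rp_accepts_assertion(cred_key, challenge,
                                   authenticator_assert(cred_key, challenge, victim_origin))
    return otp_ok, fido_ok


if __name__ == "__main__":
    print(simulate_relay(PHISH_ORIGIN))  # (True, False): code relays, assertion does not
    print(simulate_relay(REAL_ORIGIN))   # (True, True): genuine login still works
```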
This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight
GUEST
Kevin Surace, Chief Executive Officer, TokenCore
LinkedIn: https://www.linkedin.com/in/ksurace/
RESOURCES
Learn more about TokenCore: https://www.tokencore.com
Are you interested in telling your story?
▶︎ Full Length Brand Story: https://www.studioc60.com/content-creation#full
▶︎ Brand Spotlight Story: https://www.studioc60.com/content-creation#spotlight
▶︎ Brand Highlight Story: https://www.studioc60.com/content-creation#highlight
KEYWORDS
Kevin Surace, TokenCore, Sean Martin, brand story, brand marketing, marketing podcast, brand spotlight, biometric assured identity, identity security, multi-factor authentication, MFA bypass, phishing resistant authentication, FIDO2, credential theft, passwordless, deepfake, AI security, account takeover, Unit 42, Gartner
The Identity Gap Behind Nearly Every Breach | A Brand Spotlight Conversation with Kevin Surace, CEO of TokenCore
[00:00:20] Sean Martin: And hello, everybody. Thanks for joining us for this chat. We're gonna have, uh, a good conversation with Kevin Surace from TokenCore. How are you doing, Kevin?
[00:00:29] Kevin Surace: I am so good. How are you?
[00:00:30] Sean Martin: I'm doing fantastic. And, uh, we, we had a chance to, uh, to connect around RSAC Conference. Didn't get a chance to record there. We're gonna have a nice conversation, I think, rooted in identity. So who, who am I? Who am y- who are you? No, it's much, much big- much bigger and broader than that.
[00:00:49] Kevin Surace: be AI avatars, actually. There is no way for the audience to
[00:00:52] Sean Martin: That's right. Yeah. They, they may think I am all the time anyway. Um, so we're gonna have some fun today. I'm excited for this conversation. Uh, let, let's start with an overview of who you are, and then, uh, we'll go from there.
[00:01:06] Kevin Surace: Uh, who I am or who TokenCore is, how
[00:01:08] Sean Martin: Well, you know, of you first and then the company.
[00:01:11] Kevin Surace: Sure. Okay. Well, uh, s-surprising, I'm mostly known in the AI circles, uh, for being the father of the AI assistant. Uh, me and my team at a company called General Magic some years ago invented the darn thing and, uh, laid out all the patents for doing such a thing, and that led to products like Siri and Alexa and everything else that we know today. And in fact, all of those, uh, uh, techniques are still being used for all of the, uh, sort of voice interaction that we're seeing today in voice AI. So, um, so that's, that's, uh, a lot of where I started. Um, uh, in the last, uh, five years, I've been very concerned about what AI does to our identity, what AI does to our identity online, what AI is doing, uh, in terms of empowering, uh, bad actors in ways that you couldn't have thought of just two or three years ago. And, um, and it's becoming an epidemic. Ev- you know, every, ev-ev-every major
[00:02:08] Sean Martin: Mm-hmm.
[00:02:08] Kevin Surace: is being done basically the same way, and it's all about attacking identity. So it's a, it's an interesting time. But anyway, that's my background and, uh, and, uh, what I'm, what I became concerned about over the last several years.
[00:02:19] Sean Martin: Yep. And so how does that connect to, uh, what you're doing at TokenCore? And maybe a, a, yep, an overview of how TokenCore came to be as well.
[00:02:29] Kevin Surace: Well, TokenCore came to be fourteen years ago as a spin-out out of Rochester Institute of Technology, and a group of engineers, uh,
[00:02:38] Sean Martin: Yeah,
[00:02:42] Kevin Surace: wearable devices. A lot of those things included payments and, uh, car doors and things like that. And, uh, I came, uh, came to be involved about five years ago and recognized that those are all interesting, but they can be done okay by a, a phone, and you probably have a phone, and it's good enough. But, uh, what was clear could happen, and I, I, I didn't come up with this. I had read a, a really good paper from a gentleman about ten years ago that said, "Someday the world's gonna move to MFA, 2FA, SMS codes, and auth apps, and here are the 15 ways that are really easy for them to be hacked." He publishes this. It's someone in the industry, I won't mention his name, but everyone knows him. People weren't really paying attention to that. And I read that and I go, "This is a serious problem that's about to happen." Now, why it wasn't a problem five years ago is no one was using MFA and auth apps, so the bad actors didn't have to go after that factor, right? Well, all of a sudden, just in the last two years, you know, Salesforce forces auth apps, Microsoft forces auth apps. Just go down the line, either auth apps or SMS or, or some other, uh, MFA. And these are very old techniques and technologies. They're basically all 20 years old. Could've done any of them for the last 20 years. They are not secure. And so only in the last, you know, 12 to 18 months, all the bad actors quickly, what do they do? They go off and do what the guy said they would do. I, I had someone on our podcast recently ask me, "I, I can't believe that, that, uh, all of a sudden they're attacking, uh, the auth app at Salesforce. Why are they doing that?" I go, "Because until, you know, a year ago you didn't use the auth app to Salesforce. You didn't have to attack it. All you needed was someone's credentials on the, on the dark web." Now I actually need to attack that, and the method to do so, 15 methods, were laid out, like I said, a decade ago.
So this is what's, uh, what's fascinating and what, uh, not only keeping me up at, at, at night. I, I just spoke at, uh, at a major CSO, uh, CISO conference and, um, I, I will tell you, everybody's, you know, trying to close the gap on identity and, um, and we, we think there's only one sure way to do that, so that's what we spent the last five years proving and rolling out and, and, you know, it's g- the space is on fire, so we feel very fortunate.
[00:05:13] Sean Martin: and I, I want your take on what identity means. 'Cause I'm, I'm curious, when you're talking to CISOs, are they, are they thinking about and talking about and planning around what they think identity is and was five years ago, even a year or so ago, and it looks, it looks different from where things are heading and, and they're missing the mark? Yeah.
[00:05:37] Kevin Surace: That, that is a great question. Uh, so I, I think Gartner said it best just recently. They created a new category, which only Gartner I suppose could do. Other people do, but th- they do it all the time, uh, that's called biometric-assured identity. And they basically said this is a nascent category, and in the end, given AI, it's going to be a $12 billion category in a matter of years. And, um, and I think that's right. What we've done for identity for the longest time was, first of all, it was something you knew. You knew your password. That was enough. Turns out really bad idea. We know that, right? Not good. And then it was maybe something you possess, like I have this device and it gives me a code, and therefore that's secure. out bad idea, actually. And I'll take you through... I can take the audience through real quickly how, how these hacks happen, how these, uh, you know, uh, intrusions happen and, uh, and how dangerous they are. So in the end with AI, actually, we're gonna go to some level of biometrics. The first thing people think, uh, uh, think is, "Well, how about face?" No. You have my face, and we have Sean's face right now this podcast. Um, and so it's, uh, in 2017 it was proven that you, Sean, just being on here and once in a while turning and turning, AI can capture enough of your three dimensions that even with a three-dimensional camera, we can actually create a mask that goes on someone's face and it'll fool the camera, okay? That's 2017, so almost 10 years ago, right? So, um, most of these things work just 2D, so even 2D or 3D, forget face is done. Voice is already done. I can go to so many websites now, um, ElevenLabs and others, and just mimic anyone's voice with 15 to 30 seconds of their voice. It's all I need, and I've, and I've got a clone copy. So all the banks, you know, in, in, in Europe for a long time used voice print, and they can't do that anymore. That is a, that is a disaster.
These things are interactive too, so it's not that they just say something. You can actually ask them and they'll interact and come back. So voice is gone, face is gone. So that leaves very few things. Fingers are still, uh, if you didn't put them in the network, are still private. You have 10 of them. Um, they are easy to read. There's a bunch of things you have to do with it, but if you treat it well, the, a fingerprint can last us probably decades. I mean, we've got a long time before some- somehow something's gonna thwart fingerprints because we all have very different fingerprints, you know, literally billions of them. Um, so, so that's what biometric assured ident- That's what biometrics means. That's what identity means to me. Identity means when I'm talking to Sean, when Sean's logged on to this platform, I know it's really Sean. It's not fake Sean. And when Sean logs on to his banking account, it's Sean. When Sean logs on to his email at work, it's Sean. Not something he possesses or something he knows. It's actual Sean, period, proven biometrically. Then there's no argument, right? The next step is what do we
[00:08:47] Sean Martin: Yeah.
[00:08:47] Kevin Surace: that? Which is everyone's next question, right?
[00:08:50] Sean Martin: Yeah, and I think the, a lot of organ- certainly banks and, and where money's involved, they, they require the proof of who you are, right? You come in and you actually sign, and, and you actually prove in person that you are that. Then once the account's created, then they fall back to the other stuff. I forget,
[00:09:10] Kevin Surace: That's
[00:09:10] Sean Martin: this, it was probably like a year and a half ago, I, I was gonna... I didn't do it 'cause I thought it would be a little creepy, but I was like, tongue print. So
[00:09:17] Kevin Surace: Yes.
[00:09:18] Sean Martin: I, I was gonna create an im-
[00:09:20] Kevin Surace: that'll
[00:09:21] Sean Martin: You, you lick, you lick a device, and there you go. But, um, joking aside, this, this is serious. And so tell us how TokenCore kinda gets in there and, and, uh, does its thing to, to kinda help with this.
[00:09:35] Kevin Surace: me give you, um, one stat. This is from Palo Alto Networks, Unit forty-two. Over the last year, f- uh, ninety percent of successful intrusions, um, hacked identity, and almost all of those were MFA, and auth apps included those, right? Ninety percent. So w-- I know we're all talking about what happens if someone hacks an agent, and the agent goes rogue, and all that. Get that. Hasn't really happened yet, but we know, we know the attack vector to do so. But ninety percent of successful bad actor intrusions, including the biggest ones, Canvas, and Quantas, and Striker, and all these things, started with an identity hack. All of those people had privileged access, which means for sure they had MFA, for certain. No, no question. So how does this happen? Well, it happens... There's fifteen ways, but I'll give you the easiest one. The easiest one is, uh, is just an attacker in the middle or man in the middle, uh, uh, attack, but it's a relay attack. Basically, I use AI to create personalized phishing emails, very personalized. So Sean's email is different than mine is different than someone else's. AI creates them by grabbing stuff off the web about you, and so you get something that's very personalized. It comes from, uh, Calendly, something that you trust, right? Comes from a service you trust. So DKIM works, right? All-- SPF works. The emails get through, and there's no links in the email body, but it says, "Hey, open this PDF. You've got to address some problem on the employee system or some record or something." People open the PDF. It-- Look, legit email, legit place it came from. They open it. It has a link in it. You go t-to that thing, and it takes you to whether it's a Microsoft site or an Okta login or whatever. And that site was generated by AI, and it's pixel perfect. It was generated in moments, right? It's pixel perfect. So you're looking at it. What do you do? You put in your login ID and password. It's pixel perfect.
Those get relayed to the hacker. They're getting relayed to a hacker. Hacker's in Russia. They get relayed. He's going into the real site, right? He or she's going into the real site. And when he does, what happens after the password enters? It says, "Is it you?" on your phone. Your phone, the auth app says, "Is it you?" And what do you say? I'm logging in. This is the site I always log into. It's me. And what did you just do? You let him in. You didn't let you in. There's nowhere to go. You got a 404 here, and they're in, in your system. And as you know, over the last, uh, few years, the time in system has gone way down, and they need literally just a couple of minutes. They know exactly where to go to extract exact what data, what, you know, what report they want. And within five minutes they're already emailing someone at that company saying, "Send me a million dollars or I'm gonna release this data, and here are some snippets." That's how easy... That's one of 15 ways. All 15 are used today, but that's a simple one that anyone on this call can do. Teens do it. There's, lastly, there's kits that you download to do this or that you subscribe to for $200 a month that build the site and build the emails. They build everything for you. They set the relay up. All you do is sit there and wait on a screen, and when someone does it, gonna let you in with their MFA, with their 2FA, with their SMS, with their auth app. Doesn't really matter.
[00:13:09] Sean Martin: Ah, and of course all the downstream stuff is fun there. So, uh, so what, uh... Yeah, let, let's, let... Yeah, let's, let's look at this. Uh, are you-- where are you sitting? At the enterprise, uh, employees or partners or customers?
[00:13:24] Kevin Surace: enterprise across all employees who have access to any data that one could ransom, right? Um, since, since, again, 90% of attacks are coming in this way, we have to close that door. So we make a variety of products. You know, here's, here's one. It's called a portable. Here's another one that's a wearable. We have a variety of form factors. But basically this is how they work. Number one, fingerprint required. So the fingerprint you registered when you were with IT is the only fingerprint that will work on that device from henceforth, unless you completely erase the device and hand it back to IT. Your fingerprint is stored with you on your device, never with the cor-corporation. Company doesn't have your biometrics. You have it. You have it right here. The second thing is, every time you register with whatever corporate applications there are, you are registering wi- uh, with your fingerprint being domain bound to the original domain you registered. So if it's okta.amazon.com, I'm making it up, I don't know if that's an actual subdomain, um, your, let's say ring in this case, or your portable device or whatever, they're all wireless by the way, there's nothing to plug in, um, will only work on that exact domain. So literally okta.amazon.com. So when the bad guy creates okta.amazon.con, you don't see the N because we-- it doesn't register. Nothing happens. It won't work at all. N- literally nothing happens. Nothing. It's gonna over there for something, and here nothing can happen. La- sec- next thing, this only works over Bluetooth, BLE, so within three feet of the device logging in. So you need proximity on top of everything else. So proximity, domain bound, bound to your fingerprint, period, full stop. And there's no cellular on this, so nothing can light it up from more than three feet away. Um, it stops all of these kinds of attacks. There, there is, there is n- there's no phishing spoofing attack. There's no MFA bombing attack.
There's like, there's, there's no, uh, um, uh, SIM swap. None, none of these things work at all because it's you, it's you logging in within three feet, domain bound to the original domain that IT had you set your account up on. it. Like, nobody's get-- So I'll g- you know, I mean, I'll give you some examples, but I can tell you what people come back and say, CISOs really, or IAM leaders, right? "I can sleep at night." Is it... That's the, that's the line they always give me two weeks later.
[00:16:02] Sean Martin: Yep.
[00:16:02] Kevin Surace: finally sleep at night." This is, you closed the number one gap that everybody's coming in on, and that even with AI agents, they're gonna come in on. They're gonna come in with an identity, uh, uh, hack, because that's just, it's so easy.
[00:16:16] Sean Martin: Yep. And we get a cool ring.
[00:16:19] Kevin Surace: And you get a cool ring or a portable or our node, which is the size of an Apple AirTag. Goes in all the AirTag accessories. You slap it on the back of your
[00:16:27] Sean Martin: Nice.
[00:16:29] Kevin Surace: y- this is just something you carry with you. It's, you know, it's for you, and it's personal. And, no one, by the way, no one can get your fingerprint out of this thing because it's stored in a particular kind of secure element. It's called a secure element. It's a t- type of integrated circuit that, um, if you open the device up and try to do anything with that, it destroys the information, which on top of it is already encrypted. So even if you could get it out, you couldn't do anything with it. But furthermore, it destroys the data anyway. So your fingerprint is not... You know, unlike passkey, where passkeys can be... They are. They're stored in the network, so you can use them across devices. That's a very dangerous thing. And, and so this is stored in a device that no hacker can get into. And even if you lost the device and they got into it, they couldn't do anything with it. It's really, it's a really brilliant solution to this problem that
[00:17:19] Sean Martin: Ah.
[00:17:23] Kevin Surace: biometric FIDO2 compatible, so it'll work with services and all SSOs right out of the box.
[00:17:29] Sean Martin: So how, how does somebody, uh, get a ring? Close us out with how, how people get a, a token or a ring or whatever it is, uh, AirTag.
[00:17:36] Kevin Surace: for, uh, um, you know, mostly they're corporate customers. You can just go to tokencore.com, uh, and, uh, and ask to speak to sales, and someone will get right back to you, fill out a form. Um, there's actually an online store. You-- If you wanna buy one or five or ten or 20, you can buy them right on the TokenCore store. Um, it's, uh, uh, it's online. Um, you know, I think, I think when you look at... When we look at all the happy cus-- like, the amazing customers that have rolled these out, um, it is the number one thing they say. First of all, they can sleep, and second of all, no one has gotten in through identity anymore. They can get your ID and password, but who cares? And by the way, most of our customers go passwordless after this because you don't need the password. You're fully protected by your, um, uh, you know, by your fingerprint.
[00:18:23] Sean Martin: Kevin, sounds really good. I'm sold. I'm sold.
[00:18:29] Kevin Surace: fortunate.
[00:18:31] Sean Martin: Ah, I, uh, I need to get, I need to get a ring and, uh, can I... And one, one for Marco too. Why not? And, and get our, get our team set up.
[00:18:40] Kevin Surace: everyone, everyone's gonna wanna identity hack you tomorrow, so
[00:18:43] Sean Martin: Yeah, tha- thanks, thanks for this chat to, uh, to make me a target.
[00:18:47] Kevin Surace: Put the
[00:18:49] Sean Martin: there you go. Uh, Kevin, it's great chatting with you. I, I feel like we could talk all kinds of fun stories for hours. Uh, maybe, maybe I'll have you back on to do some more of that. Uh, in the meantime, uh, everybody should connect with the TokenCore team and connect with Kevin and see how they, how they can fit into your, uh, identity management and, uh, protection programs. Thanks again, Kevin.