What changes with this new HYPR and Yubico partnership?

Identity verification and YubiKey provisioning are now tightly connected, so each key is pre-registered to a verified user before shipment and activated securely upon arrival.

How does this improve remote rollouts?

Enterprises can ship keys globally with proof that intended recipients are the ones who activate the device, reducing logistics friction, failed enrollments, and deployment delays.

What compliance benefits does this provide?

The verified identity event is linked to the cryptographic credential, producing a clear audit trail and aligning with NIST 800-63-3’s assurance model while enabling AAL3-level authentication from first use.

Does this help with loss, replacement, or re-enrollment?

Yes. HYPR Affirm can re-verify identity for high-risk events like replacement or role changes before provisioning a new credential, maintaining continuous assurance and reducing social-engineering risk.

What is the end-user experience like?

Users receive a pre-registered YubiKey and complete a simple identity verification step to activate it. They log in with phishing-resistant passkeys—no passwords or complex setup required.

Table of Contents

Get the HYPR_Activity Newsletter

Stay ahead of the curve with the latest news, ideas and resources on all things Identity Assurance and Passwordless.

Blog Your Niece Can Now Launch a 'Sophisticated' Cyberattack

Your Niece Can Now Launch a 'Sophisticated' Cyberattack

Your niece doesn’t need to write malware, understand how SSO works under the hood, or possess any deep technical skill to launch the same so-called “sophisticated” MFA bypass attacks behind today’s breach headlines.

With basic tooling and straightforward instructions, she can execute voice phishing (vishing) campaigns now attributed to groups like ShinyHunters and Scattered Spider.

The outcomes are serious. The access is real. But the execution? Increasingly mundane — because this isn’t about elite attackers getting better. It’s about identity workflows and systems being executed at scale.

Alex Poole

4 Min. Read | February 5, 2026

Voice Phishing Attack, As Executed By Your Niece

Here’s how your niece, let’s call her Mary, actually executes these attacks in practice:

Mary doesn’t start by looking for a vulnerability in the traditional sense — the vulnerability is the human. She starts with an employee, someone whose name, role, and rough responsibilities are easy to piece together from LinkedIn, job postings, and basic company information. Basic internet fluency.

From there, Mary doesn’t craft an attack so much as assemble one. An AI-generated script fills in the gaps: the right tone, the right urgency, internal phrasing that sounds familiar enough to pass. The scenario is mundane by design — a broken phone, an Okta lockout, an executive who needs access restored, and FAST. It doesn’t need to be perfect. It just needs to sound routine.

Then, she makes the call.

There are no links to click and no suspicious emails to flag. Just a voice on the line. Caller ID spoofing makes the number look internal. Confidence carries the rest. The helpdesk agent does what they’re trained to do (and is in their title): help a colleague get back to work.

While that conversation unfolds, the real work happens quietly in parallel. A widely available phishing proxy sits between the employee and the legitimate SSO page. As the employee enters credentials and approves MFA, guided step by step over the phone ,session tokens are captured in real time. The authentication succeeds. MFA is technically “passed.” From the system’s perspective, nothing looks wrong.

From the attacker’s perspective, access is now persistent. And at no point did your niece “break” MFA, she simply walked through it.

As these campaigns expand, they increasingly resemble an industrialized workflow:

Target reconnaissance
Social Engineered vishing made fast and easy with AI
Proxy tooling to intercept authentication
Access abuse to reach sensitive systems
Extortion as the monetization layer

It is a supply chain — one that scales because the tools scale.

AI Accelerates the Collapse of the Skill Floor

AI didn’t create this class of attack, and it didn’t even fundamentally change the tactic. What it did was make something obvious that many security teams ignore: the success of these intrusions has very little to do with attacker skill, and almost everything to do with how identity systems are designed to be used.

This is why talking about a “lowered barrier to entry” only tells part of the story. The more important shift is that the attack no longer depends on individual capability at all. It depends on access to operationalized workflows. The fragile parts of the attack (the parts defenders assumed were hard) have been replaced with tooling.

As a result, these campaigns now look less like hacking and more like manufacturing. Trust is initiated through conversation. Authentication is intercepted through proxy tooling. MFA isn’t broken; it’s satisfied. Access isn’t escalated; it’s abused exactly as designed. Extortion follows. Each step is modular, repeatable, and easily handed off. Scale comes not from better attackers, but from better processes. This is why groups can run the same campaign across dozens or hundreds of organizations simultaneously.

Most organizations responded to phishing by hardening login. Attackers simply moved laterally across the identity lifecycle,to recovery, helpdesk, enrollment, and factor changes,where controls were weaker and trust assumptions were higher. The result is a diagnostic map of where identity systems still assume that successful authentication equals legitimate access.

As long as identity workflows are built around shared secrets, interceptable flows, and human trust at the moments that matter most, these attacks will remain viable.

What This Means for Enterprise Defense

When teenagers like your niece Mary can cause enterprise-scale disruption by executing a workflow, that’s not a threat intelligence problem. It’s an identity architecture problem.

The organizations that stop these attacks aren’t the ones adding more training on social engineering or longer helpdesk scripts. They’re the ones removing entire classes of failure.

Phishing-resistant authentication eliminates the ability to proxy sessions. FIDO2 Passkeys remove shared secrets entirely. Strong identity verification at recovery and high-risk moments ensures that “valid access” actually means legitimate access.

Until then, we’ll keep calling the attacks and methods sophisticated, while ignoring how easy the attacks have become.

Subscribe to our updates to receive expert insights and learn how HYPR's multi-factor verification and digital identity solutions can protect your business and customers.

Alex Poole

Alex Poole is Senior Manager of Growth and Marketing Operations at HYPR, where she leads initiatives focused on demand generation, pipeline acceleration, and channel growth. She helps bring HYPR’s identity assurance story to life through strategic campaigns and hands-on execution across marketing operations. Alex focuses on refining messaging, optimizing funnels, and driving measurable impact through every stage of the go-to-market motion.