Fighting Phishing: Why Two-Factor Authentication Is No Longer Enough
August 13, 2025 • Cybersecurity
Fourteen years ago, Google introduced two-factor authentication (2FA), which became an essential tool for verifying user identity and preventing phishing scams. And, like so many technologies dating back to 2011, it’s time for a 2FA update.
While 2FA is widely used across enterprise companies, only 34% of mid-sized organizations currently use 2FA. Those who have implemented the protections through SMS codes or authenticator apps may be operating under a dangerous assumption: Their systems are secure.
Unfortunately, the tactics used by cyberattackers have evolved with the times. Phishing attacks that were once preventable by traditional 2FA codes or device prompts can now be circumvented entirely. As you look to protect your organization and its users in an altered landscape, adding advanced protections like key-based authentication constitutes more than an upgrade. It’s essential for your peace of mind.
The frustration of an ever-changing cybersecurity landscape
Cybersecurity threats are always in motion, which is why it’s impossible to set up a security feature and never worry about it again. An organization like yours may have only recently implemented 2FA across your system logins. Forcing your team to make another change to their processes with a new kind of 2FA is understandably frustrating.
But there’s no denying that phishing attacks should be a constant concern in 2025. In 2019, Google estimated that users had roughly a one-in-a-million chance of encountering the kind of attack designed to steal 2FA codes. Now, we see those kinds of attacks in our work with Personified’s clients every day. Google’s advice to high-risk users then is the same as ours now: Transition to key-based authentication.
Nonprofits face particularly high stakes when it comes to security. Your donor databases, sensitive communications, and operational continuity all depend on robust protections. Yet many organizations, especially those with limited IT resources, find themselves caught between the need for security and the reality of an increasingly complex threat landscape.
How phishing attacks became an industrialized threat
Today’s cybercriminals operate sophisticated “phishing as a service” businesses that have transformed attacks from amateur scams into professional operations. Attackers can purchase complete phishing kits that include pre-built templates and automation software to use with compromised email accounts.
These kits enable attackers to send convincing communications that appear to come from trusted sources. These templates enable phishing attacks to look like bid proposals, grant notifications, or vendor communications that arrive just as your team may be expecting legitimate versions of the same messages.
The attack process has multiple stages designed to bypass spam filters. Rather than including malicious links directly in emails, attackers redirect recipients to innocuous-looking pages hosted on legitimate platforms like Webflow, Canva, or Zoom Docs. These platforms can’t block every user-generated page, so the malicious content slips through.
From there, victims encounter what appears to be a standard login page—often a replica of pages you might find on Google, Microsoft, or other common platforms. Often the only indication that the page is a phishing attack is the URL: the page is served from a throwaway domain that is not the real login address. Behind the scenes, the attackers are capturing credentials in real time to gain access to user accounts.
Why traditional two-factor authentication is inadequate
The fundamental flaw with SMS codes and authenticator app codes is simple: any authentication method that users copy and paste into the legitimate login page can also be copied and pasted into an attacker’s page. When someone enters a six-digit code from their authenticator app on a phishing site, that code works just as well for the attacker as it does for the legitimate user.
Modern phishing attacks exploit this weakness through proxy techniques. Attackers create fake login pages that capture your username and password, then use that information to log into the real website in the background. When the legitimate site requests two-factor authentication, the fake page displays the same request to you. Because the attacker has just triggered a real login on the genuine site, you receive a genuine SMS code or device prompt, or are asked for a code from your authenticator app. The code you enter, or the prompt you approve, is passed along to complete the attacker’s login to the actual account.
This isn’t a theoretical vulnerability—it’s happening constantly. We see phishing emails every week that include code specifically designed to circumvent traditional 2FA tools.
The essential value of key-based authentication
The solution lies in authentication tools that cannot be inadvertently shared with attackers. Key-based multi-factor authentication provides this protection through two primary approaches: physical security keys and digital passkeys.
Physical security keys: Proven and approachable
Key fobs represent time-tested technology. These small devices plug into USB ports or connect via NFC, creating a cryptographic handshake that only functions on legitimate websites.
The beauty of physical keys lies in their simplicity and universal accessibility. The process is straightforward: plug in the key when prompted, and authentication completes automatically. There’s no code to copy, no app to open, and no opportunity for attackers to intercept credentials. They’re intuitive for users of any technical comfort level.
When someone attempts to use a security key on a phishing site, the authentication simply fails. The key cannot be tricked by proxy sites because the browser binds each signed response to the website address it is actually on: a response produced on a look-alike domain is rejected by the legitimate service, and a fake site cannot forge one for the real domain.
Digital passkeys: The convenience revolution
Digital passkeys maintain the same security principles as physical keys with an even more approachable user experience. These software-based credentials are stored on the user’s device, and the option to store them in password managers like 1Password provides seamless authentication across all devices without requiring separate setup for phones and laptops.
For organizations already using password management tools, passkeys integrate perfectly into your existing workflows. The login process is faster than traditional 2FA. Users simply approve the authentication request from their password manager rather than retrieving their phone to find a six-digit code.
Google validates the effectiveness of this approach by supporting passkeys in their Advanced Protection Program, which is designed for their highest-risk users. Digital passkeys are one of the rare win-wins in digital security: Delivering better protection while also increasing convenience for your users.
Advanced protection through device trust
If your organization requires maximum security, you can implement device trust policies that restrict network access to approved devices only. Once reserved for large corporations, this approach has become more relevant for organizations as cyber threats have intensified.
Device trust works by installing authentication certificates on approved devices, authorizing only those devices to access cloud resources like Google Workspace, Microsoft, or Okta. Users don’t need to manage additional credentials—they simply use their assigned work devices and access functions normally. Any attempts to log in from unauthorized devices, including personal laptops or compromised systems, are automatically blocked.
This approach proves particularly valuable for nonprofits with teams that include volunteers using shared organization devices, remote workers, or staff with varying technical expertise. The security operates transparently while blocking logins regardless of where an unauthorized attempt originates.
However, the engineering work required to implement device trust can be costly and complex. When you work with a specialized IT partner like Personified, you can manage this complexity behind the scenes without internal technical overhead.
Why training staff to recognize phishing tactics isn’t enough
While we offer training to ensure all users are empowered to recognize phishing messages and scams, organizations cannot rely solely on internal vigilance to prevent cyberattacks. Your staff is likely managing multiple responsibilities, checking emails during off hours, and expecting legitimate communications that are often impersonated by attackers.
In these situations, people aren’t always going to double-check URLs or scrutinize sender addresses, especially when using mobile devices with smaller screens. Even the best-trained users will fail under pressure.
Safeguards like key-based authentication shift cybersecurity responsibility from individual employees to systematic protections. The right tools will allow your organization to create a more reliable defense against phishing attacks.
Protect your organization with the new security baseline
Key-based multi-factor authentication represents the current best practice for organizational cybersecurity. Whether implemented through physical security keys, digital passkeys, or device trust policies, these approaches provide genuine protection against the phishing techniques that circumvent traditional two-factor authentication.
The transition may feel challenging, especially for teams that are stretched thin and already managing multiple security requirements. But your organization doesn’t have to navigate this complexity alone.
By partnering with Personified, you gain the expertise of cybersecurity specialists who understand the unique challenges facing your organization. The question isn’t whether your organization will face sophisticated phishing attempts—it’s whether your authentication systems will protect you when they do.
In 2025, that protection requires moving beyond traditional two-factor authentication. Ready to take the next step? Let’s connect and get started.