
AI phishing has grown more targeted and realistic, overwhelming the limits of human judgment.
Ronnie Manning, Chief Brand Advocate at Yubico, explains that employees cannot be expected to catch every scam as attacks scale.
He says enterprises need phishing-resistant authentication like Passkeys and hardware security keys to block attacks automatically and remove human error.
Sophisticated, AI-driven phishing attacks are forcing companies to reassess their corporate security. Yesterday's clumsy, typo-filled scams are nothing compared to today's hyper-personalized, emotionally charged, and AI-engineered attacks that can mimic colleagues, leaders, and even friends with unsettling accuracy. With human judgment no longer a sufficient defense, the industry is turning to tech to replace vulnerable habits with authentication that can't be tricked.
For an expert's take, we spoke with Ronnie Manning, the Chief Brand Advocate at Yubico, a leading provider of authentication security hardware. With over two decades of experience launching new technologies and a background as the company’s former CMO, Manning has had a front-row seat to this evolution for years. In his view, the old idea that only a handful of "privileged users" needed serious protection vanished the moment the office perimeter dissolved. Now, he says, many enterprises are taking a hard look at their authentication strategies.
"The only reliable path forward is modern authentication that takes the choice out of the user’s hands. FIDO2 Passkeys and hardware security keys can do that. Training has value, but it's unrealistic to expect every employee to spot every scam," says Manning. It's a reminder that the most effective security upgrades start by reducing what employees need to guess or interpret.
AI's new tricks: Manning explains that the real danger is no longer volume but precision. "AI allows hackers to create personal, targeted phishing attacks at scale. By scraping publicly available information, they can create custom landing pages and emails that convincingly impersonate others and include your personal details," he says. "This enables extremely accurate email phishing, text message phishing, and even voice phishing with voice cloning."
While AI gives adversaries the power to craft these highly personalized operations, the answer to the challenge is a class of tools defined as "fundamentally phishing-resistant" authentication. The technology eliminates phishable factors such as SMS codes: the credential is cryptographically bound to the user and to the specific service, so there is no transferable code to hand over. That same binding checks that the site is the legitimate one before any credential is sent, so the attack is blocked automatically even when a fake login page fools the user.
Mind the wooden door: But even this strong protection can be undermined if account recovery methods are not equally secure. Manning notes an often-overlooked weakness: "downgrade attacks" that bypass strong primary authentication by targeting a weaker secondary option, like a simple text message code, to gain access. "The weakness in secondary, or backup, authentication is a real vulnerability. If you have a big steel wall with one little wooden door in it, you're not protected. Your security has to be steel all the way around and fully locked down. That is the only approach," Manning insists.
All systems go: For any executive questioning the feasibility of such a widespread change, Manning says the transition is already a present-day reality. Major technology platforms are on board, building the infrastructure and driving the widespread adoption of phishing-resistant authentication. "The popular identity platforms, like Microsoft, Okta, and Ping, are all building Passkey support, so the massive ecosystems are there to support this. There is industry momentum behind this; it was even a major point of discussion at Black Hat," he notes.
Two keys better than one: The ecosystem is designed for flexibility, where organizations can use different types of authenticators—like FIDO2 Passkeys and hardware security keys—based on specific needs. "We see the best results when organizations use multiple authenticators together," Manning explains. "A physical key can ground a user’s identity for high-stakes moments like onboarding, while a syncable passkey on a trusted phone can handle everyday logins with less friction."
As attacks become more automated, a simple proof of physical human presence is emerging as an important safeguard. Manning explains that requiring a physical touch or gesture raises a barrier that a remote AI agent or piece of malware cannot clear, because code cannot supply the required human interaction.
The path of least resistance: The technological evolution often goes hand-in-hand with a cultural one. For a smooth transition, leaders are encouraged to educate their teams on the "why" behind the change, framing it as a benefit that makes everyone's lives both easier and more secure. "Education is key," says Manning. "When teams know why the change matters, the resistance drops quickly."
The result is a new model that is both more secure and easier for employees, Manning concludes. By challenging the long-held belief that strong security must be complicated, leaders are encouraging adoption.
"There's a legacy mindset that strong security has to be difficult. FIDO2 and Passkeys prove otherwise by delivering the highest level of authentication in a way that's extremely easy to use. Once people see they can log in faster and stay more secure, it's a light bulb moment. A simple touch or facial scan is all it takes to break the belief that security has to be a burden." Nothing sells the shift faster than employees discovering the technology makes their day easier.