Upgrading Your Nonprofit’s Security: When and Why to Choose Phish-Resistant MFA Options for Nonprofits
Protecting your nonprofit’s data—from donor lists and financial records to confidential client information—is a fundamental part of protecting your mission. While the conversation around security can sometimes feel overwhelming, the core decisions are often straightforward: Which investments deliver the most protection for the most critical assets?
Multi-Factor Authentication (MFA) is the most effective single step any nonprofit can take to prevent common attacks. If your team is already using MFA (such as receiving a code via text or an authenticator app), you are doing much better than most.
However, as the calendar turns, many organizations and staff face a heightened risk. Seasonal pressures, like urgent delivery delay scams, fake holiday bonus notifications, or wire transfer requests from a “traveling executive” often exploit the rush and distraction of the end of the year. Criminals rely on staff to take immediate, urgent action without pausing to verify.
For your most targeted staff and your most critical systems, it is time to look at the next level of defense: phish-resistant MFA options for nonprofits.
The Security Spectrum: Not All MFA is Created Equal
Think of your current authentication process as a series of gates. When you use your password and then input a code from a text message or an authenticator app, that is two gates. It works, but both gates can potentially be compromised by sophisticated attacks called phishing.
With AI technology, phishing attacks are getting smarter, and some can trick a user into inputting their one-time code on a fake site, allowing the attacker to steal the code in real-time. This is called an Attacker-in-the-Middle or AitM attack. This is why we recommend an upgrade for the most targeted staff.
We call the highest level of security Phish-Resistant MFA. This is MFA that simply cannot be tricked by a fake website. The two best phish-resistant MFA options for nonprofits are Physical Security Keys and the emerging technology of Passkeys.
Option 1: Physical Security Keys (The Best for Critical Roles)
Physical keys, like those made by Yubico, plug into your computer’s USB port or tap against your phone. They replace the step of typing in a code with a simple touch of the key.
How They Stop Phishing
The key to their security lies in the underlying technology (called FIDO). When you tap the key to log in, it doesn’t just send a secret code; it confirms your login only to the genuine website it was originally registered with. If a scammer sends you a link to a fake site that looks exactly like your bank or Microsoft login, your physical key will simply refuse to work, automatically blocking the phishing attempt.
Who Needs a Physical Key?
While all staff can benefit, we recommend starting with staff whose accounts are highly valuable targets for cybercriminals:
- Executive Directors & Leadership: Protecting executive accounts is critical for preventing wire fraud and impersonation.
- Chief Financial Officers (CFOs): Their access to bank accounts and financial systems requires the highest level of security.
- IT Administrators: Accounts with the power to change security settings for the entire organization must be locked down.
- HR Staff: They hold highly sensitive staff and volunteer PII (Personally Identifiable Information).
Making the Investment: Nonprofit Discounts
The cost of a security key is minimal compared to the cost of a security breach. Fortunately, there are excellent options available:
- Yubico’s Secure it Forward Program: Yubico offers security key donations to qualifying nonprofits to help them implement strong authentication. This is an excellent place to start to outfit your critical staff.
- We recommend checking with your current IT vendor or support team about key costs and benefits.
Option 2: The Future of Logging in — Passkeys
Passkeys are a modern authentication method that is rapidly being adopted by technology companies (Google, Apple, Microsoft, etc.) because they solve the password problem entirely.
If you have a modern smartphone or computer, you likely already have the ability to use passkeys.
What Is a Passkey?
Think of a passkey not as a password you remember, but as a digital signature automatically stored and managed by your device (your phone, laptop, or password manager).
- Common Use Case: When you log into an account that supports passkeys, your device asks you to confirm it is you—usually with a fingerprint, face scan, or a simple PIN.
- What Happens Next: Your phone or computer then digitally signs the login request, proving your identity to the website. Crucially, no password or secret code is ever typed, sent, or shared.
Passkeys are More Secure and Easier to Use
- No Password Required: They eliminate the need for a password entirely, meaning there is nothing to forget and nothing to be stolen from a data breach.
- Phish-Resistant: Like physical keys, they are built on the same FIDO standards, meaning your device will only authenticate you to the real website, making phishing impossible.
- Seamless Experience: Once set up, logging in is as fast as unlocking your phone.
We strongly urge you to use the passkey option whenever it is available on an application or service. It delivers the highest security with the best user experience and is a great phish-resistant MFA option for nonprofits.
Communicating the MFA Upgrade: Getting Staff Buy-In
The biggest barrier to new security measures is staff frustration. Our advice is to communicate the why and make the how as simple as possible.
1. Focus on the Mission, Not the Mechanics
When introducing physical keys or encouraging passkey adoption, shift the conversation from “It’s an IT requirement” to “It’s how we protect the people and mission we serve.”
“Our new security keys/passkeys protect our donor data, keep our grant funds safe from fraud, and ensure we can maintain the public trust required to carry out our mission.”
2. Use Simple Analogies for Training
Your staff are professionals, but they may not be technical experts. Use simple, relatable comparisons when explaining the new tools. You can explain a Physical Security Key as being just like the highly-secure key card or fob you use for the office building—you must have the physical item and tap it to get in. A Passkey can be compared to the identity chip in your modern car key; you don’t have to put it in a lock or type a code; simply having the key near the car and pressing the button (your fingerprint) is enough to prove it is you.
3. Emphasize the Recovery Plan
Staff worry most about losing a key or forgetting a PIN. Ensure your IT staff or provider has a clear, documented, and practiced recovery process for these “break glass” moments. Knowing they won’t be locked out for a week builds confidence in the new process.
Next Steps
- Start the conversation with your leadership team and IT staff.
- Identify the individuals in your organization who hold the most sensitive access and are the most valued targets, and make a plan to implement phishing-resistant MFA for them first.
- Research phish-resistant MFA options for nonprofits like Yubikey and passkeys.
- Include training for staff if you move forward with a phish-resistant MFA upgrade.
This approach offers an immediate and significant return on your security investment.
You Have the Power to Secure Your Mission
The most important takeaway is that your nonprofit is capable of managing your own cybersecurity effectively. You are hopefully already using tools like strong passwords, MFA, and security awareness training. Adopting phish-resistant MFA options for nonprofits like physical keys and Passkeys is the next logical step in building a mature and resilient security posture. These tools are available, accessible (especially with nonprofit discounts), and are a worthy investment to protect the vital work your organization does.
Ready to Strengthen Your Security Posture?
If you have questions about implementing FIDO keys, planning staff training, or where Passkeys fit into your overall IT strategy, we are here to help.
To get started with an expert conversation about your organization’s unique risks, contact Community IT today. We offer a free cybersecurity assessment led by our CTO and cybersecurity expert, Matthew Eshleman, to help you chart your next steps with confidence.
Community IT has been serving nonprofits exclusively for almost twenty-five years. We offer Managed IT support services for nonprofits that want to outsource all or part of their IT support and hosted services. For a fixed monthly fee, we provide unlimited remote and on-site help desk support, proactive network management, and ongoing IT planning from a dedicated team of experts in nonprofit-focused IT. And our clients benefit from our IT Business Managers team who will work with you to plan your IT investments and technology roadmap if you don’t have an in-house IT Director.
We also offer nonprofit managed security services – proactive cybersecurity tactics that drastically reduce the risk of damage during a cyberattack. If you have questions about cybersecurity, incident response planing, or business continuity, you can learn more about our approach and client services and contact us here.
We think your IT vendor should be able to explain everything without jargon or lingo. If you can’t understand your IT management strategy to your own satisfaction, keep asking your questions until you find an outsourced IT provider who will partner with you for well-managed IT.
If you’re ready to gain peace of mind about your IT support, let’s talk.
As advocates for using technology to work smarter, we’re practicing what we recommend. This article was drafted with the assistance of an AI, but the content was reviewed, edited, and finalized by a human editor to ensure accuracy and relevance.
Photo by Evgeniy Alyoshin on Unsplash