In our last post, I encouraged Christian charities to audit their passwords and commit to stronger and more secure login habits. That’s a critical first step, but it is also only a first step.
Even the strongest passwords can be compromised through phishing attacks, data breaches, or social engineering. So once your passwords are squared away, what’s next?
Let’s take some time to discuss how your charity can go beyond passwords with tools like multi-factor authentication (MFA), passkeys, single sign-on (SSO), and token-based authentication.
Turn on Two-Factor or Multi-Factor Authentication (2FA / MFA)
Turning on Two-Factor or Multi-Factor Authentication is one of the simplest and most effective ways to protect your accounts today.
With MFA, even if someone gets your password, they can’t log in without a second layer, such as a code from your phone, an app notification, or a biometric scan (fingerprint or facial recognition).
Most platforms your charity already uses (email, donation platforms, cloud storage) support MFA. Some are opt-in, meaning you, the user, must enable it, and some are opt-out, meaning it is on by default unless you turn it off. A quick look at the security section of your account settings will tell you which applies to each service.
The biggest complaint with 2FA/MFA is that it can get “annoying” when logging in from a public or new device. I have certainly let my annoyance get the best of me at times when my MFA seems not to recognize me as me, but trust me, this annoyance pales in comparison to the annoyance of having to recover a compromised account.
Quick Tip: App-based authenticators (like Google Authenticator or Microsoft Authenticator) are safer than receiving codes via text message.
Passkeys for Supported Services And Accounts
Passkeys are a newer, passwordless login technology that uses a device-specific key, often tied to your fingerprint, face, or device PIN, to log in.
They’re faster, easier, and far more secure than traditional passwords because:
- There’s no password to steal or reuse.
- They’re resistant to phishing.
- You only need to remember your device login.
While passkeys aren’t yet available everywhere, more platforms adopt them all the time. For now, they’re a smart choice for any account that supports them, especially financial platforms and shared admin tools.
Consider Single Sign-On (SSO) for Teams
If your organization uses multiple tools and platforms, consider using a Single Sign-On (SSO) provider like Okta, Ping, OneLogin, CyberArk, etc.
With SSO, staff log in once to a central dashboard and then gain secure access to all approved tools, without needing to remember a different password for each one.
Benefits include:
- Centralized control over who can access what.
- Fewer login prompts for staff.
- Easy deactivation when someone leaves the organization.
SSO is especially useful as your team grows or you onboard volunteers and temporary staff.
Look Into Token-Based or App-Specific Authentication
For advanced use cases—like accessing databases, APIs, or integrations—token-based authentication is a safer alternative to username-password combos.
These “tokens” are time-limited, encrypted credentials often used by applications and tools behind the scenes. If you’re unsure whether this applies to your team, chat with whoever manages your systems or digital tools.
Even for everyday users, many platforms offer app-specific passwords or “access tokens” for linked tools—these can limit the damage if a credential is compromised.
Upgrade to Hardware Security Keys
Hardware security keys are a strong option for those who want even more protection or are security nerds like me.
You insert or tap these small physical devices (USB, NFC, or Bluetooth) to confirm your identity. You must have the physical key present to log in.
They’re ideal for:
- Admins with access to critical systems.
- Staff handling donor or financial data.
- Leaders who frequently log in from different locations or devices.
Brands like Yubico, Feitian, and SoloKeys offer hardware-based options that work with major platforms like Google, Microsoft, and more.
Unlike SMS or app codes, these keys are immune to phishing attacks and can be used for both MFA and passwordless logins in supported systems.
Stay Vigilant: Even Good Security Isn’t Foolproof
Let’s be real: even with the best security, there’s no such thing as being 100% secure. A highly motivated attacker—especially one with resources, time, or insider access—can eventually find a way in. As the saying goes, “All security is theatre.”
But that doesn’t mean we give up—quite the opposite.
Security is about raising the cost of an attack, buying time, reducing risk, and deterring casual or opportunistic threats. It’s about making your charity a harder target than the one next door.
That’s why vigilance matters. Even with MFA, passkeys, and token systems:
- Stay alert for phishing attempts.
- Educate staff regularly on what suspicious activity looks like.
- Don’t ignore gut feelings when something seems “off.”
- Never log in using a link in an unexpected email.
Ultimately, security isn’t a one-time setup. It’s an ongoing posture. One that combines good tools with good habits and an aware team.
What You Can Do This Week
- Turn on MFA for all staff accounts, especially email and cloud storage.
- Try enabling a passkey for any supported personal or organizational account.
- Review who has access to your critical systems, and how they log in.
- Look into security keys for your leadership or admin accounts.
- Start a conversation with your staff about secure access in your context.
Good tools, good habits, and good awareness go further than any one product ever will. By staying proactive, you and your team can help protect the important work you do every day.