Generative AI just made phishing so easy that anyone can do it—and do it convincingly. According to Axios, researchers demonstrated that in just 30 seconds, a simple natural-language prompt was all it took to build a pixel-perfect spoofed login site. No coding. No technical skills. Just type “build a copy of the website login.okta.com,” and a convincing clone appears, ready to trick anyone into handing over credentials.
That is not speculation. In the time it takes to make coffee, an attacker can spin up hundreds of these sites, blast out phishing emails, and wait for a single victim to click. Once the victim logs in, the attacker relays the credentials in real time to the real website. The real system then asks for multi-factor authentication. And here’s where legacy MFA completely fails. The victim, thinking they are logging into the real system, opens their authenticator app and approves the login. But they just authenticated the attacker, who is now inside the real system with full access.
The old advice “check the URL carefully, hover over links, watch for bad spelling” is meaningless when the fake site looks flawless. The Axios piece calls out the bigger picture: attackers are innovating faster than defenders, and the traditional defensive tweaks are no longer enough.
Their entire goal is to render your MFA and auth apps useless. And they are succeeding every hour.
This is exactly why Token Ring and Token BioStick stop this attack cold. Token products work fundamentally differently from MFA apps, SMS codes, or passkeys. They cryptographically bind each login to the legitimate domain. If a spoofed site tries to request authentication, Token simply refuses to sign it. There is nothing to approve and no code to relay. On top of that, every login requires a live fingerprint match and physical proximity to the user’s authorized device. Even if an attacker has the username, password, and physical possession of the Token device (which is highly unlikely), and the device has not been disabled, they still cannot log in without the authorized user’s biometric, which is stored inside the product in the equivalent of an electronic vault.
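As an added illustration (not Token's code, nor any particular product's implementation), the following Python model shows why binding each login to the legitimate domain breaks the real-time relay described above: the authenticator only signs for the origin the browser is actually on, so a challenge proxied through a lookalike site never gets a usable signature. The two origins, the user name and the HMAC secret standing in for a per-site key pair are constructed placeholders.

```python
import hashlib, hmac, json, secrets

# Constructed placeholders: the genuine relying party and a lookalike domain.
GENUINE_ORIGIN = "https://login.okta.com"
SPOOFED_ORIGIN = "https://login-okta.example"


class Authenticator:
    """Origin-bound authenticator: one credential per registered origin."""
    def __init__(self):
        self._keys = {}  # origin -> secret (stand-in for a per-site private key)

    def register(self, origin):
        self._keys[origin] = secrets.token_bytes(32)
        return self._keys[origin]  # the RP stores this as the verification key

    def sign(self, origin, challenge):
        key = self._keys.get(origin)
        if key is None:
            return None  # unknown origin: refuse to sign, nothing to relay
        client_data = json.dumps({"origin": origin, "challenge": challenge.hex()},
                                 sort_keys=True).encode()
        return client_data, hmac.new(key, client_data, hashlib.sha256).digest()


class RelyingParty:
    """Genuine site: single-use challenges, origin check, signature check."""
    def __init__(self, origin):
        self.origin, self.creds, self.pending = origin, {}, {}

    def begin_login(self, user):
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]

    def finish_login(self, user, client_data, sig):
        data = json.loads(client_data)
        expected = hmac.new(self.creds[user], client_data, hashlib.sha256).digest()
        return (data["origin"] == self.origin
                and data["challenge"] == self.pending.pop(user, b"").hex()
                and hmac.compare_digest(sig, expected))


def legitimate_login(rp, auth, user):
    """The user really is on the genuine origin, so the authenticator signs."""
    signed = auth.sign(rp.origin, rp.begin_login(user))
    return signed is not None and rp.finish_login(user, *signed)


def relayed_login(rp, auth, user):
    """AitM proxy forwards the real challenge, but the victim's browser is on
    the spoofed origin, which is the only origin the authenticator will use."""
    signed = auth.sign(SPOOFED_ORIGIN, rp.begin_login(user))
    return signed is not None and rp.finish_login(user, *signed)
```

`legitimate_login` succeeds while `relayed_login` fails: the authenticator holds no credential for the lookalike origin, and the genuine site would also reject a signed origin that does not match its own.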
Generative AI has democratized phishing. That makes all traditional MFA (SMS, app-based, or even push approvals) obsolete for protecting valuable systems. Attackers can spin up 100 fake sites in an afternoon and statistically guarantee a victim, so not even the best training can reliably stop this across hundreds of employees. The only real defense is phishing-proof, hardware-based authentication that removes user judgment from the equation.
If you are relying on legacy MFA today, you are already behind. AI just made phishing an attack anyone can carry out. Token products make those attacks fail.