Why Cybersecurity Training Fails — And Why Legacy MFA Makes It Worse

By Kevin Surace  |  4 minute read

A new study from UC San Diego Health should make every security leader stop and think. Researchers ran nearly 20,000 employees through ten simulated phishing campaigns over eight months. The result? Training made almost no difference. Employees who had recently completed mandatory cyber awareness courses failed phishing tests at virtually the same rate as those who hadn’t. The average gap was a meager 1.7% improvement — effectively zero.

Think about that. Millions are spent on annual training, yet employees fall for the phish at the same rate anyway. Worse, most staff didn’t even engage with the material. Over 75% of employees spent less than a minute on the training page, and as many as half closed it instantly.

The lesson is harsh but clear: training alone does not protect enterprises from phishing.

AI Has Made Phishing Impossible to Spot

Generative AI has supercharged attackers. Today, anyone can spin up a pixel-perfect spoofed login page in under a minute. The fake site looks flawless, the URL uses look-alike characters, and the phishing email reads like it came from your own IT department. No amount of “hover over the link” or “check for spelling errors” advice helps when the fake looks better than the real thing.

That means relying on employees to detect phishing attempts is not just ineffective — it’s irresponsible.

Legacy MFA Fails the Moment One Employee Clicks

Even if just one employee clicks, the attacker wins. Here’s why:

Modern phishing kits don’t just steal usernames and passwords. They act as man-in-the-middle relays. When the real system asks for multi-factor authentication, the fake site simply passes that request along. The employee thinks they’re approving themselves in their authenticator app — but in reality, they’re approving the attacker.

This is exactly how Scattered Spider, Octo Tempest, and others are breaching Fortune 500 firms. SMS codes, push approvals, and authenticator apps can all be phished, relayed, or tricked. Training cannot prevent that.

Token Stops the Attack Chain Completely

Token Ring and Token BioStick were designed for this new reality. They eliminate the human element that training and legacy MFA still depend on:

  • Biometric match required: No fingerprint, no login. Even if the device is stolen, it’s useless.
  • Domain-bound credentials: Each login is cryptographically tied to the legitimate site. A spoofed or relayed page simply fails to authenticate.
  • Proximity enforcement: The Token must be physically near the machine logging in. Remote attackers get nothing.
  • No codes, no prompts, no approvals: With Token, there’s nothing to phish, nothing to relay, and nothing to fatigue a user into approving.

Even if an employee clicks the wrong link or falls for a perfect phish, the attacker still can’t log in. The authentication simply fails.
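To make the "domain-bound credentials" point concrete, here is an added illustration (not Token's code or protocol) of an origin-bound challenge-response in the spirit of FIDO2/WebAuthn. It assumes a simplified model in which the device and server share a per-origin HMAC key rather than a public/private key pair, and a constructed look-alike origin; the point it shows is that the origin the browser actually visited is part of the signed data, so a relayed challenge cannot produce a valid login.

```python
import hashlib, hmac, json, secrets

# Constructed model (not Token's implementation): per-origin keys, and the
# browser-reported origin is inside the signed data, as in WebAuthn's clientData.
class Authenticator:
    def __init__(self):
        self._keys = {}  # origin -> key; a credential is scoped to one origin
    def enroll(self, origin):
        self._keys[origin] = secrets.token_bytes(32)
        return self._keys[origin]
    def sign(self, origin, challenge, biometric_ok=True):
        # The browser, not the user, supplies `origin`: a look-alike site cannot
        # request another origin's credential, and no fingerprint means no signature.
        key = self._keys.get(origin)
        if key is None or not biometric_ok:
            return None
        client_data = json.dumps({"origin": origin, "challenge": challenge.hex()},
                                 sort_keys=True).encode()
        return {"client_data": client_data,
                "sig": hmac.new(key, client_data, hashlib.sha256).digest()}

class RelyingParty:
    def __init__(self, origin):
        self.origin, self._keys, self._pending = origin, {}, {}
    def register(self, user, key):
        self._keys[user] = key
    def start_login(self, user):
        self._pending[user] = secrets.token_bytes(32)  # fresh, single-use challenge
        return self._pending[user]
    def finish_login(self, user, assertion):
        challenge = self._pending.pop(user, None)
        if assertion is None or challenge is None:
            return False
        data = json.loads(assertion["client_data"])
        # Origin binding: an assertion made on a spoofed origin is rejected even
        # when the relay forwarded the genuine challenge unchanged.
        if data["origin"] != self.origin or data["challenge"] != challenge.hex():
            return False
        expected = hmac.new(self._keys[user], assertion["client_data"],
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["sig"])

def run(browser_origin, biometric_ok=True):
    """True if login succeeds when the victim's browser is on browser_origin."""
    rp, dev = RelyingParty("https://login.example.com"), Authenticator()
    rp.register("alice", dev.enroll(rp.origin))
    challenge = rp.start_login("alice")  # a relay would pass this along verbatim
    return rp.finish_login("alice", dev.sign(browser_origin, challenge, biometric_ok))
```

Running `run` with the genuine origin succeeds, while the constructed look-alike origin or a missing biometric both fail, which is the behaviour the bullet list above describes.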

Training Won’t Save You. Token Will.

The UCSD study confirms what many CISOs already know: annual awareness training isn’t moving the needle. AI-powered phishing and real-time MFA relay attacks have made user judgment irrelevant. What matters now is phishing-proof architecture at the authentication layer.

That’s exactly what Token delivers.

Before the next breach headline has your company’s name on it, ask yourself: are you still betting on training and legacy MFA, or are you ready to deadbolt the front door shut?

Ready to see Token in action? Speak to an expert.

FAQs

Does security awareness training actually stop phishing attacks?

Training improves awareness, but it doesn’t stop phishing. Research shows employees still fall for modern attacks even after repeated training. Attackers now use advanced phishing kits that capture MFA codes and relay push approvals in real time. Stopping these threats requires phishing-resistant authentication, such as Next-Generation MFA that uses biometrics and proximity instead of passwords, phones, or codes.

Why does legacy MFA fail against phishing and relay attacks?

Legacy MFA depends on shared secrets like OTPs, SMS codes, or push approvals that can all be intercepted or relayed. Attackers trick users into approving access on spoofed pages, which completes a valid login for the attacker. Phishing-resistant MFA, like Token’s Next-Generation MFA, binds each login to the legitimate domain and requires biometric presence, blocking relay attacks automatically.

What’s the best next step for companies that want to stop phishing and credential theft?

Start a short pilot using phishing-resistant or Next-Generation MFA. Focus on high-risk groups like finance or IT admins, and integrate with your existing SSO platform such as Okta, Microsoft Entra, or Ping. By authenticating with proximity-based biometrics instead of passwords or push prompts, you close the attack window that legacy MFA leaves open. Measure reductions in phishing attempts, credential reuse, and help-desk resets, then expand to all users.