Session hijacking and two-factor authentication (2FA) compromise were a painful headache for security teams for years. One-time password (OTP) authentification is common yet is insufficient to protect against modern real-world attack scenarios. According to the 2023 State of the Phish report by Proofpoint, 84% of organizations faced at least one successful phishing attack last year, while 54% faced three or more attacks. To improve the authentication process, Grammarly’s security team worked with a white-hat partner to simulate a sophisticated cyberhack on the existing OTP system. We’ll share our insights from this experiment and explain why we made the switch to the FIDO2 standard based on our learnings.