Why MFA matters - and is so often misunderstood
MFA (multi-factor authentication) is the single most effective measure against account takeovers. Studies show MFA blocks over 99% of automated attacks. But not all MFA is equal. Some methods are now trivially bypassed; others hold up even against real-time phishing.
Prefer phishing-resistant MFA
Passkeys (FIDO2/WebAuthn) and hardware tokens are domain-bound - they simply don't work on a phishing site.
SMS and email are the weakest tiers
SIM swapping and phishing proxies target these. Replace them where you can.
MFA fatigue is real
When your phone buzzes in the middle of the night: don't approve a push by reflex. Pause and ask: did I just log in?
The MFA hierarchy (worst to best)
🟡 SMS / voice call Better than nothing, but vulnerable to SIM swapping (an attacker convinces your carrier to port your number to a new SIM). Also interceptable via SS7 weaknesses.
🟡 Email code Only as secure as the email account itself - the very thing we want to protect.
🟢 TOTP app (authenticator) Google Authenticator, Microsoft Authenticator, Authy. Code rotates every 30 seconds. Resistant to SIM swapping, but not to phishing: enter the code on a fake page and it gets relayed in real time.
🟢 Push notification "Approve sign-in?" with yes/no. Convenient, but vulnerable to MFA fatigue: an attacker sends 50 pushes in the middle of the night, eventually someone taps "yes".
🟢🟢 Number-matching push Like push, but you have to enter a 2-digit number from the browser into the phone. Significantly slows down MFA fatigue.
🟢🟢🟢 Passkey / FIDO2 / WebAuthn Cryptographically bound to the domain. On a phishing page it does not work - the domain doesn't match, the key refuses. The gold standard.
🟢🟢🟢 Hardware token (YubiKey, FIDO2 stick) Physical USB/NFC stick. Same security as passkeys, platform-independent. Recommended for privileged accounts (admin, finance).
What is a passkey, concretely?
A passkey is a cryptographic key on your device (phone, laptop, security key), unlocked with biometrics (FaceID, fingerprint) or PIN. At login:
- The website asks: "Prove it's you."
- Your device signs a challenge with the private key.
- The website verifies with the public key - done.
There is no code to type, no secret on the website's side, and no phishing surface, because the key is bound to the real domain.
An employee clicks on a perfect Microsoft 365 login look-alike and types username and password. The fake page relays the data to the real ms-online.com and prompts for MFA. Without passkey: the authenticator code is also relayed, and the attacker has full access. With passkey: the device recognizes the wrong domain - the key is never released. Phishing fails.
Three steps for you this week
- Inventory: which accounts have which MFA today? (Bank, email, Microsoft 365, cloud storage, social media.)
- Upgrade: where SMS is active, switch to authenticator or passkey.
- Save recovery codes: setup gives you 8-10 single-use codes. Print them, store in a safe. Not inside the account they protect.
The most common mistakes
MFA only on email
All other accounts share email as a recovery path. If email falls, everything falls.
Backup codes in the same manager
If the manager is compromised, the codes are gone with it. Paper in a safe is better.
Only one hardware token, no backup
Tokens get lost. Always register a second factor in parallel.
Approving pushes blind
Unexpected push: do not approve it, then change your password: a push you did not trigger means someone else just entered it correctly.
The simple rule
Wherever possible: passkey. Where not: authenticator app with number matching. Never SMS-only for important accounts.