You are one data breach away from having your entire online life turned upside down. The problem is passwords, which are hopelessly fragile ways to secure valuable resources.

Don't be lulled into a false sense of security by the belief that creating a longer, more complex, harder-to-guess password will somehow make you safer online. You can create a password that is so long and complex it takes you five minutes to type, and it will do nothing to protect you if the service where you use that password stores it improperly and then has its server breached. That happens regularly.

And even with reasonable policies in place (complexity, changed regularly, not reused), people are still the weakest link in the security chain. Social engineering can convince even intelligent people to enter their credentials on a phishing site or give them up over the phone.

The solution is two-factor authentication, or 2FA. (Some services, being sticklers for detail, call it multi-factor authentication or two-step verification, but 2FA is the most widely used term, so that's the nomenclature I've chosen to use here.)


A 2019 report from Microsoft[4] concluded that 2FA works, blocking 99.9% of automated attacks. If a service provider supports multi-factor authentication, Microsoft recommends using it, even if it's as simple as SMS-based one-time passwords. A separate 2019 report from Google offered similar conclusions.

In this article, I answer some of the most common questions people ask me about 2FA.

How does 2FA work?

Turning on 2FA for a service changes the security requirements, forcing you to provide
