Why You Need Multi-Factor Authentication (MFA) on Every Account—Right Now
Seth Keddy


Publish Date: May 25

One password isn’t enough. Not in 2025. Not with phishing, data leaks, and account hijacking on the rise every year. It doesn’t matter if you're a software engineer, gamer, small business owner, or just someone trying to keep their email safe—if you’re not using multi-factor authentication (MFA) yet, you’re an easy target.

In this article, we’ll break down:

  • What MFA (and 2FA) actually is
  • Real-world attacks MFA would have stopped
  • How to set up MFA on Google, Microsoft, and more
  • The best MFA methods (and what to avoid)
  • Why it matters even on “non-important” accounts

What is MFA (and 2FA)?

MFA = Multi-Factor Authentication

2FA = Two-Factor Authentication (a type of MFA)

They both mean this: you need two or more of the following to log in:

  • Something you know (like a password)
  • Something you have (like your phone or security key)
  • Something you are (like a fingerprint or facial recognition)

Most common example:

You enter your password → then get a code on your phone. That’s 2FA.

Other examples:

  • Push notifications (Google Prompt, Microsoft Authenticator)
  • Hardware security keys (like YubiKey)
  • Biometric unlock after login attempt

Real-World Attacks MFA Could Have Prevented

Let’s look at how bad it gets when people don’t use MFA.

The Twitter Bitcoin Hack (2020)

Hackers gained access to internal Twitter tools by phishing employees. They used that access to take over high-profile accounts, including those of Elon Musk and Barack Obama, to push a crypto scam. MFA on internal accounts would have blocked this.

Colonial Pipeline Ransomware (2021)

Attackers got into the company’s VPN using a single leaked password from a previous breach. No MFA required? They walked right in. The result? Critical infrastructure shutdown. National impact.

Reddit Hack (2023)

Employees received phishing texts that led to a fake login page. The attacker captured their credentials and got access to internal systems. Again, MFA would have stopped the session takeover even after the password was stolen.

If it can happen to multi-billion-dollar companies, it can happen to you.


How to Set Up MFA (Quick Guides)

Google (Gmail, YouTube, etc.)

  1. Go to Google Security Settings
  2. Under "Signing in to Google", click 2-Step Verification
  3. Choose your method:
    • Google Prompt (recommended)
    • Authenticator app (Google Authenticator, Authy)
    • Backup codes (store offline!)
  4. Enable and test it
  5. Bonus: Turn on Advanced Protection for extra security

Microsoft (Outlook, Teams, Xbox)

  1. Go to Microsoft Security Info
  2. Click + Add sign-in method
  3. Choose:
    • Microsoft Authenticator (push notification)
    • Text message (less secure)
    • Email backup (not recommended)
  4. Save and test

Other Platforms

  • GitHub → Settings > Security
  • Facebook → Settings > Security & Login > Use two-factor authentication
  • Instagram → Settings > Security > Two-Factor Authentication
  • Amazon → Account > Login & Security > Two-Step Verification

Search more: https://2fa.directory


Which MFA Method Should You Use?

Not all MFA is created equal. Here's a breakdown:

Least Secure (but better than nothing)

  • SMS-based 2FA (text codes)
  • Easy, but vulnerable to SIM-swapping and phishing

Better

  • App-based codes (TOTP)
  • Apps: Google Authenticator, Microsoft Authenticator, Authy, Aegis
  • Works offline
  • Still phishable, but stronger than SMS

Best

  • Push-based MFA (Google Prompt, Microsoft push)
    • Reduces phishing risk
    • You can deny unexpected logins in real time
  • Hardware security keys (YubiKey, Titan, SoloKey)
    • Phishing-resistant
    • Doesn’t rely on trusting the device or network
    • Supports passwordless login with FIDO2/WebAuthn
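
To make the difference between the "Better" and "Best" tiers concrete, here is an added Python illustration (not code from the original article). A TOTP code is derived only from a shared secret and the clock, which is why it works offline and why nothing ties it to a site, while a WebAuthn relying party checks the origin the browser recorded in clientDataJSON. The secret is the RFC 6238 test key, the origins and challenge are constructed placeholders, and signature verification of the assertion is omitted.

```python
import base64, hashlib, hmac, json, struct

# RFC 6238 test key ("12345678901234567890"), base32-encoded as apps store it.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, at, digits=6, step=30):
    """RFC 6238 TOTP (HMAC-SHA1): needs only the shared secret and a clock."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret_b32, code, at, window=1, step=30):
    """Server side: accept the current step plus/minus `window` steps of drift.
    The code is identical wherever the user typed it; no site is bound to it."""
    return any(
        hmac.compare_digest(totp(secret_b32, at + i * step, step=step), code)
        for i in range(-window, window + 1)
    )

def verify_client_data(client_data_json, expected_origin, expected_challenge):
    """Origin and challenge check a WebAuthn relying party applies.
    The browser, not the user, fills in `origin`. Signature check omitted."""
    data = json.loads(client_data_json)
    return (data.get("type") == "webauthn.get"
            and data.get("challenge") == expected_challenge
            and data.get("origin") == expected_origin)

def demo():
    now = 59  # constructed timestamp taken from the RFC 6238 test vectors
    code = totp(SECRET, now)
    site, challenge = "https://login.example.com", "c2FtcGxl"  # placeholders
    def client_data(origin):
        return json.dumps({"type": "webauthn.get", "challenge": challenge,
                           "origin": origin})
    return {
        "totp_code": code,
        "totp_accepted": verify_totp(SECRET, code, now),
        "key_on_real_site": verify_client_data(client_data(site), site, challenge),
        # An assertion produced on a look-alike domain carries that domain.
        "key_on_lookalike": verify_client_data(
            client_data("https://login.example.net"), site, challenge),
    }

if __name__ == "__main__":
    print(demo())
```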

Why MFA Matters Even on “Boring” Accounts

Think MFA isn’t needed on your food delivery or Spotify account? Think again:

  • Reused passwords are everywhere. If your Spotify password was leaked in 2019 and you use the same one for email? Game over.
  • Attackers chain accounts. From Dropbox to taxes to blackmail—it escalates quickly.
  • MFA slows bots down. Even if they get your password, the login fails.

Your email is the master key. If it's compromised, every account linked to it can be reset.


MFA for Devs and Engineers

If you're in IT, dev, or DevOps: MFA is a baseline requirement.

Turn it on for:

  • GitHub / GitLab
  • Cloud platforms: Azure, AWS, GCP
  • CI/CD systems, Jira, Confluence
  • VPNs and remote access tools

Use tools like Duo, Okta, Azure Conditional Access, or JumpCloud for team-wide policies.


Pro Tips for Backup and Redundancy

MFA can lock you out, too. Here’s how to avoid that:

  • Save backup codes (securely and offline)
  • Use TOTP apps that support export (Authy, Aegis)
  • Add more than one device (e.g., phone + tablet)
  • Buy two hardware keys: one primary, one backup

Bottom Line

If you’re not using MFA, you’re relying on a password that might’ve already been leaked.

MFA stops 99% of account takeovers. It’s free, fast, and already available on most platforms.

Your Next Steps

  • Go to your most-used accounts and enable MFA
  • Use app-based codes or hardware keys—ditch SMS
  • Help your team, friends, and family secure their accounts too
  • Because once your account is hacked, it's already too late
