Google’s own research found that adding any form of multi-factor authentication (MFA) blocks 100% of automated bot attacks, 99% of bulk phishing attacks, and 76% of targeted attacks. Given that it takes fewer than five minutes to set up, MFA offers an extraordinary return on effort.
How MFA Works
Authentication factors fall into three categories: something you know (password), something you have (phone, hardware key), and something you are (fingerprint, face). MFA requires at least two of these, drawn from different categories. Even if an attacker steals your password, they cannot access your account without the second factor.
Types of MFA (Best to Worst)
- Hardware security keys (YubiKey) — phishing-resistant, gold standard.
- Authenticator apps (Authy, Google Authenticator) — excellent, widely supported.
- Push notifications — convenient but vulnerable to MFA fatigue attacks.
- SMS codes — better than nothing, but SIM-swapping is a real risk.
MFA Fatigue: The New Attack
Attackers who have your password will flood your phone with MFA push notifications hoping you approve one accidentally or in frustration. If you receive unexpected MFA prompts, deny them all and change your password immediately. Contact your security team if it happens at work.
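The pattern described above is also visible to the security team in the identity provider's push logs: a burst of denied or unanswered prompts for one user, sometimes followed by a single approval. The following is an added example (not from the original article or any vendor product) of detection logic run over constructed sample events. The JSON line format, field names and user names are all assumptions for the demo.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample push-notification events in a hypothetical IdP log format.
# bob's lines show the fatigue pattern: repeated denials/timeouts, then an approval.
SAMPLE_LOG = """\
{"ts":"2024-03-01T08:00:02Z","user":"alice","event":"push_sent","result":"approved","ip":"198.51.100.7"}
{"ts":"2024-03-01T22:14:01Z","user":"bob","event":"push_sent","result":"denied","ip":"203.0.113.9"}
{"ts":"2024-03-01T22:14:20Z","user":"bob","event":"push_sent","result":"timeout","ip":"203.0.113.9"}
{"ts":"2024-03-01T22:14:41Z","user":"bob","event":"push_sent","result":"denied","ip":"203.0.113.9"}
{"ts":"2024-03-01T22:15:05Z","user":"bob","event":"push_sent","result":"denied","ip":"203.0.113.9"}
{"ts":"2024-03-01T22:15:30Z","user":"bob","event":"push_sent","result":"timeout","ip":"203.0.113.9"}
{"ts":"2024-03-01T22:16:02Z","user":"bob","event":"push_sent","result":"approved","ip":"203.0.113.9"}
{"ts":"2024-03-01T09:30:00Z","user":"carol","event":"push_sent","result":"denied","ip":"192.0.2.4"}
{"ts":"2024-03-01T09:45:00Z","user":"carol","event":"push_sent","result":"approved","ip":"192.0.2.4"}
"""


def parse_events(log_text: str) -> list:
    """Parse one JSON object per line and convert the timestamp to an aware datetime."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return events


def detect_mfa_fatigue(log_text: str, window_minutes: int = 10, threshold: int = 3) -> list:
    """Flag users who receive `threshold` or more unapproved push prompts within a
    sliding window, and escalate when an approval arrives while such a burst is active."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ev in parse_events(log_text):
        if ev["event"] == "push_sent":
            by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        burst = []            # unapproved prompts still inside the window
        burst_alerted = False
        for ev in evs:
            burst = [b for b in burst if ev["ts"] - b["ts"] <= window]
            if not burst:
                burst_alerted = False
            if ev["result"] in ("denied", "timeout"):
                burst.append(ev)
                if len(burst) >= threshold and not burst_alerted:
                    alerts.append({"user": user, "kind": "push_burst", "count": len(burst),
                                   "first_ts": burst[0]["ts"].isoformat(),
                                   "last_ts": ev["ts"].isoformat()})
                    burst_alerted = True
            elif ev["result"] == "approved":
                if len(burst) >= threshold:
                    # Highest severity: the account was likely just taken over.
                    alerts.append({"user": user, "kind": "approved_after_burst",
                                   "count": len(burst), "first_ts": burst[0]["ts"].isoformat(),
                                   "last_ts": ev["ts"].isoformat()})
                burst = []
                burst_alerted = False
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

An `approved_after_burst` alert is the one to act on first: treat the session as compromised, revoke it, and reset the password, which is the same advice the paragraph gives the user. Number-matching prompts, where the user must type a code shown on the login screen, remove the "accidental approve" outcome entirely and are worth enabling wherever the identity provider supports them.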
Where to Start
Prioritise: email account first (it’s the master key to all other password resets), then banking and financial services, then work accounts. Most services offer MFA under Settings › Security.