Why Passwords Alone Are Not Enough
Passwords are stolen, reused across services, and cracked by brute force. Adding a second factor means an attacker who steals a password still cannot log in without the user’s device or biometric.
MFA Method Comparison
- TOTP Apps (Google Authenticator): Time-based one-time passwords. Secure and free, but can be phished.
- Hardware Keys (FIDO2/WebAuthn): Phishing-resistant. The gold standard for high-risk accounts.
- Push Notifications: Easy UX, but vulnerable to MFA fatigue attacks.
- SMS OTP: Weak — susceptible to SIM-swapping. Avoid for sensitive systems.