
Why MFA matters (and which kinds really help)

Google’s large-scale study shows that even basic hygiene massively cuts risk; adding a recovery phone blocked the vast majority of automated and bulk phishing attempts in testing, and stronger factors performed even better. Security keys and other phishing-resistant methods are the gold standard for stopping targeted phishing.

Government guidance now clearly recommends phishing-resistant MFA—namely FIDO2/WebAuthn authenticators (security keys or built-in platform authenticators)—because they don’t share reusable codes with websites and can’t be tricked by look-alike phishing pages.

Turn on the strongest option first: passkeys and security keys

Passkeys are built on the W3C WebAuthn/FIDO2 standards: your device creates a unique public-key credential per site and unlocks it with a biometric or PIN, so there’s nothing to phish or reuse. Major platforms and browsers support it natively.

Platform docs explain why passkeys are safer than passwords: they’re unique per site, stored in secure device storage, and far less vulnerable to phishing. If your account offers “Use a passkey” or “Security key,” enable it.

For high-value accounts (email, cloud admin, finance), add a physical FIDO2 security key as a second enrolled method. Case studies and guidance highlight that security keys dramatically reduce phishing-based takeovers at scale.

If passkeys aren’t available, use an authenticator app—not SMS

App-based one-time codes (TOTP) or app push approvals are much safer than SMS. NIST’s identity guidelines formally restrict use of the public telephone network (PSTN) for out-of-band codes due to SIM-swap/port-out risks; if you must keep SMS as a fallback, treat it as last resort.

Push-based MFA should use number matching to defeat “MFA fatigue” spam approvals. Microsoft now enables number matching by default; turn it on anywhere your provider supports it.

CISA’s position is straightforward: aim for phishing-resistant MFA (FIDO/WebAuthn); otherwise harden push with number matching.

Lock down account recovery before attackers do

Add and confirm a recovery email, generate backup codes, and store them offline. Because SMS can be hijacked, add a PIN/passcode to your mobile carrier account to make SIM-swaps harder, and keep your phone and apps patched.

Set NIST-aligned password policies you can live with

Use a password manager and long passphrases. NIST says subscriber-chosen passwords should be at least eight characters, services should accept passwords of at least 64 characters, periodic changes should not be forced without evidence of compromise, paste should be allowed (so managers work), and new passwords should be screened against breach lists.

Passkeys reduce what you must remember, but for any account that still needs a password, follow those rules and turn on MFA on top.

Device-level protections that quietly boost your login security

Keep your OS and apps up to date; many MFA/authenticator protections rely on secure hardware storage and current cryptography. CISA’s mobile guidance calls out regular updates as a basic, high-impact control.

When you use platform authenticators (passkeys), modern systems store private keys in secure hardware (e.g., Secure Enclave/TPM/TEE) and require you to unlock the device to use them, which prevents malware or websites from extracting secrets.

What to enable, in order of impact

  1. Passkeys/security keys on your primary email, password manager, cloud storage, developer, and financial accounts. These accounts can reset everything else.
  2. Authenticator-app 2FA with number matching on any service that doesn’t yet support passkeys.
  3. Recovery hygiene: backup codes in a safe place, recovery email verified, and a carrier account PIN to blunt SIM-swaps.
  4. NIST-aligned passwords: long, unique, breach-checked; allow paste; no forced periodic changes without cause.
  5. Sign-in alerts and regular device review: turn on new-login notifications and prune old trusted devices/sessions. (Most providers include this in “Security” settings.)
  6. Regular updates for phones, browsers, and authenticator apps.

Quick setup checklist

Enable a passkey or add a FIDO2 security key wherever you see the option.
Switch any remaining SMS 2FA to an authenticator app; turn on number matching for push.
Generate and store offline backup codes; add a carrier account PIN; update your phone.
Replace weak passwords with long, unique passphrases; stop forced 90-day resets.

FAQs

What’s the single best protection I can enable today?
Passkeys or a FIDO2 security key on your primary email and password manager, because those accounts can reset access everywhere else. They’re phishing-resistant by design.

Is SMS 2FA still okay?
Better than nothing, but it’s vulnerable to SIM-swap and PSTN attacks; NIST restricts PSTN-based out-of-band authentication. Prefer authenticator apps or, ideally, passkeys/security keys.

Do passkeys work across my devices?
Yes. Platform documentation explains that passkeys are device-stored credentials that sync via the operating system’s credential manager (for example, Apple’s iCloud Keychain) and work across your signed-in devices.

Do I still need a password manager if I use passkeys?
For accounts that haven’t adopted passkeys yet, yes. Follow NIST’s password guidance and enable MFA on those accounts until they support passkeys.


Winner.X - CryptoDeepin © 2025. All rights reserved. 18+ Responsible Gambling