Two‑factor authentication (2FA) or a strong password: what’s more important?

Most online services now offer two‑factor authentication (2FA). And thanks to the added security layer that two‑factor authentication provides, some people no longer see the need for a strong pass­word. But is this the right approach?

Two‑factor authentication or a strong pass­word

Despite being a vital component in protecting your online identity and avoiding a data breach, pass­words are one of the most annoying elements of digital living. And in a study conducted by Google, 75% of people said that they were frustrated by trying to keep on top of their pass­words.

With the average person now having up to 100 pass­words for online accounts — because of the sheer number of online services that now require a pass­word — this frustration is under­standable, and in these circumstances it’s often easy to cut corners.

Exasperated by numerous requests for new pass­words, people tend to do one or both of the following: either reuse a handful of pass­words (or possibly just one) across all services; or make some slight but obvious alteration to a common pass­word (like P@sswordFB for Facebook, P@sswordIG for Instagram, and so forth), resulting in multiple, weak pass­words.

Because of the password problem outlined above, many online services now require an extra layer of security that combines your username and password with a secondary method of identification. This is known as two‑factor authentication (2FA), also referred to as multi‑factor authentication (MFA).

Adding extra security with two‑factor authentication

Two‑factor authentication (2FA) works by adding an extra layer of security to online accounts, which goes beyond your user­name and pass­word, requiring an extra login credential (such as a one‑time passcode, sent to your phone via SMS). By utilizing two forms of identification, accessed via a third‑party authenticator (TPA) or separate device, 99.9% of automated attacks are prevented (according to 2019 research from Microsoft).

“Most online services nowadays offer two‑factor authentication, which increases the security of your account,” said Sarogini Muniyandi, Senior Manager in F‑Secure’s Threat Protection Engineering. If the 2FA is available, do consider turning it on. With this extra layer of security, even if someone steals your password, they still only have half of the key needed to get into your account.

Does two‑factor authentication fix the pass­word problem?

Thanks to the added security that two‑factor authentication provides, it can be tempting to think that a secure pass­word is no longer an important component in avoiding a cyber attack. But it’s the combination of both a secure pass­word and a secondary credential via 2FA that makes it so difficult for cyber criminals to breach.

“Both a strong password and two‑factor authentication are absolutely crucial for securing online identities,” explained Laura Kankaala, F‑Secure’s Threat Intelligence Lead. A strong password means a unique password, which is not easy to guess. Easy to guess means that the password is a very clear sequence of numbers (12345678) or a word in a dictionary.
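As an added illustration (not part of the original article and not F‑Secure's tooling), the Python below audits a set of stored passwords for the weaknesses described so far: reuse, site-tagged variants of one base password such as P@sswordFB and P@sswordIG, clear digit sequences, and dictionary words. The substitution table, the four-entry word list, the site tags and the sample vault are assumptions constructed for the example, and normalizing character swaps before the dictionary check goes slightly beyond the cases named in the text.

```python
from collections import defaultdict

# Assumed substitution table and tiny word list; a real audit would load a full dictionary.
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s", "!": "i"})
WORDS = {"password", "welcome", "sunshine", "dragon"}

def is_digit_sequence(pw):
    """True for a clear run of digits such as 12345678, 87654321 or 00000000."""
    if len(pw) < 4 or not (pw.isascii() and pw.isdigit()):
        return False
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1}, {0})

def base_form(pw, site_tags):
    """Lower-case, undo simple character swaps, then drop a trailing site tag."""
    norm = pw.lower().translate(LEET)
    for tag in site_tags:
        if norm.endswith(tag) and len(norm) > len(tag):
            return norm[: -len(tag)]
    return norm

def audit(vault, site_tags=("fb", "ig")):
    """Map account -> list of weaknesses; the passwords themselves are never returned."""
    findings, groups = defaultdict(list), defaultdict(list)
    for account, pw in vault.items():
        if is_digit_sequence(pw):
            findings[account].append("digit sequence")
        base = base_form(pw, site_tags)
        if base in WORDS:
            findings[account].append("dictionary word")
        groups[base].append(account)
    for accounts in groups.values():
        for account in accounts:
            others = [a for a in accounts if a != account]
            if others:
                findings[account].append("same base as " + ", ".join(others))
    return dict(findings)

# Constructed sample vault (not real credentials).
SAMPLE_VAULT = {
    "facebook": "P@sswordFB",
    "instagram": "P@sswordIG",
    "bank": "12345678",
    "email": "vT9#qLm2!xRw7Zp",
}

if __name__ == "__main__":
    for account, issues in audit(SAMPLE_VAULT).items():
        print(account, "->", "; ".join(issues))
```

Accounts that share a base are flagged together because a single leaked password exposes all of them, whether the copies are identical or differ only by the site tag.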

Put simply: there’s no getting around the need for a strong pass­word. If your first line of defense is a weak pass­word then it makes it much easier for an attacker to breach your account, as they only have one piece of information — your 2FA credential — that they need to obtain. Thankfully, though, you can create complex pass­words using free tools such as F‑Secure’s strong pass­word generator.

“The uniqueness of the password further protects our online identities. Even if we accidentally type our password in a malicious fake site, our whole online life is not compromised via a common password in the critical services that we use,” Kankaala said. And multi‑factor authentication makes the complexity of the attack from a threat actor’s perspective more complex. It is not impossible to manipulate the user to give out their 2FA token, but it still makes the attacks harder to conduct at scale.

And it’s important to remember that two‑factor authentication is a preventative measure, which should be enabled wherever available. Otherwise, it may be used against you when trying to retrieve a breached account.

“It is also important to enable 2FA before anything bad happens,” Kankaala said. Because if threat actors get access to your account, they will definitely enable 2FA on your account to lock you out.

Could browsers and autofill be the answer?

Having established the need for strong pass­words, there are a few ways to make managing them more feasible. For example, to combat the impossible task of remembering every pass­word, many people now store credentials in their web browser, and opt to have them automatically filled in (functionality known as autofill). This has become the default way of managing pass­words for many of us, with a 2022 report finding that 75% of respondents said they saved at least some of their pass­words in their web browser.

“This is a step in the right direction, but unfortunately cyber criminals have noticed this as well,” explained Joel Latto, Threat Advisor at F‑Secure. In 2022, the infostealer malware type gained popularity among cyber criminals, and it was often used to steal login credentials stored in browsers. For example, in December 2022 alone, F‑Secure saw 23 million credentials stolen with malware such as RedLine Stealer, Raccoon Stealer and Vidar Stealer.

Even Google — which produces Chrome, the world’s most popular web browser for managing pass­words — is trying to find an alternative, having introduced passkeys in May 2023, claiming that this was the beginning of the end of the pass­word.

Passkeys are digital credentials that aim to replace pass­words by adding a new layer of security that connects user accounts to web­sites or apps, across platforms and devices. They allow people to verify them­selves with a fingerprint, a face scan, or a screen lock PIN. And even if passkeys are somehow breached, they only work on the account owner’s device.

“It is very positive to see these ecosystem owners trying to address a real consumer pain and a real security risk related to creating and using passwords properly,” said Timo Salmi, F‑Secure Senior Solution Marketing Manager, who has spent years working on solutions that help users secure their accounts.

However, we won’t be saying goodbye to pass­words any time soon, and they will remain an important part of our online security for the immediate future. But if browsers aren’t the best and most secure way of storing them, what’s the alternative?

Managing and creating strong pass­words

Modern problems require modern solutions, and this is where pass­word managers come into play. A pass­word manager is an application that not only generates strong and long pass­words for you, but it also stores them securely. To access your vault of pass­words, you only need to remember one master pass­word. This, of course, needs to be strong and unique as well, but we’re all much better equipped to remember just one master pass­word than a hundred of them.

With F‑Secure Total — which contains F‑Secure’s highly-rated ID Protection — your pass­words are monitored, you will be alerted of breaches should they occur, and you can generate and manage strong pass­words for every online account that you have.

Generate strong and unique pass­words with this free tool

Combining a strong pass­word and two‑factor authentication is crucial for securing online identities. F‑Secure’s strong pass­word generator does the first part for you. And best of all — it’s completely free.
