The moment I realised 2FA had been off the entire time

My Steam friends list all received a phishing link from my account at the same time. I didn’t send it. I was mid-session on Sekiro, confused by the replies coming in, and the moment I worked out what had happened I scrambled — signed out of all sessions, changed the password, then pulled up my security settings.

2FA had been off the entire time. For some reason I’d never configured Steam Guard.

This post covers what Multi-Factor Authentication actually is, why a password on its own is no longer enough, and what you should do about it today — starting with the accounts you’ve probably forgotten about.

What multi-factor authentication actually is

MFA stands for Multi-Factor Authentication. Instead of relying on a single password to prove you are who you say you are, MFA asks for more than one form of proof before letting you in. The idea is straightforward: the more factors required, the harder the account is to breach.

Think of it like a door with two locks. A password gets you through the first one. MFA makes sure there’s a second. And that second lock is something an attacker is much less likely to have.

It shows up everywhere. Your email, your social media accounts, your bank, gaming platforms. That prompt asking you to approve a sign-in from your phone? That’s MFA doing exactly what it’s supposed to do.

You might also see it referred to as 2FA, which stands for Two-Factor Authentication. It’s the same principle, just specifying that exactly two factors are involved. Most platforms use the terms interchangeably, but technically 2FA is a subset of MFA. If a site asks you to set up “extra security” or “two-step verification”, that’s 2FA. It’s the most common implementation you’ll encounter day to day.

MFA is the broader term. Two factors is the baseline. More is better.

Before MFA, there was one factor — and you already know what it was

Single-factor authentication is exactly what it sounds like. One factor. One barrier between an attacker and everything behind your login screen.

For decades, that factor was your password. You created one, you remembered it (or didn’t), and that was the entire security model. Type the right string of characters and you’re in. That was it.

The problem is that passwords are guessable, stealable, reusable, and forgettable. As the internet grew and data breaches became routine, it became obvious that one factor wasn’t holding up. A password on its own was never designed to carry that much weight.

2FA, Two-Factor Authentication, was the answer. Add a second layer to the sign-in process and a stolen password alone is no longer enough. An attacker needs the password and something else. That something else made account takeovers significantly harder: the attacker now needs physical access to a device, or a much more sophisticated attack.

MFA takes that principle further. Two factors is the baseline. More is better. Understanding what those factors actually are is where most people’s knowledge stops. So let’s fix that.

Single-Factor vs Multi-Factor Authentication

SINGLE FACTOR: password only. One layer of protection between you and everything in your accounts. A stolen password means full access. The attacker never needs your device. ✗ One shot. Game over.

MULTI FACTOR: password + second factor. Multiple layers between you and anyone trying to get in. A stolen password is not enough. The attacker needs your device too. ✓ Password alone gets nowhere.

One lock versus many. The difference a second factor makes.

The three MFA factors — and what they actually mean

Your password gets you to the door. It’s not an MFA factor. It’s the baseline credential that came before MFA existed. The factors are what come after it. Most systems ask for one of these on top of your password, but understanding all three helps you make better decisions about how you protect your accounts.

The Three MFA Factors

FACTOR 01: Something you have. A device registered to you. An attacker needs it in their hands to use it. Phone · Token · YubiKey

FACTOR 02: Something you are. Biometrics tied directly to your body. Significantly harder to fake. Fingerprint · Face ID · Voice

FACTOR 03: Something you do. A human action that proves there’s a person in the loop. Push approval · CAPTCHA

This is why it’s called Multi-Factor Authentication. It’s a defence in depth principle. More on defence in depth soon on the CyberMusing blog.

Why one password isn’t enough

That password you’ve had since secondary school, the one you’ve quietly reused across six different accounts, is almost certainly in a database somewhere. Dictionary attacks work by running lists of known and commonly used passwords against login systems automatically. If your password has ever appeared in a data breach, it’s on a list.

Data breaches are more common than you think

You can check if your email address has appeared in a known breach at haveibeenpwned.com. Most people are surprised by what they find.

And once an attacker has your email credentials, the damage compounds fast. One password reset and they’re into everything tied to that address: other accounts, recovery options, anywhere you’ve used “Sign in with Google”. The 3am suspicious sign-in flag appears, and by then it’s usually too late to stop the first wave of damage.

Simple passwords are inherently insecure. MFA doesn’t fix your password problem, but it means a password alone isn’t enough to get in.

How MFA stops the attack

MFA breaks the chain. A password alone isn’t enough to get through the door. The attacker also needs whatever second factor you’ve configured. Your phone. Your fingerprint. Your hardware key. Things they’re unlikely to have sitting next to them at 3am.

It’s not bulletproof. Some attacks are built specifically to bypass MFA. Real-time phishing is one of them, and it’s worth understanding how it works. But for the vast majority of account takeover attempts, MFA stops it cold. Most attackers aren’t running sophisticated targeted campaigns against you specifically. They’re running automated tools against thousands of accounts. MFA makes yours not worth the effort.

The strongest MFA uses a physical key

If you want to go a step further, a hardware security key like a YubiKey is the most phishing-resistant form of MFA available. It uses the FIDO2 standard, which cryptographically binds each sign-in to the real domain you’re logging into, so a fake proxy page gets nothing it can use. More on YubiKeys coming up in this series.

Why MFA matters if you’re breaking into security

MFA isn’t just something end users need to understand. It’s one of the most fundamental concepts in the field. Identity is what security professionals are ultimately trying to protect. MFA is the primary mechanism for doing that at the authentication layer. If you can’t explain it clearly, you’re missing a core building block.

In almost every security role you’ll encounter it. Configuring MFA policies, troubleshooting failed authentication, advising users on which method to use, explaining to a business why enforcing MFA across all accounts is non-negotiable. These are real, everyday tasks. The principle comes up in governance conversations, in incident response, in access reviews. It’s everywhere.

It comes up in interviews too

Being able to explain MFA in plain English (what it is, why it exists, how the factors differ) is a basic expectation at entry level. Going further, explaining the difference between SMS-based MFA and FIDO2, or why certain methods are more phishing-resistant than others, is what separates candidates who’ve just read about it from candidates who’ve actually thought it through. Know it well enough to explain it to someone who’s never heard of it. That’s the bar.

The audit challenge below isn’t just good personal security practice. It’s hands-on experience with something you’ll be asked about. Do it, document it, and you’ve already got something worth talking about.

Your challenge. Do this now.

Not a financial audit. A digital one. Grab a piece of paper or open a note on your phone and list every account you can think of. Email, social media, banking, gaming, streaming. Everything.

Log into each one and check whether MFA is enabled. If it isn’t, turn it on before you close the tab. It takes two minutes per account and it’s the single most effective thing you can do to protect your digital identity right now.

Start with these if you’re not sure where to begin

Your primary email account. This is the master key to everything else, so protect it first.

Your social media accounts. Facebook, Instagram, LinkedIn, X.

Gaming platforms. Steam, Xbox, PlayStation.

Anywhere you’ve stored payment details. Your bank, PayPal, Amazon.

If you’re breaking into security, document it

The audit you just did is a project. Write up what you found, what you changed, and why. That’s evidence of security awareness thinking, and it’s the kind of thing that comes up in interviews. Put it on your GitHub or reference it in a blog post of your own.

More guides like this, no gatekeeping

CyberMusing exists for people building their way into security without a roadmap. Every post is written to be useful, not to impress people who already know the answer.