If you accept that passwords will eventually leak — and the breach data says they will — then the only sane design is one where a leaked password isn't enough to get in. That's what multi-factor authentication (MFA) delivers: it decouples 'knows the password' from 'is the user.'
Not all MFA is equal
- SMS codes. Better than nothing, but vulnerable to SIM-swapping and interception.
- Authenticator apps (TOTP). A solid baseline for most accounts.
- Push approvals. Convenient, but watch for MFA-fatigue attacks where users approve out of annoyance.
- Hardware keys & passkeys. Phishing-resistant by design — the gold standard for privileged access.
Where to start
Roll out MFA in order of blast radius. Email and identity-provider accounts first (they can reset everything else), then VPN and cloud admin consoles, then everything that touches customer data. Privileged accounts deserve phishing-resistant factors, not just any second factor.
MFA is a safety net, not a force field
MFA dramatically raises the cost of a leaked password, but it doesn't make leaks harmless. Attackers still phish one-time codes, and a reused password is a signal that the user's hygiene needs attention. Pair MFA with leaked-credential monitoring so you both block the easy path and learn which accounts to harden next.
The combination is what works: monitoring tells you a credential is exposed; MFA buys you the time to rotate it before it's abused.
Leicbit Team
Cybersecurity experts dedicated to protecting organizations from credential theft and data breaches.