Everyone likes to tell people that they need to enable MFA, or multi-factor authentication, “so you don’t get hacked”. For many users, MFA is a mandatory thing that is set up by someone like an employer, an annoyance that makes it hard for them to do the things they need to do. But in many cases, MFA can be a lifesaver.
Take a look at the graph above. That graph represents the number of times that someone has been trying to log into one of my sites since last month. On average, over the last six months, 1500 attempts were made to break into my website. None of them were successful. The sole reason for this is that I have MFA enabled on that website. At this point, I’m half convinced that the hackers have found some leaked credentials somewhere – we all make mistakes – and there’s a fair chance that it might even be the correct credentials for the website.
But their login attempts and brute forcing don’t work, because MFA is set up to only log users in when they present their MFA to the website. That is something the attackers can’t do, so they just keep trying the same username and credentials over and over again.
MFA is not a miracle cure when it comes to protecting your website. However, it is an invaluable tool for protecting the accounts associated with the website, because even if you accidentally leaked your username and password, the attacker would be kept out by your MFA implementation.
This is why you need to enable MFA everywhere. Unlike my website, many services don’t present you with a chart and a log file for every failed login attempt. People trying to steal your credentials will just keep making attempts to log in until at some point they succeed. You will likely not get notified until you try to use your credentials and notice that strange things are happening. And by then it’s too late. Don’t let that happen to you, and protect your accounts with MFA so these login attempts become just a number on a chart.