
Multifactor Authentication – Annoying or Essential?

4 min read
Manuel Weber
Customer Strategist & Enabler

Almost every modern website today offers some form of Multifactor Authentication (MFA): whether it’s a TAN code via SMS, a time-based one-time password (TOTP) from Google Authenticator, or a digital signature as we know it from banking apps.

The goal is always the same: extra security when logging in. But why is a password alone no longer enough?

Multifactor Authentication: you should feel protected, not annoyed.

Passwords – a Deceptive Sense of Security

Many users believe that a “strong password” is enough protection. The reality looks different:

  • Data leaks: Passwords are repeatedly exposed through hacks and leaks. Even if only password hashes are stolen – modern computers can often crack them quickly.
  • Password reuse: A real risk. If a password is compromised on one service, other accounts are often endangered too. Password managers like KeePassXC or Vaultwarden help to securely manage unique passwords.

Conclusion: Passwords alone are no longer sufficient.

MFA as a Digital Door Lock

Let’s imagine login as a door:

  • Username + password are the classic key.
  • Each additional factor is another lock that must be opened – or another door or security gate you must pass through before gaining access.

This creates a multi-layered barrier against attacks – even if one key is lost.

Types of Factors

In general, authentication is divided into three classes – though modern methods increasingly blur the boundaries:

1. Something you know

  • Classic passwords or PINs: A certain minimum length should be reached before a password is considered secure. We recommend at least 16 characters with a character mix to increase password complexity.
  • Answers to security questions (although insecure and no longer recommended).

Tip: If you are still required to change your password regularly, we recommend turning that policy off. Forced regular password changes tend to reduce security. Instead, use a password manager and assign each account its own unique password; that is what actually increases security.

2. Something you have

  • Smartphone apps with TOTP (e.g., Google Authenticator)
  • Hardware tokens like YubiKeys or smartcards
  • Digital signatures, which can only be produced with the corresponding private key
  • Secure storage media (e.g., Secure Enclave, encrypted files)

3. Something you are

  • Biometric features like fingerprint, facial recognition, or iris scan

Contextual factors (additional)

  • Login only from known devices (e.g., via WireGuard)
  • Restrictions by location or time

Modern Authentication Systems

Modern systems offer a comprehensive service:

  • Employee identities, roles, group memberships, etc. can be managed centrally. Often, there are integrations with classic, widespread user management systems like LDAP.
  • Depending on the security level, additional factors can be required (step-up authentication).

Such systems are known as PAM (Privileged Access Management) or IAM (Identity and Access Management). Well-known examples include:

The range of on-premise software is limited, and larger providers usually only make solutions available to enterprises.

Practical Tips for Companies

  • Introduce password managers: Employees should never reuse the same password.
  • Enforce MFA – especially for critical systems like email, cloud services, or remote access.
  • Use hardware tokens for admin accounts.
  • Raise awareness: Employees should understand that MFA isn’t an “annoying detour,” but a lifesaver for company data.

Conclusion

Multifactor Authentication may sometimes seem inconvenient – but it is one of the most effective defenses against cyberattacks.

  • Companies that implement MFA drastically reduce their risk of compromised accounts.
  • Individuals protect their digital identities in a sustainable way.

Our tip: Start with your most important accounts and introduce MFA step by step. We’re happy to support you – from choosing the right solution to implementing it in your company.