The rules of “basic hygiene”


Strong password vs. two-factor authentication?

Tuesday, February 17, 2026

The security of the online accounts we use every day hinges primarily on our passwords. However, there’s a growing trend towards implementing two-factor authentication (which is now required on some websites). Let’s weigh the pros and cons of using this security method…

Email, social media, online banking and shopping, government services, corporate infrastructures and applications… We’re getting increasingly dependent on information technologies in our daily lives. With so many accounts to juggle, the temptation to simplify how we manage them is strong. However, overly simplistic practices greatly increase the risk of our accounts getting compromised.

Previously in the Antivirus Times, we talked at length about the benefits of using password managers. We highlighted the advantages of these utilities, which simplify the process of keeping track of multiple passwords and help protect them. We also pointed out these programs’ shortcomings, including the distinct possibility of the master password getting compromised (the biggest risk) and potential security loopholes in specific apps. Back then, password managers appeared as a workable solution, especially in scenarios involving access to multiple infrastructures and services requiring authorization.

A year later in this publication, we provided guidelines for creating strong passwords. We came up with a method that involved analysing the online services that might require such passwords, and suggested basic rules for creating them.

Two years have passed. What’s changed?

Users are still required to enter a secret word, but the trend is obviously shifting away from fortifying password strength to relying more on two-factor authentication.

The magic of 2FA

Use a different password for each account, and make every one of them too long and complex to guess: these are the concerns that occupy IT professionals. Modern-day users choose the easier path: they forget a newly created password almost instantly and generate another convoluted character sequence whenever they need to log in again. Creating a strong password without memorising it, and simply requesting a new one at each subsequent sign-in, has become a matter of convenience on online stores, especially for accounts you don’t use very often.

Using two-factor authentication, also referred to as two-step verification or simply “2FA”, does improve account security. This protective measure prevents perpetrators from gaining unauthorised access to an account (hacking into it, to put it simply) and serves as an extra security layer that saves the day should the password get stolen. It has been implemented on many websites, including email services, social media, and even some online stores. If two-factor authentication is enabled, a user must supplement their login and password with an additional confirmation: a time-sensitive code received via SMS or email, an app-generated one-time password, a security token, or even biometrics.

Depending on the website and its settings, a confirmation may be required only at the first login, for each subsequent sign-in, or at regular intervals. Requiring a confirmation whenever a new device (a device the security system doesn't recognise) attempts to sign in with your credentials creates an essential barrier that stands in the way of attackers.

It ensures that only the legitimate account owner can use another device to sign in to their 2FA-protected account.

However, attackers can mount caller ID spoofing attacks or use malware to view SMS message contents on a compromised device. And it is mobile carriers that are solely responsible for maintaining the integrity of communications in their respective cellular networks, so relying on SMS is not entirely risk-free for businesses and individuals. Unfortunately, incidents of cellular networks being used as a medium for attacks are not uncommon. The proliferation of 5G does provide certain security improvements, but attackers still have quite a few options at their disposal for mounting attacks on carriers’ infrastructures.

App-based confirmation can be used instead of SMS messages. For example, a 2FA app is enrolled by scanning a QR code generated on the website it will authenticate for. The app can then generate TOTPs (time-based one-time passwords) and OTPs (one-time passwords). Users confirm their identity by entering these short-lived passwords, which expire in 30-60 seconds. Their time-sensitive nature effectively invalidates cybercriminals’ efforts to intercept them.

So, two-factor authentication appears to be a robust security practice.

And now that it has become the default, is there more to be done? Undoubtedly, its ability to thwart most intruders’ attempts to gain unauthorised access to accounts is a clear advantage. Should an attacker try to sign in to another person’s account, access won't just be denied, but the user will also be notified of the login attempt and will be able to change their password immediately to block any future intrusion attempts.

However, two-factor authentication is by no means the be-all and end-all of cybersecurity. In some cases, cybercriminals can circumvent it by brute-forcing verification codes. But account security can be enhanced even further by introducing additional verification steps, namely, MFA (multi-factor authentication). This method involves multiple confirmations for accessing an account from a device.
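The two points above, that app-generated codes are bound to a short time step and that verification codes can be guessed, are illustrated by the following added example, which is not code from the article or from Doctor Web: a minimal RFC 6238 TOTP generator and a server-side verifier in Python. The Base32 demo secret is a constructed value and the lockout threshold of five failed attempts is an assumption.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30          # seconds per time step (RFC 6238 default)
DIGITS = 6
MAX_FAILURES = 5   # hypothetical lockout threshold against code guessing

# Constructed Base32 secret for the demo (the kind of value a provisioning QR code carries).
DEMO_SECRET = "JBSWY3DPEHPK3PXP"


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at: float) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the 30-second time step of `at`."""
    return hotp(secret_b32, int(at // STEP))


class TotpVerifier:
    """Server side: accept a code for the current or previous step only (so a code dies
    within a minute), never accept a step twice, and lock out after repeated failures."""

    def __init__(self, secret_b32: str) -> None:
        self.secret = secret_b32
        self.failures = 0
        self.last_accepted_step = -1

    def verify(self, code: str, at: float) -> bool:
        if self.failures >= MAX_FAILURES:
            return False                      # locked: guesses are no longer evaluated
        step = int(at // STEP)
        for candidate in (step - 1, step):
            if candidate <= self.last_accepted_step:
                continue                      # replay of an already consumed code
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.failures = 0
                self.last_accepted_step = candidate
                return True
        self.failures += 1
        return False
```

The generator reproduces the RFC 6238 SHA-1 test vectors, so it can be checked against any authenticator app that accepts the same secret.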

Multi-factor authentication is gaining popularity because it offers an effective way to make protection routines more reliable. Even if an attacker manages to steal or guess the password, they will still have to overcome multiple challenges: biometrics, an SMS confirmation code and a security token. Making verification more complex significantly reduces the likelihood of a successful attack.

In addition, multi-factor authentication is effective against phishing and brute-force attacks because it involves multiple checks that aren’t easy to circumvent. Although we’re reluctant to upset our readers, we’re still compelled to mention the fact that multi-factor authentication can also be circumvented—if it hasn't been set up properly.

The Anti-virus Times recommends

  • Conduct an audit of your credentials on various sites: do you use the same password or similar passwords to access multiple accounts? How many truly unique passwords would you need to generate? If you believe that a password manager will help you improve your security and make your life easier, use it.
  • If you've installed a password manager, set an extremely strong master password. But remember that losing it will render the entire database useless.
  • Don't forget that a password on its own can't provide reliable protection. Enable two-factor authentication to keep your data safe. Take your time to ensure that your most essential online accounts have the best security possible.
  • And ensure that the auxiliary device you use to receive one-time confirmations is also well protected. Two-factor authentication facilitated by SMS is by no means failure-proof, and, therefore, it incurs considerable risks for companies seeking to keep their infrastructures secure.
  • Use a reliable, all-round antivirus solution that doesn't merely protect systems against malware and spyware, but also prevents users from visiting phishing and fraudulent sites.
