You have good passwords. Long, complex, unique.
But if someone gets one, they can access your account. Not immediately, maybe not right now. But they can.
Multi-factor authentication changes that. A stolen password becomes useless.
How Most Breaches Start
Phishing email tricks someone into password. Old forum hacked with reused password. Compromised computer logs keystrokes. Vendor stores passwords poorly.
Hundred ways password leaks. Once it does, if password protects important things – email, financial, network access – someone logs in.
Might not do it immediately. Might hold it, sell it, use it for months.
Good password only barrier against casual attackers. Stolen password is key that works fine.
What MFA Does
Logging in requires something you know (password) and something you have (phone).
Someone tries login with stolen password, gets asked for second factor. Code from app. Text message. Notification.
They don’t have phone. Code doesn’t work. Login fails.
Now stolen password is just password. Doesn’t open door.
Why Insurance Asks
MFA works. Data is clear: reduces breach risk by orders of magnitude.
Firm with MFA vastly less likely to suffer breach from stolen credentials.
The Common Excuses
Annoying to users – for week, then second nature.
Only for sensitive accounts – breaches start from non-sensitive.
Tool doesn’t support – that’s gap you should document.
Locked people out – training issue, not MFA issue.
Types of MFA
Authenticator apps – most secure, hardest to intercept.
Text messages – good, SMS can theoretically intercept.
Security keys – most secure, costs money.
Push notifications – good if phone secure.
Best: authenticator for most, security key for most sensitive, text as backup.
How to Implement
Week 1: Email – master key
Week 2: Admin, password managers
Week 3: Everything in scope
Week 4: Backup codes stored, people trained
One hour per person setup, minute per login.
What Gets Easier
Once MFA everywhere, other decisions simpler. Use simpler passwords. Breached lists don’t matter. If accessed, probably right person.
When insurance renewal comes, say MFA mandatory everywhere without exceptions.
Stolen password is solved problem. MFA solved it years ago. If you don’t have it, now’s time. Users adjust, breach risk drops, insurance faster.