A photo of three security-related objects neatly arranged on a beige surface: a notecard with the handwritten number "7091" on the left, an antique brass clock key in the center, and a transparent card displaying a black fingerprint on the right.

Three Pillars of Authentication: What You Know, What You Have, What You Are

Image generated by ChatGPT and modified in Affinity Photo

Did you know that account takeover cases increased by 13% in 2024 compared to 2023, while financial losses from account takeover fraud reached nearly $13 billion in 2023? Despite these staggering numbers, only 38% of enterprise organizations have deployed multi-factor authentication, even though it is proven to be effective. As someone deep in the weeds of writing a cybersecurity book, I’m encountering these statistics daily.

While working on the authentication chapter of my upcoming book, I’ve been struck by how much the landscape has shifted. What seemed like ‘extra security’ just a few years ago has become absolutely essential. The hackers aren’t just getting smarter—they’re getting faster, and they’re using AI to scale their attacks like never before.

2FA Stops 99.9% of Account Hacks

The latest research paints a sobering picture. The Veriff Fraud Report 2025 reveals that account takeovers and multi-accounting surged in 2024, with cybercriminals exploiting stolen credentials. Even more concerning? 1 in 3 attacks leveraged AI-generated deepfakes or synthetic data to bypass detection.

But here’s what gives me hope: Microsoft found that enabling two-factor authentication can stop 99.9% of account hacks, and Google’s research shows that adding a recovery phone number can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks.

Why Passwords Alone Are Dead

As I dig deeper into my research, one thing becomes crystal clear: passwords alone are digital fossils. Password reuse is one of the leading reasons account takeover causes so much collateral damage, with some studies showing that up to 78% of individuals use the same password for more than one account.

Think about it—when hackers breach one service and dump millions of passwords online, they’re not just getting access to that one account. They’re betting that you’ve used that same password everywhere. And unfortunately, they’re usually right.

Not All 2FA is Created Equal

Here’s where my book research gets interesting. While any 2FA is better than none, not all methods are equal. Forrester estimates that SMS 2FA stops only 76% of attacks—significantly less effective than other methods.

Source: Why using SMS authentication for 2FA is not secure, IS Decisions.

SMS verification, while convenient, has a major flaw: SMS authentication sends 2FA codes unencrypted over text message. SMS 2FA codes can easily be compromised by man-in-the-middle attacks and SIM swapping. I’ve discovered numerous cases where criminals convinced mobile carriers to transfer victims’ phone numbers to new SIM cards, instantly bypassing SMS-based 2FA.

The Better Way: Authenticator Apps

An authenticator app is safer than SMS authentication because it generates 2FA codes locally, which prevents cybercriminals from intercepting the codes in transit as they can with SMS. These apps create time-based one-time passwords (TOTP) that refresh every 30-60 seconds, making them nearly impossible to steal and reuse.

Popular options include:

I use the authenticator feature in 1Password; it’s significantly easier than picking up your phone every time you need an authentication code.

There are many authenticators available, including many free, open-source alternatives. Just search.

Two Immediate Steps You Can Take Today

  1. Audit Your Critical Accounts: Start with email, banking, social media, and any accounts containing financial information. Enable 2FA on each of these immediately—yes, today.
  2. Ditch SMS for Apps: If you’re currently using SMS-based 2FA, switch to an authenticator app. The setup takes minutes, but the security improvement is massive (up to 99.9%).

Cybersecurity: Psychology is More Important Than Tactics

As I continue writing my book, I’m reminded daily that cybersecurity isn’t just about the tools—it’s about changing our mindset. 73% of consumers believe the brand (Amazon, Facebook, Bank of America, etc.) is accountable for account takeover attacks and responsible for protecting account credentials.

The reality is that your personal security is ultimately your responsibility.

The good news? MFA adoption significantly reduces your risk of account takeover. The same principles that protect corporate accounts work just as effectively for your personal accounts—fewer successful attacks, better protection of your private data.

2FA is No Longer ‘Optional’

Two-factor authentication isn’t optional anymore; it’s survival. As I write this book, every expert I interview says the same thing: it’s not if you’ll be targeted, but when. The question is whether you’ll be ready.

Have You Switched to 2-Factor Authentication?

Are you using 2FA on all your important accounts, or is there something holding you back? Let me know in the comments below—your insights might just make it into my book!

Website Power Tip: Find Cybersecurity Answers in Seconds

Need specific cybersecurity guidance? Use the Search Box on the top right corner of the Adventures of a Sage home page to quickly discover all those cybersecurity tips you always wanted to know about (but were afraid to ask). It’s a treasure trove of jargon-free advice!

The Sage’s Invitation

The path to digital security is a shared endeavor. Join me—share your thoughts on the cyber challenges you foresee in 2025 below. Together, we can navigate this landscape with wisdom and care to block the bad actors. Sign up for email alerts using the form below.
