Two‑factor authentication (2FA) or a strong password: what’s more important?

Most online services now offer two‑factor authentication (2FA). And thanks to the added security layer that two‑factor authentication provides, some people no longer see the need for a strong password. But is this the right approach?

Two‑factor authentication or a strong password

Despite being a vital component in protecting your online identity and avoiding a data breach, passwords are one of the most annoying elements of digital living. And in a study conducted by Google, 75% of people said that they were frustrated by trying to keep on top of their passwords.

With the average person now having up to 100 passwords for online accounts — because of the sheer number of online services that now require a password — this frustration is understandable, and in these circumstances it’s often easy to cut corners.

Exasperated by numerous requests for new passwords, people tend to do one or both of the following: either reuse a handful of passwords (or possibly just one) across all services; or make some slight but obvious alteration to a common password (like P@sswordFB for Facebook, P@sswordIG for Instagram, and so forth), resulting in multiple, weak passwords.

Because of the password problem outlined above, many online services now require an extra layer of security, which combines your username and password with a secondary method of identification. This is known as two‑factor authentication (2FA) — also referred to as multi‑factor authentication (MFA).

Adding extra security with two‑factor authentication

Two‑factor authentication (2FA) works by adding an extra layer of security to online accounts, which goes beyond your username and password, requiring an extra login credential (such as a one‑time passcode, sent to your phone via SMS). By utilizing two forms of identification, accessed via a third‑party authenticator (TPA) or separate device, 99.9% of automated attacks are prevented (according to 2019 research from Microsoft).

Most online services nowadays offer two‑factor authentication, which increases the security of your account, said Sarogini Muniyandi, Senior Manager in F‑Secure’s Threat Protection Engineering. If the 2FA is available, do consider turning it on. With this extra layer of security, even if someone steals your password, they still only have half of the key needed to get into your account.

Does two‑factor authentication fix the password problem?

Thanks to the added security that two‑factor authentication provides, it can be tempting to think that a secure password is no longer an important component in avoiding a cyber attack. But it’s the combination of both a secure password and a secondary credential via 2FA that makes an account so difficult for cyber criminals to breach.

Both a strong password and two‑factor authentication are absolutely crucial for securing online identities, explained Laura Kankaala, F‑Secure’s Threat Intelligence Lead. A strong password means a unique password, which is not easy to guess. Easy to guess means that the password is a very clear sequence of numbers (12345678) or a word in a dictionary.

Put simply: there’s no getting around the need for a strong password. If your first line of defense is a weak password then it makes it much easier for an attacker to breach your account, as they only have one piece of information — your 2FA credential — that they need to obtain. Thankfully, though, you can create complex passwords using free tools such as F‑Secure’s strong password generator.
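The weak patterns described above (reuse, a shared base with a per-service suffix such as P@sswordFB and P@sswordIG, number sequences, dictionary words) can be checked mechanically against your own stored passwords. The following Python audit is an added example, not F‑Secure's tooling; the word list, thresholds, function names and sample vault are constructed assumptions, and the repeated-character check goes slightly beyond the cases the article names.

```python
import os
from itertools import combinations

# Constructed stand-in for a real dictionary / common-password list.
COMMON_WORDS = {"password", "letmein", "dragon", "welcome", "qwerty"}
# Undo common character substitutions so "P@ssword" compares as "password".
LEET = str.maketrans("@4301$5!7", "aaeoissit")

def normalise(pw):
    return pw.lower().translate(LEET)

def is_sequence(pw):
    """One repeated character, or digits stepping by +1/-1 (12345678, 87654321)."""
    if len(set(pw)) == 1:
        return True
    if not pw.isdigit():
        return False
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {9})

def audit(vault, min_base=6, ratio=0.6):
    """Map each service in a {service: password} dict to its sorted findings."""
    findings = {svc: set() for svc in vault}
    for svc, pw in vault.items():
        if is_sequence(pw):
            findings[svc].add("sequence")
        if normalise(pw) in COMMON_WORDS:
            findings[svc].add("dictionary word")
    for (s1, p1), (s2, p2) in combinations(vault.items(), 2):
        # os.path.commonprefix compares character by character, not by path part.
        n = len(os.path.commonprefix([normalise(p1), normalise(p2)]))
        if p1 == p2:
            tag = "reused"
        elif n >= min_base and n >= ratio * max(len(p1), len(p2)):
            tag = "variant"  # same base with a small per-service alteration
        else:
            continue
        findings[s1].add(f"{tag} (see {s2})")
        findings[s2].add(f"{tag} (see {s1})")
    return {svc: sorted(f) for svc, f in findings.items()}

# Constructed sample vault; the first two entries are the pattern quoted in the article.
SAMPLE_VAULT = {
    "facebook": "P@sswordFB", "instagram": "P@sswordIG", "email": "12345678",
    "forum": "Dr@g0n", "shop": "Dr@g0n", "bank": "vR7#kq2!Lm9zTfa",
}

if __name__ == "__main__":
    for service, found in audit(SAMPLE_VAULT).items():
        print(f"{service:10} {', '.join(found) or 'ok'}")
```

Run it only on a machine you trust, since the input is a plaintext copy of your passwords.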

The uniqueness of the password further protects our online identities. Even if we accidentally type our password in a malicious fake site, our whole online life is not compromised via a common password in the critical services that we use, Kankaala said. And multi‑factor authentication makes the complexity of the attack from a threat actor’s perspective more complex. It is not impossible to manipulate the user to give out their 2FA token, but it still makes the attacks harder to conduct at scale.

And it’s important to remember that two‑factor authentication is a preventative measure, which should be enabled wherever available. Otherwise, it may be used against you when trying to retrieve a breached account.

It is also important to enable 2FA before anything bad happens, Kankaala said. Because if threat actors get access to your account, they will definitely enable 2FA on your account to lock you out.

Could browsers and autofill be the answer?

Having established the need for strong passwords, there are a few ways to make managing them more feasible. For example, to combat the impossible task of remembering every password, many people now store credentials in their web browser, and opt to have them automatically filled in (functionality known as autofill). This has become the default way of managing passwords for many of us, with a 2022 report finding that 75% of respondents said they saved at least some of their passwords in their web browser.

This is a step in the right direction, but unfortunately cyber criminals have noticed this as well, explained Joel Latto, Threat Advisor at F‑Secure. In 2022, the infostealer malware type gained popularity among cyber criminals, and it was often used to steal login credentials stored in browsers. For example, in December 2022 alone, F‑Secure saw 23 million credentials stolen with malware such as RedLine Stealer, Raccoon Stealer and Vidar Stealer.

Even Google — which produces Chrome, the world’s most popular web browser for managing passwords — is trying to find an alternative, having introduced passkeys in May 2023, claiming that this was the beginning of the end of the password.

Passkeys are digital credentials that aim to replace passwords by adding a new layer of security that connects user accounts to websites or apps, across platforms and devices. They allow people to verify themselves with a fingerprint, a face scan, or a screen lock PIN. And even if passkeys are somehow breached, they only work on the account owner’s device.

It is very positive to see these ecosystem owners trying to address a real consumer pain and a real security risk related to creating and using passwords properly, said Timo Salmi, F‑Secure Senior Solution Marketing Manager, who has spent years working on solutions that help users secure their accounts.

However, we won’t be saying goodbye to passwords any time soon, and they will remain an important part of our online security for the immediate future. But if browsers aren’t the best and most secure way of storing them, what’s the alternative?

Managing and creating strong passwords

Modern problems require modern solutions, and this is where password managers come into play. A password manager is an application that not only generates strong and long passwords for you, but it also stores them securely. To access your vault of passwords, you only need to remember one master password. This, of course, needs to be strong and unique as well, but we’re all much better equipped to remember just one master password than a hundred of them.

With F‑Secure Total — which contains F‑Secure’s highly-rated ID Protection — your passwords are monitored, you will be alerted of breaches should they occur, and you can generate and manage strong passwords for every online account that you have.

Generate strong and unique passwords with this free tool

Combining a strong password and two‑factor authentication is crucial for securing online identities. F‑Secure’s strong password generator does the first part for you. And best of all — it’s completely free.
