Passwords have long been the cornerstone of digital security, serving as the primary means of verifying a user's identity. However, as cyber threats have become more sophisticated, the limitations of relying solely on passwords have become evident. As noted in a DemandSage report, 35 Password Statistics 2025 – Data Breaches & Industry Report, “In the USA alone, in 2025, there have been 18.4 billion data points leaked out of which 2.28 billion are leaks related to passwords. One of the main reasons for these leaks could be that 84% of people reuse passwords and only 34% update them monthly. This makes all of our online accounts vulnerable due to our bad password hygiene. Another worrisome stat is that “123456” remains the most-used password, with 4.5 million users, which is usually cracked in under 1 second.”
These statistics show just how exposed online accounts can be when passwords (single-factor authentication) are the sole line of defense.
The most popular single-factor credential is a password; however, there are several problems with relying on a single password to protect an account. As stated by CISA in August 2021, “Today, CISA added the use of single-factor authentication for remote or administrative access systems to our Bad Practices list of exceptionally risky cybersecurity practices. Single-factor authentication is a common low-security method of authentication. It only requires matching one factor—such as a password—to a username to gain access to a system. Although these Bad Practices should be avoided by all organizations, they are especially dangerous in organizations that support Critical Infrastructure or National Critical Functions.”
Beyond CISA’s warning, real-world evidence highlights why relying solely on passwords is inadequate. According to a 2022 report by LastPass, “89% of respondents acknowledged that using the same password or variation is a risk, but only 12% use different passwords for different accounts, and 62% always or mostly use the same password or a variation.” Furthermore, the report also revealed generational differences: 51% of Gen Z users tend to memorize their passwords, while only 38% of Boomers do the same, suggesting varying password practices but equally concerning vulnerabilities across age groups.
Even strong, complex passwords are not immune to compromise. Massive breaches at companies like Roku have shown that once passwords are leaked, attackers can easily exploit them. All it takes is one compromised password for a hacker to access sensitive personal data, corporate systems, or even critical infrastructure.
This combination of human error, poor password hygiene, and large-scale breaches makes single-factor authentication an outdated and unsafe method for securing accounts. Strengthening defenses requires going beyond passwords alone.
The consequences of inadequate authentication are evident in numerous data breaches:
Correct login credentials are only one factor in protecting your data. There needs to be another layer of credentials to keep your information secure. There are three different types of authentication:
CISA recommends that organizations “consider enforcing MFA on Internet-facing systems, such as email, remote desktop, and Virtual Private Network (VPNs).” To secure an account properly, it's best practice to require two or more types of credentials so that only authorized access is granted. This falls into two categories: two-factor authentication (2FA) or multi-factor authentication (MFA).
The main difference between 2FA and MFA is the number of credentials required to gain access to an account. 2FA requires exactly two authentication credentials, whereas MFA is the broader term for any login that requires more than one. In practice that means two or three credentials, but the only criterion to qualify as MFA is that more than one credential is required to confirm a person's identity.
One example of 2FA is withdrawing money from an ATM. A person needs two authentication credentials to confirm their identity. First, they use their bank card as a possession credential. Then they enter a PIN code as a knowledge credential. It's highly unlikely that a person would have both credentials unless they had permission to access the bank account. Therefore, this is a secure method of withdrawing money from an ATM.
When logging into an online banking account, a user first enters their username and password (something they know). After that, the bank sends a one-time passcode (OTP) to their mobile phone (something they have). To complete the login, the user may also be required to provide a fingerprint scan on their device (something they are).
In this case, the login process combines knowledge (password) + possession (OTP) + inherence (fingerprint), making it MFA.
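The server side of the login just described can be made concrete. The following is an added example, not code from the original article or from any bank or vendor it mentions: it checks a salted PBKDF2 password hash (the knowledge factor) and then an RFC 6238 time-based one-time passcode (the possession factor, modelled as an authenticator-app TOTP rather than an SMS code). The fingerprint step is performed by the device's own biometric API and is not modelled here. The `enroll`/`login` functions, the user record layout and the demo secret are assumptions of this example; the example also goes slightly beyond the text by accepting one adjacent 30-second window for clock drift and by refusing to accept the same code twice.

```python
import hashlib
import hmac
import os
import struct

# --- Knowledge factor: password stored only as a salted PBKDF2 hash ---

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    # compare_digest keeps the comparison time independent of where a mismatch occurs
    return hmac.compare_digest(hash_password(password, salt), stored_hash)

# --- Possession factor: RFC 6238 TOTP built on RFC 4226 HOTP (HMAC-SHA1) ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, RFC 4226 §5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, at // step, digits)

class TotpVerifier:
    """Accepts a code from the current or one adjacent time step, and never twice."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_counter = -1   # highest time step already consumed (replay guard)

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue         # a step at or before one already used is never re-accepted
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False

# --- Assumed user record and login flow (names are this example's, not any product's) ---

def enroll(password: str, totp_secret: bytes) -> dict:
    salt = os.urandom(16)                        # fresh random salt per user
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp": TotpVerifier(totp_secret)}

def login(user: dict, password: str, code: str, now: int):
    """Returns (granted, reason). A real service would log the reason and show
    the client one uniform failure message so it cannot tell which factor failed."""
    if not verify_password(password, user["salt"], user["pw_hash"]):
        return False, "knowledge factor failed"
    if not user["totp"].verify(code, now):
        return False, "possession factor failed"
    return True, "granted"

if __name__ == "__main__":
    # Constructed demo: the RFC 6238 reference secret, so codes can be checked against the RFC
    user = enroll("correct horse battery staple", b"12345678901234567890")
    now = 59                                     # Unix time 59 -> time step 1
    print(login(user, "correct horse battery staple", totp(user["totp"].secret, now), now))
```

The `window` tolerance is the usual trade-off between user friction (a phone clock a few seconds off) and the number of codes an attacker could guess per attempt; the replay guard matters because an OTP observed once, for example through phishing, must not remain valid for the rest of its 30-second step.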
It sounds as if MFA using all three types of authentication credential is the best way to keep your network secure. After all, there is little chance that a hacker would obtain all three credentials. However, you don't want to create an authentication process that is too slow or complicated for people to use efficiently. This can hinder workflow and frustrate employees. You'll want to find the right balance between protecting your data and accurately confirming the identity of people requesting access to accounts.
No system is 100% secure. Sophisticated attackers may still attempt SIM swapping, token theft, or phishing attacks targeting MFA codes. However, MFA greatly reduces the chances of unauthorized access compared to passwords alone.
Some users find MFA adds extra steps, but many organizations use user-friendly methods like push notifications instead of codes. The minor inconvenience is outweighed by the major security benefits.
Most MFA systems provide backup methods, such as recovery codes, email verification, or alternate trusted devices. It’s important to set these up in advance to avoid being locked out.
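Recovery codes are the backup method most often issued at enrollment, and how they are stored decides whether a database leak exposes them. The following is an added example, not code from the original article or from any MFA product: it generates a batch of random codes, shows them to the user once, keeps only their digests on the server, and redeems each code at most once. The `RecoveryCodeStore` class and the code format are assumptions of this example.

```python
import hashlib
import hmac
import secrets

def _normalize(code: str) -> str:
    # Users type codes with or without the dash and in either case; accept all of them
    return code.replace("-", "").replace(" ", "").lower()

def _digest(code: str) -> bytes:
    # Codes are 40 random bits, so a plain SHA-256 (no stretching) is enough to make
    # a leaked table useless; this is the same reasoning used for API tokens.
    return hashlib.sha256(_normalize(code).encode()).digest()

class RecoveryCodeStore:
    """Server-side record: digests only, each redeemable exactly once."""

    def __init__(self, digests):
        self._unused = set(digests)

    def remaining(self) -> int:
        return len(self._unused)

    def redeem(self, attempt: str) -> bool:
        d = _digest(attempt)
        matched = None
        for h in self._unused:
            # compare every entry, no early break, so timing does not reveal a hit
            if hmac.compare_digest(h, d):
                matched = h
        if matched is None:
            return False
        self._unused.discard(matched)      # single use: the code is gone once redeemed
        return True

def generate_recovery_codes(count: int = 8, nbytes: int = 5):
    """Returns (plaintext codes to show the user once, store holding only digests)."""
    plaintext = []
    for _ in range(count):
        raw = secrets.token_hex(nbytes)     # 10 hex characters = 40 bits of entropy
        plaintext.append(f"{raw[:5]}-{raw[5:]}")
    store = RecoveryCodeStore(_digest(c) for c in plaintext)
    return plaintext, store

if __name__ == "__main__":
    codes, store = generate_recovery_codes()
    print("Show these once and ask the user to keep them offline:", codes)
    print("redeem first code:", store.redeem(codes[0]), "remaining:", store.remaining())
    print("replay first code:", store.redeem(codes[0]))
```

Two things belong around this in a real deployment: redemption attempts must be rate-limited like any other login step, since 40 bits is short enough to guess if attempts are unlimited, and the user should be prompted to regenerate a fresh batch when only a few codes remain.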