Hundreds of popular websites now offer some form of multifactor authentication (MFA), which can help users protect access to accounts when their password is cracked or stolen. But people who don’t take advantage of these added safeguards may find it much harder to regain access when their account is hacked, because thieves increasingly enable the multifactor options themselves and tie the account to a device they control.
Certainly, leaving MFA disabled when it is offered is a far greater risk for people who habitually reuse or recycle passwords across multiple sites. However, any service to which you entrust sensitive data can be hacked, and enabling multifactor authentication is good protection against leaked or stolen credentials being used to plunder your account.
Moreover, many of the websites and services that support multifactor authentication are fully automated and extremely difficult to reach for help when an account is taken over. The problem is even worse if attackers can also modify and/or remove the original email address associated with the account.
Email, SMS, and app-based one-time codes are considered less robust from a security perspective, as they can be undermined by a variety of well-established attack scenarios, from SIM swapping to mobile-based malware. It therefore makes sense to secure your accounts with the strongest form of MFA available. But keep in mind that if the only added authentication options offered by a site you frequent are SMS and/or phone calls, that’s still better than relying on a password alone to protect your account.