The scenario
A self-employed Dutch consultant uses the same password for her client-portal account and her personal email. The password was leaked in a 2019 LinkedIn breach she never heard about. In 2026 an attacker takes the leaked credentials, automatically tries them against 200 SaaS providers, gets a hit on her client portal, downloads three years of invoice templates, and emails her clients new wire instructions for outstanding amounts. €91,000 moves before the third client calls her to check. The password was strong (16 characters). It just wasn't unique. Within four hours she had: enabled phishing-resistant MFA on every account, installed a password manager, and rotated 47 passwords. She wished she'd done it the day before.
How the attack works
Two layers of defence matter: the password itself, and the MFA on top of it.

**The password layer.** Most attacks against passwords are not 'guessing your password' — they are reusing passwords from prior breaches. Every dump on Have I Been Pwned (haveibeenpwned.com) is a list of credentials being mass-tested against every SaaS the attackers can think of. The fix is a password manager (Bitwarden, 1Password, etc.) generating a unique strong password per account. Length matters more than complexity — a 16-character random string is fine; 'P@ssw0rd!' is not.

**The MFA layer.** MFA adds 'something you have' to 'something you know'. But the four common MFA methods have very different security profiles.

- **SMS codes**: defeats password-only attacks but is relayable in real time by phishing kits and can be stolen via SIM-swap. Better than nothing, worse than every alternative.
- **TOTP authenticator apps (Google Authenticator, Authy)**: defeats password-only attacks, defeats SIM-swap, but is relayable in real time by reverse-proxy phishing kits like Evilginx. Still better than SMS.
- **Push notifications (Microsoft Authenticator, Duo)**: same security as TOTP, but adds MFA-fatigue vulnerability where an attacker spams prompts until you tap approve.
- **FIDO2 / passkeys**: cryptographically bound to the legitimate URL — the attacker's proxy domain doesn't match, so the protocol fails. This is the only method that defeats all the major 2026 attack patterns including AiTM, MFA fatigue, and SIM-swap.

The four attack patterns to defend against: password-only (defeated by any MFA), SIM-swap (defeated by anything except SMS), real-time relay / AiTM (defeated only by FIDO2/passkeys), MFA fatigue (defeated by FIDO2 or by removing push prompts).
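Origin binding is what separates passkeys from TOTP and SMS in the list above. The following is an added example, not code from the original page: a reduced WebAuthn assertion ceremony in Python, with constructed relying-party values (portal.example.com is hypothetical) and an HMAC stand-in for the credential's signing key, showing why an assertion relayed from a look-alike domain is refused by the browser and, even if one were produced, rejected by the server's origin check.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed values for a hypothetical relying party (not from the page).
RP_ID = "portal.example.com"
RP_ORIGIN = "https://portal.example.com"
# Stand-in for the credential key: real WebAuthn uses an ECDSA key pair and the
# RP stores only the public key; HMAC is used so this runs with stdlib only.
CREDENTIAL_KEY = b"constructed-credential-secret"
RP_ID_HASH = hashlib.sha256(RP_ID.encode()).digest()

def browser_permits(origin: str, rp_id: str) -> bool:
    """A page may only use credentials whose rpId is its own host or a parent of it."""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)

def authenticator_sign(origin: str, challenge: str) -> dict:
    """The browser writes the real origin into clientDataJSON; the page cannot alter it."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    auth_data = RP_ID_HASH + b"\x05"  # rpIdHash + flags (user present, user verified)
    # Authenticators sign authenticatorData || SHA-256(clientDataJSON)
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "signature": sig}

def verify_assertion(assertion: dict, expected_challenge: str) -> tuple[bool, str]:
    """Relying-party checks: challenge (replay), origin (relay), rpIdHash, signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if assertion["auth_data"][:32] != RP_ID_HASH:
        return False, "rpIdHash mismatch"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"

def login_attempt(origin: str, challenge: str = "constructed-challenge") -> tuple[bool, str]:
    """Run the ceremony from the origin the victim's browser is really on."""
    if not browser_permits(origin, RP_ID):
        return False, "browser refused: rpId not valid for " + origin
    return verify_assertion(authenticator_sign(origin, challenge), challenge)
```

A TOTP code has no equivalent of the origin field, which is why a reverse proxy can forward it unchanged and the server cannot tell the difference.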
What to watch for
- Any account you sign into that doesn't have MFA — enable it immediately, especially email, financial, and identity-provider accounts
- Reused passwords across accounts — a single breach compromises every account sharing that password
- SMS-based MFA on high-value accounts (bank, primary email) — upgrade to TOTP or passkeys
- Unsolicited MFA prompts on your phone — someone has your password and is trying to log in
- MFA-fatigue patterns — multiple push prompts in quick succession
What to do
- Install a password manager today — Bitwarden, 1Password, KeePassXC are good starting points. Generate a unique 16+ character password per account. The master password is the only one you need to remember.
- Enable MFA on every account that supports it — start with email and financial. Your email is the recovery channel for every other account. Protect it first.
- Upgrade SMS-based MFA to TOTP or passkeys where supported. Microsoft, Google, Apple all support passkeys in 2026. So do most banks and major SaaS providers.
- If you see an unsolicited MFA prompt: reject it, change your password from a clean device, and report. Rejection alone isn't enough — the attacker has your password and will try again.
- Check Have I Been Pwned for every email address you use. Free service: haveibeenpwned.com. Rotate any password that appears in a breach.
Defenses to deploy
Technical controls
- Phishing-resistant MFA (FIDO2/passkeys) enforced via conditional access for all employees
- Password manager rolled out as a managed company tool (Bitwarden Teams, 1Password Business)
- Continuous-access evaluation revoking sessions on risk events
- Sign-in anomaly alerting on the IdP
Policy controls
- Written policy: no reused passwords, no shared passwords, no password-in-email
- Onboarding workflow includes password-manager + MFA enrolment on day one
- Quarterly review of MFA method coverage — drive 100% phishing-resistant adoption
Training cadence
Lesson once. Reinforce with a quarterly 'is your MFA still SMS?' nudge until everyone is on passkeys.
Quick check
Five questions. Answers and rationale appear after submission.
- Q1. What is the single highest-leverage personal cyber-hygiene change you can make today?
- Q2. Why is FIDO2 / passkey MFA categorically stronger than TOTP or SMS?
- Q3. You receive an MFA push prompt at 2 AM. You are not signing in. Correct response?
- Q4. Is a 16-character random password generated by a password manager 'secure'?
- Q5. Which MFA method does NOT defend against SIM-swap attacks?
Sources & further reading
- NIST SP 800-63B — Authenticator guidance [primary]
- NCSC-NL — Wachtwoorden en MFA (Passwords and MFA) [primary]
- FIDO Alliance — Passkeys [primary]
- Have I Been Pwned [secondary]
- Krebs on Security — SIM-swap and MFA bypass case studies [secondary]