Do I need Two-Factor-Authentication (2FA)?

September 28, 2025
Chances are you do. Any human-made obstacle can be overcome by a human; it just takes time and effort. There is a race between the development of security measures and the hackers who want to get past them. The hackers are often close to succeeding (or have already succeeded), and that pushes the development of new security measures. With 2FA you can leave most hackers far behind in this race.

What is 2FA?

2FA (Two-Factor Authentication) is the most common form of multifactor authentication (MFA): a way of proving who you are with two independent factors. When you log in to your online banking account, for example, you first provide something you know, such as your password, and then something you have, such as a token that generates a one-time password or an authenticator app on your phone in which you approve the login.

Are traditional passwords not enough?

In the early days of passwords, simple choices like "password01" or "hello123" were common; a short list of the most common passwords was enough to get into about 10% of all password-protected websites. Hackers could easily gain access to private and organisational websites this way. The race between hackers and security measures had begun, and it led to demands for more complex passwords: lower and upper case letters, digits and special characters. Hackers rose to the challenge, and the new contest was between users creating complex passwords and hackers developing smarter brute-force methods: automated ways of trying candidate passwords until one succeeds, first from dictionaries of common choices and then, if needed, every possible combination. Growing computing power made these attacks faster. On top of that, data breaches that leaked usernames and passwords gave hackers a head start: a leaked password can simply be replayed against other services (credential stuffing) without any guessing at all.

On average, the passwords of every resident in the world have been leaked multiple times.1 Nobody wants to, or can, remember 30 or more different complex passwords and change them regularly. The predictable result is simple passwords reused across services, unless you switch to a password manager, which generates and stores a long random password per site, so that a leak at one service does not open the door to the others.
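The "not (yet) leaked" check a password manager performs can also be done by hand without sending the password anywhere, using the k-anonymity range API of Have I Been Pwned (the site cited in the footnote): only the first five hex characters of the password's SHA-1 hash are sent, the service returns every hash suffix it knows for that prefix, and the match is made locally. The Python below is an added example, not code from this post or from Have I Been Pwned; the range response it uses is constructed (with made-up counts) so that it runs offline, and the live fetch helper is included for reference but not called.

```python
import hashlib
import urllib.request

# Constructed stand-in for the API's answer to range 5BAA6 (SHA-1("password")
# starts with 5BAA6). A real answer holds several hundred SUFFIX:COUNT lines;
# the counts here are made up for the example.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "00ABCDEF0123456789ABCDEF0123456789A:1\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\n"
        "1E4C9B9DEADBEEF00000000000000000000:3\n"
    )
}


def sha1_prefix_suffix(password: str):
    """Pwned Passwords is queried by the first 5 hex characters of
    SHA-1(password); the remaining 35 never leave your machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_live(prefix: str) -> str:
    """Real lookup: GET https://api.pwnedpasswords.com/range/<prefix>.
    Not used by the offline demonstration below."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_constructed(prefix: str) -> str:
    """Offline replacement for fetch_range_live backed by the constructed data."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def breach_count(password: str, fetch_range=fetch_range_constructed) -> int:
    """How many times the password appears in the breach corpus (0 = not seen).
    Only the prefix is handed to fetch_range; the suffix comparison is local."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "xQ7#vL9!pZ2mB4rT"):
        print(pw, "->", breach_count(pw))
```

To check against the real corpus, pass `fetch_range_live` as the second argument; a count above zero means the password has appeared in a breach and should be retired even if it is long and complex.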

But I'm not a target, am I?

You might think: I am not a target, because I am not interesting. Unfortunately, that is wrong. Hackers do not necessarily look for a specific, interesting victim. Instead they run automated tools that scan and attack whatever they find. If you run your own servers, for example, you will probably see thousands of random login attempts every day. Without a good password policy it is only a matter of time before you are hacked, regardless of who you are. Once in, the hackers can send phishing emails or text messages from your account, or their automated software simply harvests any further login details it finds.
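What those thousands of daily attempts look like, and how to spot them, as an added illustration that is not code from this post: a small parser for OpenSSH authentication log lines that counts failed logins per source address and flags any address that kept trying and then got in. The log lines are constructed for the example, and the threshold of five failures is an assumption to tune to your own traffic.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in OpenSSH's syslog format; not from a real server.
# 203.0.113.7 sprays several accounts and finally gets in as root;
# 198.51.100.23 is a user who mistyped once and then logged in with a key.
SAMPLE_AUTH_LOG = """\
Sep 28 03:14:01 web1 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Sep 28 03:14:03 web1 sshd[2313]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Sep 28 03:14:05 web1 sshd[2315]: Failed password for root from 203.0.113.7 port 51041 ssh2
Sep 28 03:14:06 web1 sshd[2317]: Failed password for invalid user test from 203.0.113.7 port 51052 ssh2
Sep 28 03:14:08 web1 sshd[2319]: Failed password for invalid user ubuntu from 203.0.113.7 port 51060 ssh2
Sep 28 03:14:09 web1 sshd[2321]: Failed password for root from 203.0.113.7 port 51071 ssh2
Sep 28 03:14:11 web1 sshd[2323]: Accepted password for root from 203.0.113.7 port 51080 ssh2
Sep 28 08:02:17 web1 sshd[4102]: Failed password for alice from 198.51.100.23 port 40122 ssh2
Sep 28 08:02:40 web1 sshd[4104]: Accepted publickey for alice from 198.51.100.23 port 40130 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_log(text: str):
    """Turn sshd lines into dicts (ts, result, method, user, ip); other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_bruteforce(events, threshold: int = 5):
    """Report source IPs with at least `threshold` failed logins. For each, record
    how many distinct user names were tried (many names = spraying) and whether
    the same IP later logged in successfully, which is the case that needs
    immediate attention."""
    failures = Counter()
    tried_users = defaultdict(set)
    successes = defaultdict(set)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]] += 1
            tried_users[e["ip"]].add(e["user"])
        else:
            successes[e["ip"]].add(e["user"])
    findings = {}
    for ip, n in failures.items():
        if n >= threshold:
            findings[ip] = {
                "failures": n,
                "distinct_users": len(tried_users[ip]),
                "followed_by_success": sorted(successes.get(ip, ())),
            }
    return findings


if __name__ == "__main__":
    for ip, info in find_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

The interesting signal is not the failures themselves, which any internet-facing server collects all day, but a run of failures from one address followed by an "Accepted" line for the same address: that is a password that has just been guessed or replayed, and exactly the login a second factor would have stopped.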

Why 2FA came into play

If a password has been obtained through a brute-force attempt or a data breach, there should be an extra layer of security: a second authentication factor, namely the what-you-have factor. This was the starting point for thinking beyond the traditional password as the only security layer.

As early as 1986, the Dutch bank ING sent its customers sheets of "TAN codes" (transaction authentication numbers): a printed list that only the recipient holds, the what-you-have factor. To authenticate a transaction you entered the next unused code from the list as the second factor. The means of proving what you have have developed since then:

• hardware tokens that automatically generate one-time passwords, typically a new six-digit code every 30 seconds;

• apps linked to your mobile phone that generate such codes or let you confirm/approve a login or transaction with a tap;

• hardware keys that keep a private key and its certificate in tamper-resistant storage, such as smartcards or, for example, YubiKeys. When you plug one into your computer it verifies the PIN you enter and then uses the stored key to sign the login; the key itself never leaves the device.

Is 2FA a stronger security measure?

You might think that a hacker who can get past your password will also get past the second factor. But the second factor is of a different nature: it is something you physically have with you, and no automated tool can guess it or pull it from a breach dump. To defeat the second factor a hacker has to target you personally, which takes time, resources and planning. For most people the outcome is simply not worth that effort, unless you boast about your cryptocurrency fortune, are a very important person, or are of interest to intelligence services. The second factor must therefore be seen as a very effective way to minimise the risk of being hacked.

However, there is one caveat. 2FA itself is a strong measure, but weaknesses can arise in how a particular factor is delivered, enrolled or used. For example:

• The classic TAN-code letter sent by regular post could be stolen in transit, for instance by a dishonest postal worker, and used to pass the second factor.

• 2FA via SMS, where you receive a code by text message at login, is exposed to "SIM swapping": the hacker convinces or bribes your telecom provider to move your phone number to a SIM card they control, and the codes then arrive on their phone.

• One-time codes that you type into a website can be phished: a fake login page asks for your password and your code and relays both to the real site within the seconds the code is valid. Only factors that are bound to the genuine site, such as FIDO2/WebAuthn hardware keys, resist this.

Therefore, it is important to surround 2FA with strong enrolment and recovery procedures, for example:

• first-time login, and enrolment of the second factor, in person at the office;

• confirmation via a previously verified email address;

• proof of identity, such as an ID card, before a factor is reset or replaced;

• a waiting (freeze) period before a new or replacement factor becomes active, so the rightful owner has time to notice and object.

While 2FA is not a perfect security measure (no such thing exists), it raises your security level considerably. Compare it with fire safety in a building: fire extinguishers are not the only measure but one of several layers, and if one layer fails the next still protects you. Think of 2FA as one of the strongest of those layers. Organisations that switched 2FA off have been breached through nothing more than stolen passwords, and the damage to the organisation and its clients can mount quickly.

Does 2FA affect Data Protection?

If someone gains unauthorised access to your environment and it holds personal data, you are dealing with a personal data breach that must be handled swiftly under the GDPR: in most cases the supervisory authority has to be notified within 72 hours, and the affected individuals must be informed as well where the risk to them is high. 2FA is therefore not an isolated information security topic; it directly affects your privacy and data protection compliance. Applying 2FA materially lowers the likelihood of such breaches.

Stronger together

This blog has been written by a privacy expert from Privacy Company and a security expert from PuraSec. Since April 2025, Privacy Company and PuraSec have joined forces to support organisations in a pragmatic way with compliance in information security and data protection. Please feel free to contact us if you need any assistance.

1. Against a world population of 8.2 billion, https://haveibeenpwned.com/ holds 15 billion breached account records from 896 leaks. The real number of leaked passwords is far higher, because not every leak is registered by Have I Been Pwned.

Mateus
Consultant