Security · 6 min read · 28 April 2026

Two-Factor Authentication for Websites: Why It's No Longer Optional

Passwords alone are no longer sufficient protection. 2FA blocks over 99% of automated account takeover attacks. Here's how to implement it across your website and admin tools.

The Password Problem

Passwords have been the primary authentication mechanism for websites since the 1960s. In 2025, they remain the weakest link in most organisations' security posture. The reasons are well-documented:

  • Credential stuffing: Attackers use lists of billions of leaked username/password pairs (from previous breaches) to automatically try logins across thousands of sites. Services like Have I Been Pwned catalogue over 12 billion compromised accounts.
  • Phishing: Convincing fake login pages harvest credentials from even security-aware users.
  • Password reuse: Despite years of advice, the majority of users reuse passwords across multiple sites.
  • Brute force: Short or common passwords can be cracked in seconds with modern hardware.

Microsoft's research found that accounts with multi-factor authentication enabled are 99.9% less likely to be compromised than those relying on passwords alone.

What Is Two-Factor Authentication?

Two-factor authentication (2FA), also called multi-factor authentication (MFA), requires users to provide two separate forms of evidence, drawn from different ones of these categories, before gaining access:

  1. Something you know — your password
  2. Something you have — a phone, hardware key, or authenticator app
  3. Something you are — biometrics (fingerprint, face ID)

True 2FA requires factors from at least two different categories. A PIN plus a password are both "something you know" — that is not 2FA.

Types of 2FA: From Weakest to Strongest

Method                          | Security level | Notes
--------------------------------|----------------|--------------------------------------------------------------------
SMS OTP                         | Low-Medium     | Vulnerable to SIM-swapping; better than nothing
Email OTP                       | Low-Medium     | Depends entirely on email account security
TOTP (authenticator apps)       | High           | Google Authenticator, Authy, 1Password — offline, phishing-resistant
Push notifications              | High           | Duo, Microsoft Authenticator — convenient but requires internet
Hardware keys (FIDO2/WebAuthn)  | Very High      | YubiKey, Google Titan — phishing-proof, gold standard
Passkeys                        | Very High      | Platform-native FIDO2 — passwordless and phishing-proof

For most UK businesses, TOTP authenticator apps strike the right balance of security and usability. SMS 2FA is significantly better than no 2FA but should be considered a stepping stone rather than a final solution.

Where to Enable 2FA Immediately

Prioritise these accounts:

  • Website hosting control panel (cPanel, Plesk, Kinsta, WP Engine)
  • Domain registrar — a hijacked domain can redirect your entire site
  • DNS provider — same risk as domain registrar
  • Email accounts — email is the master key to all other accounts
  • Cloud platforms (AWS, Google Cloud, Azure)
  • CMS admin panels (WordPress, Drupal, Magento)
  • Payment processors (Stripe, PayPal, Worldpay)
  • GitHub/GitLab — source code access means server access

Implementing 2FA on Your Website

If you are building or managing a web application that has user accounts, you should offer 2FA to your users. Implementation options:

For WordPress: Plugins like WP 2FA, Wordfence Login Security, or miniOrange provide TOTP 2FA with minimal configuration.

For custom applications: Libraries like speakeasy (Node.js) or pyotp (Python) implement TOTP. Pair with a QR code library for the setup flow.

For enterprise: Consider a dedicated identity provider (Auth0, Okta, AWS Cognito) that handles 2FA, SSO, and session management.

WebAuthn/Passkeys: The modern standard. Supported natively in all major browsers and operating systems. Completely phishing-proof because the credential is cryptographically bound to your domain.
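To make the "bound to your domain" point concrete, here is an added Python example (not code from the page, and not a complete WebAuthn implementation) of the relying-party checks that enforce that binding when a sign-in assertion comes back: the origin the browser recorded in clientDataJSON and the rpIdHash in authenticatorData must both match the site's own RP ID, and the challenge must be the one this session issued. example.com and the challenge strings are placeholders, and the two make_* helpers build test fixtures rather than real captures. Verifying the signature over authenticatorData || SHA-256(clientDataJSON) is assumed to be done by a WebAuthn library and is omitted here.

```python
import base64
import hashlib
import json
from typing import Tuple

RP_ID = "example.com"                  # assumption: the site's registered relying-party ID
EXPECTED_ORIGIN = "https://example.com"


def b64url_decode(s: str) -> bytes:
    """Browsers emit unpadded base64url; restore padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def check_assertion_binding(client_data_json_b64: str, authenticator_data: bytes,
                            expected_challenge: str) -> Tuple[bool, str]:
    """Origin / RP-ID / challenge checks from the WebAuthn assertion ceremony.

    A credential registered for example.com is useless on a look-alike domain because
    the browser writes the real origin into clientDataJSON and the authenticator hashes
    the RP ID into authenticatorData; neither can be forged by a phishing page.
    Returns (ok, reason) so the caller can log why an assertion was refused.
    """
    client_data = json.loads(b64url_decode(client_data_json_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or cross-session use)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {client_data.get('origin')!r} is not {EXPECTED_ORIGIN!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def make_client_data(origin: str, challenge: str, ceremony: str = "webauthn.get") -> str:
    """Constructed fixture shaped like the browser's clientDataJSON (base64url, unpadded)."""
    payload = json.dumps({"type": ceremony, "challenge": challenge, "origin": origin})
    return base64.urlsafe_b64encode(payload.encode()).decode().rstrip("=")


def make_authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    """Constructed fixture: rpIdHash || flags (UP|UV = 0x05) || 4-byte signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + counter.to_bytes(4, "big")


if __name__ == "__main__":
    challenge = "server-issued-challenge-placeholder"
    genuine = check_assertion_binding(make_client_data(EXPECTED_ORIGIN, challenge),
                                      make_authenticator_data(RP_ID), challenge)
    phish = check_assertion_binding(make_client_data("https://example-com.login-verify.test", challenge),
                                    make_authenticator_data(RP_ID), challenge)
    print("genuine site:", genuine)   # (True, 'ok')
    print("look-alike site:", phish)  # (False, "origin ... is not 'https://example.com'")
```

In a real phishing flow the browser on the look-alike domain would not even produce an assertion for the example.com credential, since the RP ID has to match the page's domain; the server-side checks above are the backstop that makes a relayed or tampered response fail anyway.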

UK Regulatory Context

The UK's Financial Conduct Authority (FCA) mandates Strong Customer Authentication (SCA) under the Payment Services Regulations 2017 for online payments — this is effectively mandatory 2FA for financial transactions. The ICO's guidance on UK GDPR also recommends MFA as an appropriate technical measure to protect personal data.

For businesses handling sensitive data, implementing 2FA on admin systems is increasingly considered a baseline expectation — not an optional extra.

Check Your Website's Authentication Security

WebGuard scans for exposed admin panels, default login paths, and missing security headers that affect authentication security. Run a free scan to identify authentication-related vulnerabilities on your website.
