Passwords have a bad reputation, but the truth is that they are still the foundation of login in most companies, and they will remain so for a long time. The problem is not that passwords are bad in themselves. The problem starts when we underestimate what a good password is worth and what can be built on top of it.
And that is a shame, because even one good, strong password is already a very sensible step forward. It does not solve everything, but it is the absolute minimum and still makes a big difference. The problem begins when a company wants to go one level higher. Because very quickly a question appears: if one password is not enough, then how much login security makes sense?
Two? Three? Five? Eight?
Or maybe it is best to immediately use a fingerprint reader, an SMS code, a push notification on the phone, an access card, and also a determined look into the camera?
It sounds impressive. It just does not always make sense.
One password is the minimum. But really the minimum
A good password still matters. A lot.
If it is long, unique, screened against lists of already-breached passwords, and does not circulate around the company in a file called “passwords_new_final_v3.xlsx”, then it already gives a significant advantage. For years, NIST (in SP 800-63B) has emphasized that a password alone is not sufficient to protect more sensitive resources, and therefore requires an additional factor at the higher assurance levels where the risk is higher.
So yes, one password is still a necessary foundation. But on its own, it is less and less often enough where customer data, email, company systems, or access to business applications are involved.
The second layer of protection does the biggest job
And here we reach the point where the real conversation about login security usually begins.
Because while one password is necessary, the second factor very often makes the biggest difference. Microsoft's own study of its customer base found that enabling MFA reduces the risk of account compromise by over 99.2%. This is the moment when we move from “we have a password” to “we already have genuinely stronger protection.”
And this is exactly why, in so many organizations, the second factor is no longer an add-on, but a standard.
But wait a moment.
What second factor?
An additional password?
An SMS code?
A push notification?
A fingerprint?
An RFID card?
Or maybe everything at once, so that the IT department can sleep peacefully and users can wonder whether it might actually be easier to return to paper-based document circulation?
More does not always mean better
In theory, you can add more layers. In practice, you need a bit of good judgment.
Because if someone has to do five things at every login, click three confirmations, retype a code, tap a card, and still remember whether this time the application is asking for a PIN, they very quickly stop thinking “how secure.” Instead, they start thinking something much less elegant, and usually direct that thought toward the IT department.
And it is hard to blame them.
Well-designed multi-factor authentication is supposed to improve security, but it cannot kill normal work. CISA and NIST point out that the strongest methods are those resistant to phishing (FIDO2/WebAuthn security keys and passkeys, or PKI-based smart cards), that SMS codes are the weakest of the common options, and that push approval should use number matching so that a user cannot simply tap “approve” on a prompt an attacker triggered. Even so, organizations should select methods according to risk, context, and the real way users work.
So it is not about adding as much as possible. It is about choosing as much as actually makes sense.
Are two factors the best answer?
Most often, yes.
Not because the world of technology has stopped at the number two. Simply because in many scenarios, two well-chosen factors provide the best balance between security and convenience. Password plus push with number matching. Password plus mobile app. Password plus card. Password plus biometrics unlocking a device that confirms the login.
This is usually the moment when security clearly increases, while the person on the other side does not yet feel like grabbing a pitchfork and marching to the IT department.
But there are also companies that go one step further. And sometimes they do it very sensibly.
Because not every login has to look the same
This is actually one of the most interesting parts of the whole puzzle.
Not every login attempt has the same level of risk. And not every one needs to be treated identically.
An example? The first login to the system may be secured more strongly. For example, with a password and additional confirmation on the phone. Then, if the user continues working in a known environment, on a trusted device, and for a defined period of time, subsequent logins may be simpler. For example, for a few hours, just the password or a less burdensome confirmation method may be enough.
This is not “letting security go.” This is an attempt to do it intelligently.
A similar approach works based on location or context. A user logging in from the company network may be treated differently than someone trying to access the system from a new location, another country, or an unusual device. In this model, it is not only about the number of methods, but about when and for whom we activate them.
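The device-, time- and location-aware policy described above, written out as a small decision function. This is an added illustration, not code from this page or from any product it mentions; the factor names, the eight-hour trust window, the “familiar location” rule and the two-day scenario are assumptions chosen for the example, and a real deployment would take these signals from its identity provider rather than from hand-built objects.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Factor labels are assumptions made for this example, not a product's identifiers.
PASSWORD = "password"
PUSH = "push_with_number_matching"   # push approval that shows a number the user must type back
FIDO2 = "fido2_security_key"         # phishing-resistant "something you have"

# Policy knob (assumed value): how long a completed second factor "carries" on one device.
TRUST_WINDOW = timedelta(hours=8)


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    on_corporate_network: bool
    sensitive_resource: bool     # e.g. HR or finance data rather than the intranet
    at: datetime


@dataclass
class UserHistory:
    # device_id -> time of the last login on that device that completed a second factor
    strong_auth_at: Dict[str, datetime] = field(default_factory=dict)
    last_country: Optional[str] = None


def required_factors(attempt: LoginAttempt, history: UserHistory) -> List[str]:
    """Decide which factors this attempt must pass, most sensitive rule first."""
    if attempt.sensitive_resource:
        # Higher-risk data always gets a phishing-resistant factor, regardless of context.
        return [PASSWORD, FIDO2]

    last_strong = history.strong_auth_at.get(attempt.device_id)
    device_known = last_strong is not None
    recently_verified = device_known and attempt.at - last_strong <= TRUST_WINDOW
    familiar_location = attempt.on_corporate_network or attempt.country == history.last_country

    if recently_verified and familiar_location:
        # Trusted device, familiar context, full MFA not long ago: the password alone will do.
        return [PASSWORD]

    # New device, stale trust, new country or off-network: step up to a second factor.
    return [PASSWORD, PUSH]


def record_success(attempt: LoginAttempt, history: UserHistory, factors: List[str]) -> None:
    """Update the user's history after a login that passed every required factor."""
    if len(factors) > 1:
        history.strong_auth_at[attempt.device_id] = attempt.at
    history.last_country = attempt.country


def walk_through() -> List[Tuple[str, List[str]]]:
    """Constructed scenario (one user, one laptop, two days); returns each decision taken."""
    t0 = datetime(2024, 5, 6, 8, 0, tzinfo=timezone.utc)

    def hours(h: int) -> datetime:
        return t0 + timedelta(hours=h)

    scenario = [
        ("08:00 new laptop, office",         LoginAttempt("alice", "laptop-1", "PL", True,  False, hours(0))),
        ("12:00 same laptop, office",        LoginAttempt("alice", "laptop-1", "PL", True,  False, hours(4))),
        ("14:00 same laptop, home wifi",     LoginAttempt("alice", "laptop-1", "PL", False, False, hours(6))),
        ("next day 08:00, office",           LoginAttempt("alice", "laptop-1", "PL", True,  False, hours(24))),
        ("next day 09:00, hotel abroad",     LoginAttempt("alice", "laptop-1", "DE", False, False, hours(25))),
        ("next day 10:00, HR system abroad", LoginAttempt("alice", "laptop-1", "DE", False, True,  hours(26))),
    ]
    history = UserHistory()
    decisions: List[Tuple[str, List[str]]] = []
    for label, attempt in scenario:
        factors = required_factors(attempt, history)
        decisions.append((label, factors))
        record_success(attempt, history, factors)   # assume the user passes each time
    return decisions


if __name__ == "__main__":
    for label, factors in walk_through():
        print(f"{label:36} -> {' + '.join(factors)}")
```

Running it shows the shape the text describes: the first login on the new laptop and the first login after the trust window has expired both demand a push, the logins in between need only the password even from home wifi (same country), the hotel abroad steps up again despite the recent push, and the sensitive system demands a security key no matter what. The rules are deliberately ordered from the most restrictive condition down, so that a later “convenience” rule can never override a stricter one.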
And what about cards, phones, and everything the company already has?
This is where things get really interesting.
Because very often an organization does not have to invent everything from scratch. Some elements already exist. Employees have phones. Often they also have RFID cards that they use to enter the building. And if the solution allows it, such cards can also be used as a login factor for a computer or application. It is worth checking what the card actually is first: some older proximity card formats can be copied with inexpensive hardware, so they add convenience but little assurance, while cards with a secure element or a certificate on board are a genuinely strong “something you have.”
This is the moment when MFA stops being an abstract project from a presentation and starts being based on something people already have in their pocket or on a lanyard.
And this is exactly why there is no single perfect answer to the question of which methods are “best.” The best methods are those that, on the one hand, genuinely improve security, and on the other hand can be implemented without creating a revolution at every desk.
All right, but how many methods can there be?
Many. Sometimes very many.
For example, OpenText Advanced Authentication, also known to many people as NetIQ Advanced Authentication, supports over 30 authentication methods. This shows how broadly the topic can be approached and how many different scenarios can be built within a single organization.
But the fact that you can use thirty does not mean that you have to.
In practice, the result is usually much more down-to-earth. A company uses what it already has. Or what it plans to have. One organization will choose phones and push notifications. Another will choose cards. A third will use more phishing-resistant methods where protection needs to be stronger. A fourth will combine several approaches, but only for selected groups of users.
And that is a very healthy approach.
The most important thing is not to have “the most”
The most important thing is for it to make sense.
A strong password is already a big step forward.
Two well-chosen factors are very often a real game changer.
A larger number of methods can also make sense, but usually only when it results from a specific need, risk level, or work scenario.
Because login security is not about making life equally difficult for everyone. It is about finding the golden mean between protection and convenience. Between risk and everyday work. Between “it has to be secure” and “people actually have to use it.”
And that is where well-structured MFA begins.
And if you want to see how to approach this in practice
At Akademia IP, we show this topic more broadly, also from the perspective of solutions and real scenarios. Because the question “how many factors?” is important, but even more important is how to choose them for the company, the users, and what the organization already has available today.
If you want to talk about your login scenario, contact us. Without any obligation, we will tell you what usually works well, what can be sensibly used, where it is really worth raising the level of security, and where it is better not to complicate users’ lives by force.