Day 14

Set Up Two Factor Authentication / MFA / Passkeys

 
 
Welcome back to Day 14 of my 30 Day Security Challenge!

We’ve already built strong passwords and added a password manager to your toolkit but now, we’re going to add another layer of armor: multi-factor authentication, or the newest - passkeys.

What’s up S’mores! I’m Shannon Morse, and this is the series where we make your digital life smarter, safer, and way more secure.

Today, we’re going to make sure that even if someone steals those passwords to your online accounts, they still can’t get in.

If you’re following along, make sure to subscribe so you don’t miss the next video. You can grab the full 30-Day Challenge checklist and notes over at ShannonRMorse.com.

In line with today’s topic is the sponsor of today’s video, Yubico!

They recently released their 2025 Global State of Authentication Report, and some of the stats are... honestly a wake-up call. So let’s dig in.

Why It Matters

Passwords alone just aren’t enough anymore.

Attackers phish them, steal them in breaches, or buy them on the dark web for pocket change.

According to Yubico’s 2025 survey, 62% of companies still rely mostly on usernames and passwords, even though we’ve known for years that’s the weakest link. Another 44% still depend on SMS one-time codes, which can be hijacked with SIM swapping or spoofing attacks.

Multi-factor authentication (MFA) adds a second lock (or more locks) on the door - something you have or something you are - so even if someone knows your password, they can’t get in without those extra factors.

But here’s the kicker: 40% of employees have never received cybersecurity training, and half of them use personal accounts on work devices. That’s a hacker’s dream.

So yeah, MFA isn’t optional anymore… it’s survival of the fittest.

Step 1: What Is Multi-Factor Authentication (MFA)?

You’ve probably used MFA without even realizing it.

It’s a way to confirm that you are the one logging into your account - not someone who just guessed your password.

MFA is based on two or more things:

  1. Something you know (your password)

  2. Something you have (like your phone or a hardware key)

  3. Something you are (like your fingerprint or face)

  4. Somewhere you are (your location can count as a factor, too)

A classic real-world example? Using an ATM.

Your card is something you have, and your PIN is something you know.

Online, it works the same way: you type in your username and password, then confirm with a code, app notification, or security key before logging in.

Even if a hacker steals your password, they can’t get into your account without those extra factors.

Step 2: MFA vs 2FA

MFA just means two or more layers of verification - like a mix of your password, your phone or key, and biometrics like your fingerprint or face scan. 2FA specifically means authentication that uses exactly two factors. So MFA is the broad term for all of these options, and 2FA is one type of MFA. We sometimes use 2FA and MFA interchangeably when talking about multiple factors of authentication, and honestly, I don’t care which term you use, as long as you’re adding something on top of your username and password.

For example, Clear at airports uses MFA - your ID (something you have), your boarding pass (something you know), and your fingerprint or iris scan (something you are).

You might already use MFA on websites and not even know it.

Online, it usually means you enter your password, then a temporary code or touch your security key to confirm it’s really you.

These codes, no matter how they’re generated, usually only last for 30 seconds or a minute before they expire. Because they change so quickly and are tied to something you have or are, it makes them much harder to crack.

Now that we know what it is and why it’s so important…

Step 3: Your MFA Options (Pros & Cons)

Let’s break down your choices:

SMS Text Messages - The easiest to set up, but the least secure. Attackers can hijack your phone number using SIM swapping, so avoid this if you can. These are codes sent to your phone as a text message, and the message will usually say something like “Best Buy: Here is your code to log in. 123456. Don’t share this code with anyone.” It’s good, but not the best, because an attacker could still social engineer your cellphone carrier by saying “my phone is lost, I need to activate my phone number on a new phone” and get your number transferred to a new phone. People overwhelmingly choose SMS because it’s convenient and looks secure.

And it’s not just me saying that. Yubico’s data found that 41% of people think SMS is the most secure MFA method, when it’s actually one of the weakest. Big yikes.

Authenticator Apps - Like Yubico Authenticator. These generate time-based codes that change every 30 seconds or so. They’re simple, reliable, and a lot stronger than SMS.

But they’re not perfect… 33% of users believe app-based codes are the safest, even though they can still be phished or stolen if someone gets access to your phone.

Plenty of apps exist for this, and they’re free. I like Yubico Authenticator because I can lock the app with a hardware key, so you can’t even see the codes shown in the app unless you have my key to plug into the device.

Other apps exist and can be locked with a PIN or biometrics, increasing the security of the app. These are convenient because they can be synced across devices, so you have access to your codes anywhere, but that can also increase the chances of your codes being stolen.

Push Prompts - Those “Approve Login” notifications you get on your phone or via an email. It’ll generally say “is this you?” with an Approve or Deny set of buttons. They’re convenient but prone to “MFA / notification / alert fatigue” attacks, where a hacker just keeps sending prompts until you hit “Yes” out of annoyance.

Hardware Keys - Like YubiKeys from Yubico.com. These are the gold standard.

They’re phishing resistant because they require physical possession of the key. Even if someone has your password, they can’t do anything without your hardware key.

These are physical devices you plug in or tap via NFC. They’re nearly impossible to phish. I use mine for my email and financial accounts, social media, basically anywhere and everywhere I can. Once you’ve registered a hardware key with your online accounts, it’s really easy to use. That’s because you don’t need to memorize or copy/paste a code, you don’t need your phone on you, and you don’t need to type anything in.

Plus, you can set up your accounts to authenticate with multiple hardware keys. So you could have a primary one on your keychain, but have another one that you keep at your desk at home. And since your phone apps and your desktop will generally keep you signed in until you restart, get a new device, or your device’s login is forgotten, that means you really don’t need to keep these on you 24/7. I keep one on me for traveling, but it’s very rare that I actually need to pull it out to re-authenticate on my phone unless I’m actively resetting all my logins.

Even if you just use a hardware key for your MOST CRUCIAL apps and services, but then rely on codes for the rest of ‘em, that’ll still save you from dealing with a ton of headaches if someone was able to steal a password.

Yubico’s report found that hardware keys are the most effective defense against modern phishing, but only 17% of companies actually use them, even though they stop account takeovers cold.

Meanwhile, device-bound passkeys like the ones stored on a YubiKey are only seen as “most secure” by 30% of employees, which shows how much education is still needed.

Step 4: How To Choose the Best MFA Method

Not all factors are created equal, so screenshot this chart as a reference:

Method                  | How it works               | Security level
SMS codes               | Texted to your phone       | ❌ Weak – can be SIM-swapped
Authenticator apps      | Generate time-based codes  | ✅ Strong
Push prompts            | Tap “Yes” in your auth app | ✅ Strong (but beware fatigue attacks)
Hardware keys (YubiKey) | Plug in or tap to verify   | 🔒 Strongest option

You don’t have to use the same method across the board for all of your accounts. Some websites only support one or two of these options. My method is to check over my online accounts about once a year to see if they’ve upgraded their security protocols to anything new (like passkeys). If they haven’t, I’ll just choose whichever option has the best security.

If a site still doesn’t accept hardware keys or passkeys, I’ll choose the code method, but then I’ll have those codes get generated in my Yubico Authenticator app, and I’ll lock that app with my hardware key. So really, at the end of the day I’m still protecting everything with something I own and have - a physical key.

If you can use a hardware key, do it. They’re phishing resistant and work offline.

Yubico is sponsoring this video and I’ve been using YubiKeys to protect my accounts long before I created my own youtube channel to talk about cybersecurity.

I use Yubico’s YubiKeys for everything from email to cloud storage. They’re tiny, tough, and make MFA nearly bulletproof. Grab one at Yubico.com/ for $5 off.

Better yet, now you can find a YubiKey in Best Buy! Keys are now available at Best Buy stores across the United States, and they come in this beautiful packaging. They’re the perfect size to give your friends or family as stocking stuffers, and you can send ‘em to this video to learn about why I love them so much.

I’m thrilled that YubiKeys are now on retail shelves because that brings them closer to consumers, and when it comes down to it, the people I want to protect the most in my life are not working in cybersecurity, but they are shopping at Best Buy.

Thank you to Yubico for partnering with me on this video!

Step 5: Turn On MFA for Your Key Accounts

Start with the big ones:

  • Email (Gmail, Proton Mail, Outlook)

  • Social media (X, Instagram, YouTube)

  • Banking and shopping apps

  • Your password manager itself

Here’s the scary part: Yubico found that 29% of people don’t use MFA at all on their personal email, even though that’s the key to everything else you log into.

The reasons? They don’t understand it (40%), think it’s too complicated (24%), don’t have time (22%), or believe it’s too expensive (9%).

That’s why awareness and education matter just as much as the tools themselves.

Want to know which of your accounts even have 2FA/MFA? Check out 2fa.directory : it’s a searchable list of popular sites and instructions for how to enable it. And if a company you use doesn’t offer 2FA… What did I say on the last episode? There’s nothing wrong with a little bit of public shaming and a quick tweet.

Step 6: Passkeys: The Future of Login Security

Alright, now let’s talk about passkeys, because this is the next big thing.

Passkeys replace passwords entirely: no more memorizing, no more typing, no more phishing.

Yubico found that 45% of people haven’t even heard of passkeys, and just a small number actually use them. But the U.S. is ahead of the curve: 33% of Americans who use passkeys are already using the safer, device-bound kind.

They use public-key cryptography built into your devices, so your actual credentials never leave your phone, your computer, or your physical key. The point of this public-key cryptography is to replace passwords entirely. When you log in, your device proves you’re you by signing a one-time challenge with a key pair stored locally, and that key pair is bound to the real website’s domain, so a look-alike site can’t borrow it. No password to steal, no phishing possible.

You simply confirm your identity using your fingerprint, Face ID, or PIN, and the device handles the rest. You’ve probably already seen them on Google, Apple, PayPal, and Amazon too, and might have been asked while signing in if you’d like to set up a passkey for future sign-ins. That’s because these sites have already added passkey support for sign-ins.

And for passkey storage, they’re already supported by Apple, Google, Microsoft, and major password managers like 1Password and Dashlane, and you can even add passkeys to your YubiKey (this is the safest option!). These can act as your passkey vault and do the heavy lifting for you, so all you have to do is authenticate via biometrics or a PIN whenever you sign in.

So if you ever see the option to “Sign in with a Passkey,” do it!

They’re fast, secure, and phishing-proof. You just authenticate with your fingerprint, Face ID, or PIN, and boom, you’re in.

For now, most people will still use a mix of MFA and passkeys. But this is where we’re headed.

Step 7: Backup Codes & Safety Nets

If your phone breaks or you lose your key, you don’t want to get locked out forever.

When you enable 2FA or MFA, many sites give you backup codes. Print them or write them down and keep them somewhere safe, like a fireproof box or a locked drawer.

Treat these like the spare keys to your house - you don’t want them lying around for anyone to find. Keep them secret, keep them safe.

Pro tip: register a second hardware key as a backup, that’s a pro move a lot of security folks swear by.

Also: If your MFA is app-based, make sure to export or back up your codes before switching phones.

Apps like Authy offer encrypted cloud backups and multi-device syncing, which is heckin’ convenient but not as secure. So if you want total control, choose one that stores codes locally only.

If you’re questioning this process or suspicious about how secure it actually makes your accounts, I suggest watching some of the videos I have in my hardware key playlist. This series gives you answers to a ton of common questions and has multiple walkthroughs.

If you’re finding this video helpful, a subscribe would mean a lot to me. Subscribing is a simple and free way to support creators on YouTube!

So if you’re following along with the challenge, hit that subscribe button and turn on notifications so you don’t miss tomorrow’s video. You can grab the full checklist and daily recap at ShannonRMorse.com.

BIG Patreon shoutout to my S’mores! You can join them and support my channel by going to patreon.com/shannonmorse for perks like early video access and my private Discord!

As usual, all the videos on my channel are free to watch, and I thank my YouTube members and patrons for making that possible.

2025 Update: Modern Threats & Best Practices

Yes, setting up 2FA or MFA can take a little time. But the payoff? Massive. Even if a hacker gets your password, that extra step stops them in their tracks.

This single layer of protection can block a huge percentage of automated account breaches.

So if you only do one thing from this entire challenge, even if you look at this 30 day challenge and think it’s too much - make this the one thing you do. Just make it this.

Phishing attacks have gone full AI. Yubico’s report says 76% of people are now worried about AI-powered hacking, up 18% from last year.

And for good reason: AI makes phishing emails look painfully real. In tests, only 30% of people could tell a human-written message from AI, and 34% admitted they fell for phishing because it looked like it came from someone they trusted.

Hardware keys and passkeys shut that down completely. They’re immune to AI-crafted phishing attempts because they require real-world verification: your physical key or your biometrics.

💜 Outro / Call to Action

And that’s it for Day 14!

You now know how to lock your accounts down with 2FA, understand the difference between MFA and passkeys, and have the tools to choose the setup that works best for your lifestyle.

If this episode helped you secure your logins, hit that subscribe button and ring the bell so you don’t miss tomorrow’s video.

And don’t forget to grab your YubiKey to upgrade your multi-factor authentication — because if 2025 has shown us anything, it’s that outdated logins are no match for modern threats.

For tomorrow, I’ll give you an easy day. This one was one of the most important days, so tomorrow we’ll take a bit of a breather and chat about something a little easier.

I’ll see you tomorrow for Day 15. Bye y’all!

 