2FA or not 2FA
A few weeks ago I received an unsolicited email from the Belgian Center for Cyber Security (CCB). It starts with the statement that 80% of cyber attacks could be avoided if 2FA was active, and then says literally: "If you only use a username and password for your remote logins, you're a sitting duck."
This is not true: a username and password are no less secure than 2FA. In a way, they are more secure. I know this is controversial, but please bear with me, and I will explain the CCB's assumptions, my assumptions, and how it all makes sense.
The CCB assumes that people can not be trusted with passwords. Over the years, the most popular passwords have been "123456" and "password", closely followed by "12345678" and "qwerty". Research has proven time and again that we use weak passwords whenever possible.
But hold on. These same people behave reasonably and optimally. Whenever they start using a new website or app, its value to them is close to zero, so it is an optimal strategy to use a weak password. More often than not, the interaction is unique or spaced so far apart in time that it makes no sense to save the password at all. When I visit a website I have not visited for years, my old password usually does not work anymore, and I have to reset it.
I have a workflow for auto-generating passwords and storing them in a password manager, but it is totally reasonable to expect other strategies for occasional users: