Two-Factor Authentication Is Not Optional Anymore: Here Is the Data — Herarx Blog

Two-Factor Authentication Is Not Optional Anymore: Here Is the Data

Accounts with multi-factor authentication enabled are 99.9% less likely to be compromised. The professional case for enabling it is now unanswerable.

May 26, 2026 (updated Jun 04, 2026)

In 2023, the UK Information Commissioner published enforcement action against twelve organisations for data breaches directly attributable to compromised credentials. In ten of those twelve cases, multi-factor authentication had not been enabled on the accounts that were accessed.

The pattern is not new. It has been consistent for the better part of a decade. Stolen or guessed passwords are still the single most common entry point for unauthorised access to professional systems — and 2FA stops the overwhelming majority of those attacks dead.

What the Data Actually Says

Microsoft published research finding that accounts with multi-factor authentication enabled are 99.9% less likely to be compromised by automated credential attacks. Google research on hardware security keys found they block 100% of automated phishing attacks in controlled testing.

These are not marginal improvements. They are categorical differences in security posture.

The "It Will Not Happen to Me" Problem

Most professionals who have not enabled 2FA are not reckless. They are busy, and they have made a reasonable-feeling bet: that their account is not interesting enough to be targeted. This reasoning has two flaws.

First, most credential attacks are not targeted. They are automated — lists of email addresses from previous breaches, run through password combinations at scale. Whether your account is interesting is irrelevant to an automated attacker.

Second, for professionals handling client data, the question is not just whether you will be attacked, but what your liability is if you are. A solicitor, investigator, or property manager whose client data is accessed because they did not enable a free security feature faces difficult questions.

What You Should Enable, in Order of Priority

  1. Authenticator app 2FA — better than SMS, free, takes two minutes to set up
  2. Hardware security key — the strongest available option; phishing-resistant by design

The Regulatory Dimension

Under GDPR, a personal data breach caused by failure to implement appropriate technical measures carries a potential fine of up to 4% of global annual turnover. For small practices that ceiling is rarely reached — but the reputational damage and mandatory client notification that follows a breach are significant regardless of the financial penalty.

2FA is free. It takes minutes to enable. It stops the vast majority of credential-based attacks. There is no professional justification for not having it on.