Why you are at risk
Cyber criminals are constantly looking for new attack vectors, and whatever the vector, the goal is most often to steal your identity. This in turn means that they will try to impersonate you by stealing your account credentials.
There are different ways to accomplish this, and one common way is to use phishing attacks: sending an email that impersonates a legitimate enterprise (e.g., your university, your bank, your Internet service provider or a social media site you use daily) and directs you to a spoofed website or portal. If you are fooled and enter your credentials, the cyber criminal on the other end will receive them and you won't even notice.
Most of the time they will send bulk emails or messages that do not target a single individual, which is less dangerous. But targeted attacks, known as spear phishing, are very dangerous because the cyber criminal will observe an individual's behavior, interests and habits and craft an attack based on those observations. These attacks are so sophisticated that even trained personnel will have problems detecting them.
Or the cyber criminal will use social engineering to make you install software that comes with a back door, giving them direct access to your system. Cracked or pirated software copies often come bundled with this type of malware, which is another good reason to only download from trusted sources or third parties.
As an example, if you are using a free VPN application, most of the time the owner of the VPN server will be able to harvest all your credentials and account data if the encryption mechanism is not properly engineered.
If you manage to avoid these traps, the cyber criminals will still try to guess your password, which is surprisingly easy. According to Microsoft, RDP brute-force attacks last 2-3 days on average.
The magic bullet
But luckily there is an easy and efficient way of protecting yourself from these types of attacks.
Two-factor authentication (2FA) is a form of multi-factor authentication (MFA). Technically, it is in use any time two authentication factors are required to gain access to a system or service.
Two-factor authentication adds an additional layer of security to the authentication process by making it harder for attackers to gain access to a person's devices or online accounts, because knowing the victim's password alone is not enough to pass the authentication check. Two-factor authentication has long been used to control access to sensitive systems and data, and online service providers are increasingly using 2FA to protect their users' accounts from being breached.
Instead of only entering your password to access an account, you need to enter an additional identifier from either an SMS or, more securely, from an authentication app like Google or Microsoft Authenticator. This means a cyber criminal would need to steal your password and somehow intercept your identifier from the SMS or the app.
Considering this is a free and, in most cases, easy add-on security feature, it should be mandatory for every company. It's not a magic bullet, but it provides a huge leap in account security.