Why your password is still important – even if you use multi-factor authentication

Just because you have two factor authentication doesn’t mean you can afford to be sloppy with password security.

Bob covello
Bob Covello


Multi-factor authentication is steadily becoming a more mainstream login protection mechanism, with it being adopted for use in many organizations as well as many popular websites such as Twitter, Facebook, Gmail and Amazon.

The use of multi-factor authentication or any other type of two-step verification (2SV) adds an additional layer of security to your login process. This is an excellent way to further protect your information.

In some cases, it could be surmised that the use of multi-factor authentication negates the need to use a strong password since the attackers would not have access to that secondary “something you have” vehicle that completes your login process.

Sign up to our free newsletter.
Security news, advice, and tips.

Unfortunately, the need for strong passwords is still important – even when using multi-factor authentication.

Security researcher Beau Bullock at Black Hills Information Security recently discovered a flaw in Microsoft’s Outlook Web Access and Office 365 that bypasses multi-factor authentication, enabling a full search of mailboxes with the knowledge of only a person’s username and password.

You can read the technical description of the exploit if you’re interested in more information, or watch a video demonstration.

O365 MFA Bypass Information

It should be noted that at least one product vendor has been experimenting with this flaw to enhance its penetration test and defense capabilities. The technical description includes an explanation of why the flaw cannot simply be turned off.

The important lesson here is to not fall into a mindset that using multi-factor authentication allows you to use poor passwords, or worse, reuse the same passwords on multiple sites.

The multi-factor token might change on every login, but as long as there are methods to bypass multi-factor authentication, the vigilance to have good strong and unique passwords remains. Now would be an excellent time to check out the many password manager programs that are available for your protection.

Remember that security is approached best by using a layered defense, and allowing a weakness in any of those layers just makes the job of an attacker that much easier.

Read more about two-step verification:

Bob Covello (@BobCovello) is a 20-year technology veteran and InfoSec analyst with a passion for security topics. He is also a volunteer for various organizations focused on advocating for and advising others about staying safe and secure online.

3 comments on “Why your password is still important – even if you use multi-factor authentication”

  1. Hitoshi Kokumai

    Nice article. I fully agree.

  2. Richard

    Informative article; thank you.

    However, this does depend on the website even allowing for 2SV. or even more than 12 characters (including special characters like %$%"! )

  3. furriephillips

    Given the opportunity to use actually strong passwords (banks as the worst culpritshere, IMHO), I always let LastPass generate my passwords (sometimes I add a space, just to be a BOFH), but essentially I only know my LastPass password, not any others – they're so complicated & random.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.