How to actually lock down your accounts before someone else does it for you.
Somewhere right now, a credential stuffing bot is testing your old password against 50 different platforms. It's not dramatic — it's just Tuesday. Account breaches have become so routine that most engineers have either been affected, know someone who has, or are currently being targeted without knowing it.
| Stat | Figure |
|---|---|
| Breaches involving stolen or weak passwords | 81% |
| Credentials available on dark web markets | 15B+ |
| Automated attacks blocked by MFA | 99.9% |
Passwords were designed for a simpler time — when your threat model was your nosy sibling, not automated bots running millions of attempts per second. A strong password is still a baseline requirement, but it has never been sufficient on its own. If your account security strategy is "use a long password," you're bringing a padlock to a lock-picking competition.
What Is Multi-Factor Authentication (MFA)?
Multi-Factor Authentication — or MFA, also commonly called 2FA (Two-Factor Authentication) — is the practice of requiring more than one form of verification before granting access to an account. The core idea is simple: even if an attacker steals your password, they still cannot log in without the second factor.
Think of it like your bank vault: knowing the combination gets you to the door, but you still need the physical key. One without the other is useless.
Authentication factors are generally grouped into three categories:
- Something you know — your password
- Something you have — a phone or hardware token
- Something you are — biometrics (fingerprint, face)
MFA combines at least two of these, dramatically raising the bar for attackers.
Common MFA Methods, Ranked from "Fine" to "Actually Great"
SMS Codes
Better than nothing — but vulnerable to SIM-swapping attacks. Use it if it's all that's available, but don't stop there.
Authenticator Apps (TOTP)
Apps like Google Authenticator, Authy, or 1Password generate time-based one-time codes every 30 seconds. The shared secret stays on your device and each code is generated locally rather than delivered over a network, so there is nothing in transit to intercept.
Passkeys
The new gold standard. Passkeys use public-key cryptography tied to your device — no shared secret, no phishable code. You authenticate with Face ID, a fingerprint, or a PIN. The private key never leaves your device, so even a breach of the server exposes only the public key.
Hardware Security Keys (FIDO2/WebAuthn)
Physical devices like YubiKey. Near-impossible to phish. The standard recommendation for high-value accounts and threat-conscious engineers.
Why Authenticator Apps Are the Practical Sweet Spot
For most engineers and teams, authenticator apps hit the right balance. They're free, work offline, aren't tied to your phone number, and integrate with almost every platform. If you're not already using one, the setup takes about two minutes — significantly less time than recovering a compromised account.
When you enable MFA via an authenticator app, the service gives you a QR code encoding a shared secret. Your app uses that secret, combined with the current timestamp, to generate a 6-digit code that rotates every 30 seconds. Even if someone intercepts a code, it expires almost immediately. It's not perfect, but it renders the vast majority of credential-based attacks useless.
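The rotation described above is RFC 6238 TOTP layered on RFC 4226 HOTP: the QR code carries an `otpauth://` URI with a base32 secret, the app HMACs the current 30-second step number with that secret, and the server recomputes the same value. The following is an added illustration written for this post, not code from PipeOps or from any authenticator app; it uses only the Python standard library, the constructed provisioning URI and the published RFC 6238 test secret, and it shows the server-side verification detail the paragraph glosses over (a small clock-drift window, a constant-time compare, and rejection of an already-used code).

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth_uri(uri):
    """Parse an otpauth://totp/... URI (the text a provisioning QR code encodes).

    Returns (label, secret_bytes, digits, period). Only the fields this
    example needs are handled; 'algorithm' is assumed to be SHA1.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    params = parse_qs(parsed.query)
    secret_b32 = params["secret"][0].upper()
    # Base32 secrets are usually shown without '=' padding; restore it.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    secret = base64.b32decode(secret_b32)
    digits = int(params.get("digits", ["6"])[0])
    period = int(params.get("period", ["30"])[0])
    return unquote(parsed.path.lstrip("/")), secret, digits, period


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, period=30, digits=6):
    """RFC 6238: HOTP with the counter set to floor(unix_time / period)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // period, digits)


class TotpVerifier:
    """Server-side check with a +/-window step tolerance and replay rejection.

    A code is accepted at most once: after a step is consumed, that step and
    every earlier one are refused, so a code captured in the current window
    cannot be replayed by a second party.
    """

    def __init__(self, secret, period=30, digits=6, window=1):
        self.secret = secret
        self.period = period
        self.digits = digits
        self.window = window
        self.last_step = -1  # highest time step already used for a login

    def verify(self, code, at=None):
        if at is None:
            at = time.time()
        step = int(at) // self.period
        for delta in range(-self.window, self.window + 1):
            candidate = step + delta
            if candidate <= self.last_step:
                continue  # already consumed (or older than a consumed step)
            expected = hotp(self.secret, candidate, self.digits)
            # Constant-time compare avoids leaking how many leading digits matched.
            if hmac.compare_digest(expected, code):
                self.last_step = candidate
                return True
        return False


# Constructed provisioning URI. The secret is the RFC 6238 test secret
# (ASCII "12345678901234567890") so the outputs can be checked against the RFC.
EXAMPLE_URI = (
    "otpauth://totp/ExampleService:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleService&digits=6&period=30"
)


def demo():
    """Enrol from the URI, generate a code, verify it once, and refuse the replay."""
    label, secret, digits, period = parse_otpauth_uri(EXAMPLE_URI)
    verifier = TotpVerifier(secret, period=period, digits=digits)
    now = 59  # fixed timestamp from the RFC 6238 test table
    code = totp(secret, at=now, period=period, digits=digits)
    first = verifier.verify(code, at=now)
    replay = verifier.verify(code, at=now)
    return label, code, first, replay


if __name__ == "__main__":
    print(demo())
```

The window of one step on each side is what lets a phone whose clock is a few seconds off still log in; widening it further only lengthens the time an intercepted code stays usable. The `last_step` bookkeeping is the cheapest way to close the window on a code that was already used, which the paragraph's "expires almost immediately" assumes but a naive implementation does not guarantee.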
PipeOps Has This Covered — Go Enable It Now
If you're using PipeOps to manage your deployments and infrastructure, your account security is worth taking seriously. Production environments, server access, and team permissions are high-value targets. The good news: the platform ships with the security features you actually need, and they're one click away.
| Feature | Status |
|---|---|
| Multi-Factor Authentication (MFA) | Available |
| Passkeys (passwordless sign-in) | Available |
| OAuth via GitHub, GitLab, Bitbucket, Google | Available |
Head to your Profile page, and scroll down to the Security section. MFA is listed as "Disabled" by default — which is honestly a choice, but not a good one. Hit "Enable," scan the QR code with your authenticator app, and you're done. While you're there, consider setting up a passkey — it removes the password from the equation entirely, and the "Sign in without a password" option is already wired up on the login screen.
Your servers don't take vacations. Attackers certainly don't. Spending two minutes now to enable MFA is a far better use of your time than explaining to your team why the deployment pipeline was compromised at 2am on a Friday.
Account security isn't glamorous. It's also not optional.