The obstacle with Multi-Factor Authentication (MFA) is also its strength: inconvenience. Luckily, MFA has evolved to the point that it’s practically available for any entry point. Due to high-profile security breaches and the real threat of ransomware, MFA is at the forefront of stopping these cold.

WordPress is an effective example because adding a simple plug-in like Two-Factor makes it easy for a user to self-register their YubiKey or another device. When the user logs on with their password, a prompt appears which asks for the second factor.
Other web apps, like Nextcloud starting with version 13, have their own MFA mechanism included natively, and it just needs to be enabled. The complexity with this type of software is that your phone may be legitimately fetching data every hour, like getting email or calendar updates, and it doesn’t make sense to re-authenticate throughout the day. The solution is to issue an ‘app password’ from inside your user security settings, where a one-time complex password is issued specifically for that application. You enter it into the app when setting up the connection and that’s it!
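The app-password idea described above, sketched as an added example (not code from this post or from Nextcloud): each app gets its own random secret that is shown once, stored only as a hash, accepted without a second-factor prompt, and revocable on its own. The class and method names are hypothetical, and an in-memory dict stands in for a real database.

```python
import hashlib
import secrets


class AppPasswordStore:
    """Hypothetical store for per-application passwords (illustration only)."""

    def __init__(self):
        # sha256(app password) -> (user, label); the plaintext is never kept
        self._by_hash = {}

    @staticmethod
    def _digest(token):
        # The secret is 256 bits of randomness, so a plain hash is enough;
        # a slow password KDF is only needed for human-chosen passwords.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, label):
        """Create the password for one app or device; display it to the user once."""
        token = secrets.token_urlsafe(32)
        self._by_hash[self._digest(token)] = (user, label)
        return token

    def authenticate(self, user, token):
        """Return the app label if the password is valid for this user, else None.

        No second-factor prompt happens here: the password itself was issued
        from a session that had already passed MFA.
        """
        record = self._by_hash.get(self._digest(token))
        if record is None or record[0] != user:
            return None
        return record[1]

    def revoke(self, user, label):
        """Cut off one app without touching the main password or other apps."""
        doomed = [h for h, rec in self._by_hash.items() if rec == (user, label)]
        for h in doomed:
            del self._by_hash[h]
        return bool(doomed)


if __name__ == "__main__":
    store = AppPasswordStore()
    phone = store.issue("alice", "phone-calendar")    # constructed sample data
    laptop = store.issue("alice", "laptop-sync")
    print(store.authenticate("alice", phone))         # label of the phone app
    store.revoke("alice", "phone-calendar")           # phone lost or replaced
    print(store.authenticate("alice", phone), store.authenticate("alice", laptop))
```

Because every app has its own entry, a lost phone is handled by revoking that one label while the interactive login keeps its password and second factor.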

Background on MFA
Even in the early days, security researchers identified the risk of a password-only approach, even before that became common with Internet-exposed data. Smart Cards (security token devices) were issued to government and corporations with deep pockets and dedicated security teams. The premise of Multi-Factor Authentication is that you supplement (not replace) a regular password (first factor, something you know) with a device that you carry with you (second factor, something you have). A quick note: using your cell phone as the second factor is not the most secure option when it relies on phone calls or SMS text messages, because they can be spoofed during a targeted attack.