VPN with 2FA & MFA – how to lock down your accounts

A VPN encrypts your traffic; 2FA and MFA make your logins much harder to steal. Together they form a powerful security combo for everyday life.

Short answer: what setup actually protects you?

The strongest baseline today is: trusted VPN + unique passwords + 2FA or MFA on all important accounts.

A VPN alone does not stop account takeovers. That is the job of 2FA and MFA – this guide explains how to combine them properly.

Why a VPN is not enough (and where 2FA/MFA comes in)

Modern VPNs do an excellent job of encrypting your internet connection and hiding your IP address. If you are on a public hotspot, the VPN tunnel makes it far harder for anyone on the same Wi-Fi to see what you are doing.

However, when you log in somewhere, one key thing still stays the same: your account is protected by your password. If that password leaks in a data breach, is reused from another site, or you accidentally type it into a phishing page, an attacker can simply log in – even if you were connected to a VPN the whole time.

That is why every guide on what a VPN actually is and does ends with the same message: pair it with strong authentication. 2FA and MFA make your login a two-step (or multi-step) process, so a stolen password is no longer enough.

2FA vs MFA – quick definitions

When you log in using only a password, you rely on a single factor – something you know. 2FA and MFA add extra factors, such as:

  • Something you have – your phone, an authenticator app, a hardware key.
  • Something you are – fingerprint, Face ID or other biometrics.

Two-factor authentication (2FA) means logging in with exactly two different factors, for example password + code from an app.

Multi-factor authentication (MFA) is the wider term – it can be two or more factors, such as password + app + hardware key for administrator or finance accounts.

For most people, a good 2FA setup (password + authenticator app) is already a huge upgrade. For critical systems in business, full MFA with extra checks is becoming the norm.

How VPN and 2FA/MFA work together

VPN and 2FA/MFA protect different layers of your online life:

  • VPN protects the connection – it encrypts traffic between your device and the VPN server, shielding you on untrusted networks and hiding your IP address.
  • 2FA/MFA protects the account itself – even if someone gets your password, they still need your phone, hardware key or biometric approval.

Imagine logging into online banking from a hotel or café. With a VPN, your connection is encrypted, which already helps. With 2FA on top, even if somebody somehow captured or guessed your password, they would still need the code from your phone before they could touch your money.

If you also follow the basics from our guide on remote work and VPN security, you are already ahead of the vast majority of users.

Main 2FA/MFA methods – pros and cons

Not all second factors are equal. Here are the most common options and what they mean in practice.

1. SMS codes

You enter your password, then receive a text message with a one-time code.

Pros: easy to set up, works on almost any phone, widely supported by banks and services.

Cons: text messages can be intercepted or redirected (SIM-swap, malware, SS7 issues). SMS is still better than no 2FA, but treat it as a basic option, not the final destination.

2. Authenticator apps (TOTP)

Apps like Google Authenticator, Microsoft Authenticator or open-source alternatives generate codes that change every 30 seconds.

Pros: codes work offline, are much harder to intercept and can protect many accounts at once.

Cons: you must think about backup. If you lose your phone without recovery codes or a way to restore the app, getting back into your accounts can be painful.
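
How an authenticator app derives those 30-second codes, and how a service can check them, shown as an added example (not code from this page or from any of the apps named above). It implements RFC 6238 TOTP with HMAC-SHA1; the function names, the drift window and the sample secret are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30     # seconds per code: the "changes every 30 seconds" behaviour
DIGITS = 6    # code length most services use

def totp(secret_b32, at=None, digits=DIGITS):
    """RFC 6238 TOTP over HMAC-SHA1. Needs only the shared secret and a clock,
    which is why the codes work offline."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int((time.time() if at is None else at) // STEP)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, at=None, window=1, last_used_step=-1):
    """Server-side check (hypothetical helper): tolerate +/- `window` steps of
    clock drift and refuse any step already used, so a code cannot be replayed.
    Returns the matched step (store it as last_used_step) or None."""
    current = int((time.time() if at is None else at) // STEP)
    for step in range(max(0, current - window), current + window + 1):
        if step <= last_used_step:
            continue                                 # replay protection
        expected = totp(secret_b32, at=step * STEP)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return step
    return None

# Constructed sample secret: the RFC 6238 test key, Base32-encoded the way
# a setup QR code carries it.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print("code at t=59:", totp(SAMPLE_SECRET, at=59))
    print("accepted at t=89 (one step of drift):", verify(SAMPLE_SECRET, "287082", at=89))
```

The shared secret is the only thing that has to be backed up, which is what recovery codes or an authenticator export protect against losing.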

3. Push notifications

After entering your password, you get a push notification asking “Is this you?”. You confirm with one tap, sometimes with an extra biometric check.

Pros: very convenient, good for daily logins, often combined with device trust and location checks.

Cons: users can become “click-happy” and approve everything. Attackers abuse this with so-called fatigue attacks, sending many prompts until you click approve just to get rid of them.
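
On the defending side, a burst of prompts like this is easy to spot in authentication logs. The following is an added example, not taken from this page or from any vendor: the log format, event names and thresholds are hypothetical, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed thresholds; tune per environment
MAX_PROMPTS = 4

# Constructed sample events in a hypothetical "timestamp user event" format.
SAMPLE_LOG = """\
2025-03-01T09:00:05 alice push_sent
2025-03-01T09:00:09 alice push_approved
2025-03-01T23:41:02 bob push_sent
2025-03-01T23:41:40 bob push_denied
2025-03-01T23:42:11 bob push_sent
2025-03-01T23:42:55 bob push_sent
2025-03-01T23:43:30 bob push_sent
2025-03-01T23:44:02 bob push_sent
2025-03-01T23:44:10 bob push_approved
"""

def detect_push_fatigue(log_text, window=WINDOW, max_prompts=MAX_PROMPTS):
    """Flag users who received more than max_prompts push prompts inside
    `window`. Severity becomes "high" if a prompt in that burst was approved,
    because that login deserves review and possibly session revocation."""
    recent = defaultdict(deque)          # user -> timestamps of recent prompts
    alerts = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                     # skip malformed lines
        ts, user, event = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        prompts = recent[user]
        while prompts and ts - prompts[0] > window:
            prompts.popleft()            # drop prompts that left the window
        if event == "push_sent":
            prompts.append(ts)
            if len(prompts) > max_prompts:
                alert = alerts.setdefault(user, {"prompts": 0, "severity": "medium"})
                alert["prompts"] = max(alert["prompts"], len(prompts))
        elif event == "push_approved" and user in alerts and len(prompts) > max_prompts:
            alerts[user]["severity"] = "high"
    return alerts

if __name__ == "__main__":
    print(detect_push_fatigue(SAMPLE_LOG))
```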

4. Hardware security keys (FIDO2/U2F)

Small USB or NFC devices such as YubiKey that you insert or tap to confirm the login.

Pros: currently the gold standard for sensitive accounts (admin, finance, developers). They are resistant to phishing – if you are on a fake site, the key simply will not confirm the login.

Cons: you need to buy and carry them, and ideally have a spare key stored safely in case you lose the main one.

Video: how two-factor authentication actually works

The short video below (in English, from NordVPN) explains how 2FA works under the hood and why it is worth enabling on every important service you use.

If the video does not load, open it directly on YouTube: How Two-factor Authentication Works? | NordVPN.

Where 2FA/MFA is non-negotiable

Not every account is equally valuable, but some should never be left with just a password – even if you always connect through a VPN:

  • Main email inbox – whoever owns your primary email can reset passwords to almost everything else.
  • Banking and fintech – online banking, Revolut, PayPal and similar services.
  • Your VPN provider account – it controls your subscription, invoices and registered devices.
  • Work accounts – corporate VPN, SaaS dashboards, admin and cloud panels.
  • Social media and creator platforms – a hijacked Facebook, Instagram or YouTube account can destroy a brand or reputation overnight.

Combine this with monitoring for issues like DNS and IP leaks and you will dramatically lower the risk of both network-level and account-level attacks.

Common mistakes that 2FA/MFA and VPN can’t fix

Even with a VPN and strong 2FA, a few bad habits can still put you in danger:

  • Reusing the same password across many accounts – if one site leaks, attackers try the same password everywhere.
  • Saving backup codes in plain text in cloud storage or email, without encryption.
  • No backup plan for your authenticator app – new phone, but no export or recovery codes.
  • Blindly approving push prompts – you see “Is this you?” five times in a row and eventually tap “Yes” just to make it stop.
  • Ignoring security alerts from your provider about suspicious logins or password resets.

A VPN protects the tunnel and 2FA protects the login – but only you can fix unsafe behaviour. Think of these tools as armour that works best when the person wearing it is paying attention.

Step-by-step: rolling out 2FA/MFA alongside your VPN

  1. Start with a password manager. Make sure all important logins have unique, strong passwords. This prevents a single breach from cascading into many accounts.
  2. Enable 2FA on your email first. Your inbox is the master key – protect it before anything else.
  3. Turn on 2FA for your VPN provider. In the account security section, choose an authenticator app or hardware key over SMS whenever possible.
  4. Secure online banking and payment apps. Many already use strong multi-step verification; check whether you can switch from SMS to app-based approvals.
  5. Harden your work accounts. Ask your IT team about MFA on remote access, VPN gateways and SaaS tools used for finance or sensitive data.
  6. Create and safely store backup options. Write down recovery codes or export your authenticator data and keep it in a secure place (for example inside the password manager’s secure notes).

Once this is done, your daily routine barely changes: you open your VPN, connect, log in with your password and confirm with a second factor. Yet the difficulty of compromising your accounts jumps by orders of magnitude.

VPN + 2FA/MFA: small effort, huge security gain

Setting up 2FA or MFA on your key services takes an evening at most. In return, it protects your money, work and identity from some of the most common attacks on the internet today.

Put it together with a reliable VPN and you have a strong, modern baseline for personal security in 2025.

FAQ: VPN and 2FA/MFA

Do I still need 2FA if I use a strong password and a VPN?
Yes. Strong passwords and a VPN are essential, but they do not stop database leaks or phishing. 2FA and MFA make sure that a password on its own is not enough to get into your accounts.

Does 2FA slow down logging into my VPN?
Only slightly – adding a few seconds to enter a code or tap a notification. The security benefit is huge compared with the tiny extra effort.

If I enable 2FA everywhere, can I skip using a VPN?
No. 2FA protects the account level, not the contents of your internet traffic. Without a VPN your connection can still be inspected on public Wi-Fi and your IP address remains exposed.

Which 2FA method should I choose for my VPN provider account?
The ideal choice is an authenticator app or, even better, a FIDO2 hardware key. Use SMS only when there is no other option available.

About the author

Denys Shchur is the creator of VPN World. He focuses on clear, practical security advice: VPN setups that actually work, Wi-Fi hardening and protecting everyday accounts against takeover.