A few days ago, my wife received an email from a rather large airline. And there’s a good chance you, or someone you know, has received a similar email. It usually sounds something like this:
"We've been hacked… so that also means that you’ve been hacked. Because we were negligent (we take no legal responsibility, by the way), hackers now have all your private, personal, information. We are sorry. But we’re probably not gonna do much to stop this in the future. Okay Bye!"
Of course, my wife was rather upset by this. But she also knew this was my bag. So she texted me: "What do I do now?" Yes. What do you do when you know all your info is in the hands of a nefarious actor?
So what do you do? Call your congressperson and complain? Call a lawyer and sue? Cry?
It's a huge question, and one that, really, we shouldn’t have to answer. It really shouldn’t be up to us to deal with this. It should be on the companies to secure your data so hackers don't get it.
So what do you do? Call your congressperson and complain? Call a lawyer and sue? Cry? These are all legitimate reactions, so yes. Do all of them. But, when you’re done, there is a very simple, yet effective, step you can take to help keep yourself safe now that your info is all over the dark web.
It takes a bit of time and effort, but it's worth it: Just put MFA everywhere. For the love of God please.
To help her (and you) with this, I compiled a list of the top 100 most popular services used and how to find your MFA settings for every single one of them. Find the services you use, and implement MFA ASAP.
It's a boring statistic that most people don't pay attention to but adding multifactor authentication MASSIVELY reduces your risk. It makes account takeovers 96% less likely to happen. It makes it harder but passkeys are going to make things a little easier.
A secondary recommendation is to have Gemini or another AI, search your email and give you a summary list of the all services that you use. From there you can ensure that you have MFA set up everywhere. I know… This takes some work. But again, not that much considering the consequences.
So here are over 100 services that most everyone uses and how to enable MFA on your accounts. Below the table you find a nice glossary that explains exactly what each type of MFA is and does. Enjoy!
Top 100+ Services with MFA Settings
If you can't find your service here, there is a fantastic crowdsourced directory called https://2fa.directory/us/
And finally here is a simple glossary of all the different types of Multifactor Authentication you can use on your accounts.
Glossary:
MFA - The most important thing in this article! This stands for Multi-Factor Authentication and is used to provide extra protection to online accounts. This is often considered a secondary factor after using a password to protect an account.
SMS Code - The service will send you a text message with a 6 digit code or link that you can click to verify it's actually you accessing the service. This is secure because it's difficult to guess a 6 digit code and it's difficult to spoof a cellphone via sms number (but unfortunately not THAT difficult).
Email Code - The service will send you an email with a 6 digit code or a "magic link" that will allow you to login. This is secure because as long as you keep your email safe the login link is secure.
Authenticator App - This is actually one of the most secure ways to add Multi-factor protection. The app will generate a 6 digit code that typically changes every 30 seconds. Your application needs to be in sync with the service you are trying to log into. This is also called TOTP.
TOTP Code - This is the same as the above. There are many different Authenticator apps but most of them support Time-Based One Time Passwords.
App Verification or App Push Notification - This is also a very secure way to do MFA. This mode usually occurs by the service sending a notification to your phone within the app they control. Thus they know if you receive and confirm the push that it is in fact you trying to access the service.
Passkey - A passkey is a newer very cool way to create a handshake between your browser and your device. A service can send you a passkey link or when you try to go to a website the website will ask the browser to ask your device to ask you (phew) to identify yourself to the device. This often happens with TouchID or FaceID or a pin or other biometric method.
WebAuthn - This is another term for passkeys but also relates to FIDO keys. See below.
Fido Key - This is a hardware device that often connects via USB or another mechanism that can generate a secure token on your behalf. It is similar to a passkey in that it will connected with your device which in turn connects to the service you are trying to access.
Voice call - Sometimes services will support calling a phone number and delivering you a 6 digit code that you can say or enter into the login portal when you are trying to access a service.
All told, there are plenty of ways to secure accounts, but not all are equal. If you want to cut through the noise, we recommend TOTP and Passkeys as they are the most secure. SMS and email are fallback options.
MFA, though, is only the first line of defense. For individuals, it can mean the difference between a breach and a block. For organizations, it has to scale across help desks, PSAs, and chat platforms where attackers are most aggressive. At the organizational level, the same protections have to be enforced inside the systems where work actually happens. Traceless provides that layer by making sure security checks and safe exchanges are built into everyday workflows. In practice, that means:
- Identity verification directly inside tickets and chats
- Secure file transfers of up to 200GB
- Ephemeral messaging so sensitive data never lingers in logs
- MFA push notifications triggered right from help desks and PSAs
- Password resets with automatic audit trails created in the system of record
- SOC 2 certification for compliance assurance
- A setup process that takes less than 10 minutes, with integrations for the tools you already use
- A free, unlimited 30-day trial, then simple month-to-month billing with no contract
So yes, MFA everywhere. Start with the list, check your accounts, and build the habit. And if you run an organization, extend the same discipline into your daily workflows with systems that make identity checks and secure exchanges unavoidable.
If your organization handles sensitive approvals or system access, those interactions are now prime targets for AI-driven impersonation. Traceless integrates with your existing tools in under 10 minutes, adding identity verification and ephemeral messaging that make these attacks significantly harder to pull off. Book a demo to see how it works.