The API Guys
10 min read

Beyond the Password: Understanding 2FA, MFA, and Passkeys

Tags: Security, Authentication, MFA, 2FA, Passkeys, Best Practices

If your password was stolen today, would the attacker be able to walk straight into your email, your banking app, or your business tools? For most people, the honest answer is yes. Passwords alone have never been a robust line of defence, and in 2025 they are less reliable than ever. Data breaches, phishing attacks, and credential stuffing have made password-only security a liability rather than a safeguard.

The good news is that the tools to protect yourself and your business are more accessible than ever. Two-factor authentication, multi-factor authentication, and passkeys are no longer niche concerns for security teams - they are practical steps that anyone can take today. This post explains what each one is, how they differ, why they matter, and how to put them to use.

What Is Two-Factor Authentication (2FA)?

Two-factor authentication adds a second verification step on top of your password when you log in. The idea is straightforward: even if someone knows your password, they cannot access your account without also passing that second check. Think of it like a door with two separate locks. A thief who copies one key still cannot get in without the other.

The second factor should come from a different category to the password; two passwords are still only one kind of evidence. Security professionals group authentication factors into three categories: something you know (a password or PIN), something you have (a phone, a hardware key, or the authenticator app that generates a one-time code), and something you are (a fingerprint or face scan). Two-factor authentication combines any two of these categories.

In practice, 2FA most commonly takes one of four forms: an SMS code sent to your mobile number whenever you log in; a six-digit code generated by an authenticator app such as Google Authenticator, Microsoft Authenticator, or Authy; a push notification on your phone asking you to approve the login; or a physical hardware security key, such as a YubiKey, that you plug in or tap.

Not all of these are equal. SMS codes are the most widely supported but also the weakest. They can be intercepted via SS7 vulnerabilities in the phone network; phone numbers can be hijacked through SIM-swapping fraud, where an attacker convinces your mobile carrier to transfer your number to a SIM card they control; and, like any code you type into a web page, they can be phished. If your only 2FA method is a text message, you are in a better position than having no 2FA at all, but you should aim to upgrade.

Authenticator apps are meaningfully more secure. The app holds a secret shared with the service at setup time and derives a fresh code from it every thirty seconds, so no code is ever sent over the phone network and there is nothing for a SIM swap to capture. They are not phishing-resistant, though: a code typed into a convincing fake site can be relayed to the real one within its validity window. Push notifications add convenience but introduce their own risk: MFA fatigue attacks, where an attacker who already has your password repeatedly triggers approval requests to your phone until you accidentally or frustratedly tap "approve". If you use push-based 2FA, ensure your app requires number matching - you enter a number shown on the login screen into the app rather than simply tapping yes - so that a prompt you did not initiate cannot be approved by accident.

What Is Multi-Factor Authentication (MFA)?

Multi-factor authentication is the broader term that 2FA sits within. All 2FA is MFA, but not all MFA is 2FA. The distinction is simply the number of factors required. 2FA uses exactly two; MFA can use two, three, or more. In everyday conversation the terms are often used interchangeably, and for most individual users the practical difference is minimal. For businesses operating in regulated industries or handling sensitive data, the distinction matters more because compliance frameworks may specify the number and type of factors required.

The principle underlying both is the same: layer your authentication so that compromising one factor does not automatically compromise your account. A password breach at a third-party service is a near-daily occurrence. When you add a second or third factor, that breach becomes far less dangerous because the stolen password alone is useless to an attacker.

What Are Passkeys?

Passkeys represent a different approach entirely. Rather than adding an extra step on top of a password, passkeys replace the password altogether. They are built on WebAuthn, a W3C standard developed with the FIDO Alliance as part of FIDO2, and are now supported by Apple, Google, Microsoft, and the majority of modern browsers and operating systems.

When you create a passkey for a website or app, your device generates a pair of cryptographic keys. The public key is sent to the service and stored against your account. The private key stays on your device (or, for synced passkeys, inside your end-to-end encrypted keychain) and is never sent to the service. When you log in, the service sends a fresh random challenge, your device signs it with the private key, and the service checks the signature against the public key it holds. You authorise that signature by unlocking your device's built-in authentication - typically Face ID, Touch ID, Windows Hello, or a device PIN. The login happens in seconds, and nothing reusable travels across the internet: a captured signature is useless because the next login uses a different challenge.

This design has a significant security advantage: passkeys are inherently phishing-resistant. Each passkey is scoped to the domain (the relying party ID) it was created for, the browser will only offer it to pages on that domain, and the page's origin is included in the data your device signs, so the legitimate service can reject a signature obtained anywhere else. A fake website on a lookalike domain cannot ask for your passkey, and could not use the result if it did. SMS codes and TOTP codes, by contrast, can be captured in real time by phishing kits that relay your credentials to the real site the moment you type them.

Major platforms have moved quickly to support passkeys. Google, Apple, Microsoft, PayPal, Amazon, WhatsApp, and a growing number of banks and services now offer passkey login. Research from organisations that have deployed them at scale found a 73% reduction in login time and a 30% improvement in sign-in success rates compared to traditional MFA. Security without friction is a rare combination, and passkeys deliver it.

Passkeys can be stored on your device directly or synced across your devices via a password manager or your platform's keychain - iCloud Keychain for Apple devices, Google Password Manager, or third-party tools such as 1Password and Bitwarden. Synced passkeys are convenient but introduce a small additional risk: if someone gains access to your keychain, they gain access to your passkeys. This is why your password manager itself should be protected with the strongest available authentication.

Why This Matters More Than Ever

The scale of credential theft is difficult to overstate. Microsoft's Digital Defence Report identifies identity as the top attack vector across the threat landscape. AI-powered phishing tools have made attacks more convincing and faster to execute. In early 2025, credential stuffing attacks against Australian superannuation funds resulted in half a million Australian dollars being drained from member accounts - because those funds lacked any form of MFA. The attackers used previously breached username and password combinations and simply tried them at scale until some worked.

Closer to home, UK businesses face the same threat. The National Cyber Security Centre consistently lists weak authentication as one of the leading causes of successful cyber incidents. Regulatory frameworks including Cyber Essentials - the UK government-backed scheme - require organisations to implement MFA for remote access and cloud services. GDPR obligations around data protection also make authentication practices a compliance consideration, not just a technical one.

The cost of a breach extends well beyond any immediate financial loss. Customer trust, reputational damage, regulatory fines, and the operational disruption of recovering from an incident can far outweigh the investment in getting authentication right in the first place.

Best Practices for Personal Use

For your personal accounts, the most important step is simply to start. Enable some form of 2FA on every account that supports it, prioritising email and any account tied to financial information. Your email account deserves particular attention because it is the recovery mechanism for almost everything else - an attacker who controls your email can reset your passwords across dozens of services.

Use an authenticator app rather than SMS wherever the option exists. Google Authenticator, Microsoft Authenticator, Authy, and others are free and take minutes to set up. If a service offers passkeys, enable them - they are the most secure and often the most convenient option once set up. For your most critical accounts, a hardware security key such as a YubiKey provides the strongest available protection and costs less than most people expect.

Store your backup codes. When you enable 2FA, most services provide a set of one-time recovery codes. These exist for the scenario where you lose access to your authenticator device. Print them or save them somewhere secure and offline. Losing access to your authenticator without backup codes can lock you out of your own account permanently.

Use a password manager. Strong, unique passwords for every account, combined with 2FA, dramatically reduce your exposure. Password managers such as 1Password, Bitwarden, and others also increasingly support passkey storage, making them the natural hub for modern authentication.

Best Practices for Businesses

For businesses, MFA should be treated as a baseline control rather than an optional enhancement. Any account with access to business systems, customer data, or financial tools should require MFA as a condition of access, without exception.

Start with the accounts at highest risk: administrators, finance and payroll access, email, remote access tools, and any cloud services holding customer or business-critical data. These are the accounts attackers target first, and the compromise of a single privileged account can cascade into a full breach.

Avoid relying solely on SMS-based MFA for your workforce. While it is better than nothing, it leaves you exposed to SIM-swapping and real-time phishing attacks. Move staff to authenticator apps as a minimum, and consider hardware security keys for your most privileged users. If you use Microsoft 365 or Google Workspace, both platforms support passkeys and phishing-resistant MFA natively - there is no additional cost to enabling them.

Single sign-on (SSO) is worth considering for businesses managing multiple applications. Rather than employees maintaining separate credentials for each tool, SSO allows them to authenticate once with a single strong credential protected by MFA, and then access everything they need. This reduces the number of credentials an attacker can target and makes it easier to enforce consistent authentication policies centrally.

Plan for what happens when someone loses their authenticator device. Without a clear recovery process, employees get locked out and IT teams face pressure to bypass security controls to restore access quickly. That pressure is a social engineering opportunity. Define your recovery procedures before you need them: backup codes, secondary registered devices, or a formal identity verification process through your IT team.

Train your team. MFA fatigue attacks succeed because employees do not know they are possible. A short briefing explaining that they should never approve an authentication request they did not initiate, and that they should report unexpected prompts immediately, can prevent a serious incident. Security awareness is not a one-time exercise; it should be part of your regular operational culture.
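To make "report unexpected prompts" actionable on the detection side as well, an added example that is not from the original post: a sliding-window rule over sign-in events that flags users bombarded with push prompts and escalates when a prompt was eventually approved. The event names and the log records are constructed for the example and do not follow any identity provider's real schema; map your provider's export onto the same fields.

```javascript
// Added example, not from the original post: flag MFA-fatigue patterns in an identity
// provider's sign-in log. Event names and records are constructed for the example.
const SAMPLE_SIGNIN_LOG = [
  // j.smith: six push prompts in about six minutes from one unfamiliar address, denied
  // five times and then approved. This is the trail a fatigue attack leaves behind.
  { ts: '2025-03-04T08:00:05Z', user: 'j.smith', event: 'mfa_push_sent',     ip: '198.51.100.7' },
  { ts: '2025-03-04T08:00:30Z', user: 'j.smith', event: 'mfa_push_denied',   ip: '198.51.100.7' },
  { ts: '2025-03-04T08:01:10Z', user: 'j.smith', event: 'mfa_push_sent',     ip: '198.51.100.7' },
  { ts: '2025-03-04T08:01:35Z', user: 'j.smith', event: 'mfa_push_denied',   ip: '198.51.100.7' },
  { ts: '2025-03-04T08:02:30Z', user: 'j.smith', event: 'mfa_push_sent',     ip: '198.51.100.7' },
  { ts: '2025-03-04T08:03:00Z', user: 'j.smith', event: 'mfa_push_denied',   ip: '198.51.100.7' },
  { ts: '2025-03-04T08:03:45Z', user: 'j.smith', event: 'mfa_push_sent',     ip: '198.51.100.7' },
  { ts: '2025-03-04T08:04:10Z', user: 'j.smith', event: 'mfa_push_denied',   ip: '198.51.100.7' },
  { ts: '2025-03-04T08:05:00Z', user: 'j.smith', event: 'mfa_push_sent',     ip: '198.51.100.7' },
  { ts: '2025-03-04T08:05:20Z', user: 'j.smith', event: 'mfa_push_denied',   ip: '198.51.100.7' },
  { ts: '2025-03-04T08:06:20Z', user: 'j.smith', event: 'mfa_push_sent',     ip: '198.51.100.7' },
  { ts: '2025-03-04T08:06:50Z', user: 'j.smith', event: 'mfa_push_approved', ip: '198.51.100.7' },
  // m.khan: a second prompt after a denied first one is ordinary user behaviour.
  { ts: '2025-03-04T09:10:00Z', user: 'm.khan',  event: 'mfa_push_sent',     ip: '203.0.113.40' },
  { ts: '2025-03-04T09:10:20Z', user: 'm.khan',  event: 'mfa_push_denied',   ip: '203.0.113.40' },
  { ts: '2025-03-04T09:11:00Z', user: 'm.khan',  event: 'mfa_push_sent',     ip: '203.0.113.40' },
  { ts: '2025-03-04T09:11:15Z', user: 'm.khan',  event: 'mfa_push_approved', ip: '203.0.113.40' },
  // a.jones: one prompt, approved.
  { ts: '2025-03-04T09:30:00Z', user: 'a.jones', event: 'mfa_push_sent',     ip: '203.0.113.41' },
  { ts: '2025-03-04T09:30:12Z', user: 'a.jones', event: 'mfa_push_approved', ip: '203.0.113.41' },
];

// Report every user who received `threshold` or more push prompts inside any
// `windowMinutes` sliding window. An approval after the burst crossed the threshold
// is treated as a likely successful attack rather than an attempt. Either way the
// attacker already holds the password, because that is what triggers the prompt.
function detectMfaFatigue(log, { windowMinutes = 10, threshold = 5 } = {}) {
  const windowMs = windowMinutes * 60 * 1000;
  const byUser = new Map();
  for (const e of log) {
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push({ ...e, t: Date.parse(e.ts) });
  }
  const findings = [];
  for (const [user, events] of byUser) {
    events.sort((a, b) => a.t - b.t);
    const pushes = events.filter((e) => e.event === 'mfa_push_sent');
    let start = 0, crossedAt = null, widest = null;
    for (let end = 0; end < pushes.length; end++) {
      while (pushes[end].t - pushes[start].t > windowMs) start++; // slide the window forward
      const count = end - start + 1;
      if (count >= threshold && crossedAt === null) crossedAt = pushes[end].t;
      if (!widest || count > widest.count) widest = { count, from: pushes[start].ts, to: pushes[end].ts };
    }
    if (crossedAt === null) continue;
    const approvedAfter = events.some((e) => e.event === 'mfa_push_approved' && e.t >= crossedAt);
    findings.push({
      user, prompts: widest.count, from: widest.from, to: widest.to,
      sourceIps: [...new Set(pushes.map((p) => p.ip))],
      severity: approvedAfter ? 'high' : 'medium',
      action: approvedAfter
        ? 'treat as compromised: revoke sessions, reset password and MFA, interview the user'
        : 'password is already in attacker hands: reset it and contact the user',
    });
  }
  return findings.sort((a, b) => (a.severity === b.severity ? 0 : a.severity === 'high' ? -1 : 1));
}
```

With the defaults, only j.smith is reported, at high severity with six prompts; m.khan's retry is below the threshold. The threshold and window are deliberately parameters: tune them against a week of your own logs before alerting on them, and feed the source IPs into whatever you already use for impossible-travel or new-location checks.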

The Hierarchy of Authentication Security

To summarise the security landscape clearly: no MFA is the worst position to be in. SMS-based 2FA is better. Authenticator app TOTP codes are better still. Push notifications with number matching are comparable to TOTP: both defeat SIM swapping, neither is phishing-resistant. Hardware security keys and passkeys sit at the top as the strongest available options, offering phishing-resistant authentication that eliminates entire categories of attack.

The UK's National Cyber Security Centre and CISA in the US have both been explicit: organisations should be moving towards phishing-resistant MFA as a priority, treating passkeys and hardware security keys as the target state. The path there does not have to be immediate. Moving from no MFA to authenticator apps is a substantial improvement. Moving from authenticator apps to passkeys where services support them is the next step. Progress matters more than perfection.

Getting Started Today

The barrier to getting started has never been lower. Authenticator apps are free. Most services support them. Passkeys are built into most modern smartphones and laptops. The time investment to enable better authentication across your most critical accounts is an hour at most, and that hour could save your business from a very expensive, very disruptive incident.

If you run a business and you are unsure where your authentication posture currently stands, start by auditing what MFA methods are in use across your key systems. Identify any accounts - particularly administrative ones - that have no MFA enabled. Then work systematically to close those gaps, starting with the highest-risk accounts first.
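An added example (not code from the original post) of the audit step above, using the hierarchy from the preceding section as a scoring table: it reads an account export, works out each account's strongest and weakest registered method, and ranks the gaps with privileged accounts first. The method names, role names and the accounts are constructed; map your provider's export onto them. It also goes one step beyond the text: an account with a passkey and a TOTP fallback is rated by the fallback, because an attacker who cannot phish the passkey will simply choose "use a different method".

```javascript
// Added example, not from the original post: rank registered MFA methods and audit an
// account export for the gaps the post describes. Method names, role names and the
// account records are constructed; adapt them to your identity provider's export.
const STRENGTH = { none: 0, sms: 1, voice: 1, email: 1, totp: 2, push: 2, push_number_matching: 3, fido2: 4, passkey: 4 };
const PHISHING_RESISTANT = new Set(['fido2', 'passkey']);
const PRIVILEGED_ROLES = new Set(['global_admin', 'helpdesk_admin', 'finance', 'payroll']);

const SAMPLE_ACCOUNTS = [
  { user: 'alice@example.com',      roles: ['global_admin'],   methods: ['totp', 'passkey'] },
  { user: 'bob@example.com',        roles: ['finance'],        methods: ['sms'] },
  { user: 'carol@example.com',      roles: ['user'],           methods: [] },
  { user: 'dave@example.com',       roles: ['helpdesk_admin'], methods: ['push'] },
  { user: 'erin@example.com',       roles: ['user'],           methods: ['passkey'] },
  { user: 'svc-backup@example.com', roles: ['global_admin'],   methods: [] },
];

// An account is only as strong as the weakest method it can still fall back to.
function weakestMethod(methods) {
  if (methods.length === 0) return 'none';
  return methods.reduce((weak, m) => (STRENGTH[m] < STRENGTH[weak] ? m : weak));
}
function strongestMethod(methods) {
  if (methods.length === 0) return 'none';
  return methods.reduce((strong, m) => (STRENGTH[m] > STRENGTH[strong] ? m : strong));
}

// Priority 1: privileged account with no MFA at all.
// Priority 2: privileged account that can still sign in with a phishable method.
// Priority 3: any account with no MFA.
// Priority 4: any account whose fallback is SMS, voice or email.
function auditAccounts(accounts, privilegedRoles = PRIVILEGED_ROLES) {
  const findings = [];
  for (const acct of accounts) {
    for (const m of acct.methods) if (!(m in STRENGTH)) throw new Error(`unknown method ${m} for ${acct.user}`);
    const privileged = acct.roles.some((r) => privilegedRoles.has(r));
    const weakest = weakestMethod(acct.methods);
    const strongest = strongestMethod(acct.methods);
    let priority = null, issue = null;
    if (privileged && weakest === 'none') { priority = 1; issue = 'privileged account without MFA'; }
    else if (privileged && !PHISHING_RESISTANT.has(weakest)) { priority = 2; issue = `privileged account can fall back to a phishable method (${weakest})`; }
    else if (weakest === 'none') { priority = 3; issue = 'no MFA'; }
    else if (STRENGTH[weakest] <= 1) { priority = 4; issue = `fallback to ${weakest}`; }
    if (priority !== null) findings.push({ priority, user: acct.user, roles: acct.roles, strongest, weakest, issue });
  }
  return findings.sort((a, b) => a.priority - b.priority || a.user.localeCompare(b.user));
}
```

On the sample data the first finding is the service account with administrator rights and no MFA, and alice is reported despite having a passkey, because her TOTP fallback is still enabled. The fix for that second class of finding is a policy in the identity provider that requires a phishing-resistant method for the role, not another registration.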

Passwords are not going away entirely, but they should no longer be the only thing standing between an attacker and your business. 2FA, MFA, and passkeys exist precisely to solve this problem, and they are ready to use today.

Ready to Start Your Project?

Get in touch with our Leeds-based team to discuss your Laravel or API development needs.