Passwords, MFA, Smart-ID, and secret codes
What must never be shared, even when the other person sounds convincing.
The employee can distinguish secure authentication from a situation in which they are being used as an access gateway.
Threat
Stolen credentials and social engineering remain frequent paths to initial access.
What to know
- Passwords must be unique. If one password is reused, one leak can compromise several accounts.
- MFA is not a magic shield if you approve someone else’s sign-in or read out a code.
- In Smart-ID and mobile authentication prompts, check the action, amount, recipient, and timing.
- Signal, WhatsApp, email, and backup recovery keys should be treated like passwords.
Actions
- Use a password manager, or at least unique passwords for critical accounts.
- Never tell anyone a one-time code, PIN, Smart-ID code, or recovery key.
- If you receive an unexpected MFA request, deny it and report it.
- If in doubt, call a previously known number, not the number included in the message.
Manager note
Managers and finance staff need stricter controls: unique passwords, MFA, and a second-person review for payments.