Module 3 · 7 min

Passwords, MFA, Smart-ID, and secret codes

What must never be shared, even when the other person sounds convincing.

The employee distinguishes secure authentication from a situation where they are being used as an access gateway.

Threat

Stolen credentials and social engineering remain frequent paths to initial access.

What to know

  • Passwords must be unique. If one password is reused, one leak can compromise several accounts.
  • MFA is not a magic shield if you approve someone else’s sign-in or read out a code.
  • In Smart-ID and mobile authentication prompts, check the action, amount, recipient, and timing.
  • Signal, WhatsApp, email, and backup recovery keys should be treated like passwords.

Actions

  • Use a password manager, or at least unique passwords for critical accounts.
  • Never tell anyone a one-time code, PIN, Smart-ID code, or recovery key.
  • If you receive an unexpected MFA request, deny it and report it.
  • If in doubt, call a previously known number, not the number included in the message.

Manager note

Managers and finance staff need stricter controls: unique passwords, MFA, and a second-person review for payments.
