Password Managers, MFA and Account Recovery

Protect identity and recovery together

An account is only as secure as its sign-in, recovery routes, administrators and connected services. A strong password does not compensate for a weak reset process, an unprotected mailbox or an approval request that any user can accept.

Quick answer

Use a reputable password manager to create a unique password for each service, enable the strongest practical MFA on important accounts and document recovery before it is needed. Prioritise email, cloud administration, domain management, finance, backups and the password vault itself.

  • Applies worldwide
  • Reviewed by Attach Planet
  • Last reviewed: 16 July 2026

Protect accounts in dependency order

Recovery authorities

Email, identity platforms, telephone numbers and help desks may reset access elsewhere. Treat them as high-consequence systems.

Administrative control

Cloud, domain, DNS, website, finance, backup and security administrators can change services or conceal malicious activity.

Information and reputation

Customer records, shared drives, messaging and social accounts can expose information or impersonate the organisation.

Choose and operate a password manager

  • Fit: Confirm supported devices, browsers, accessibility, sharing, offline needs and business administration.
  • Protection: Review encryption design, account recovery, MFA options, security updates and independent evidence in scope.
  • Ownership: Use organisation-controlled accounts, named administrators and a leaver process rather than a personal vault.
  • Sharing: Share through managed vault permissions, not messages, documents or repeated passwords.
  • Recovery: Protect recovery codes and emergency access separately from the device and account they recover.
  • Adoption: Import carefully, remove unsafe copies, train users and check that high-value accounts are actually unique.

Match MFA strength to consequence

Method Practical position Important limitation
Passkey or hardware security key Prefer for high-consequence accounts where the service and user workflow support phishing-resistant authentication. Plan device loss, spare authenticators, supported platforms and offboarding.
Authenticator application code or protected push A useful improvement for many services and stronger than password-only access. Manually entered codes and careless push approvals can still be captured or relayed.
SMS or voice code Use when it is the best available option rather than leaving an important account password-only. Telephone-number takeover, interception, availability and social-engineering risks make it weaker for high-consequence use.
Email code or link May add a step where the mailbox is independently protected. It offers little separation if the same compromised mailbox controls recovery.

Design recovery before rollout

  • At least two appropriate people can recover a critical organisational service.
  • Emergency administrators are limited, monitored and not used for ordinary work.
  • Recovery codes or spare authenticators are protected offline or in a separately controlled location.
  • A lost, broken or replaced telephone does not make the organisation permanently dependent on one person.
  • Help-desk recovery requires evidence and resists urgent impersonation.
  • Leavers, extended absence and role changes are covered.
  • The recovery process is tested without weakening normal controls.
  • Sign-in and recovery alerts reach a monitored, protected channel.

Authentication guidance

NIST SP 800-63B-4 explains password, authenticator, lifecycle and phishing-resistance considerations, and recognises password managers as a way to maintain distinct passwords. CISA’s small and medium-sized business resources prioritise strong passwords and MFA. Apply the guidance to the real service, users and recovery constraints rather than treating one method as universally suitable.

Password manager, MFA and recovery FAQs

Is a password manager safer than remembering passwords?

A well-chosen and well-operated password manager can make unique credentials practical and reduce password reuse. It becomes an important system, so protect its administrators, recovery, devices and MFA and review the provider’s evidence.

Is any MFA better than no MFA?

For most password-based accounts, adding a second factor reduces common risk. The methods are not equivalent: prefer phishing-resistant options for high-consequence accounts and never treat an MFA prompt as safe merely because it appeared.

Should several people share one administrator login?

Avoid shared identities where individual accounts and roles are available. Named access improves revocation, accountability and monitoring. Use a controlled emergency route only for genuine recovery or continuity needs.

Continue your cybersecurity decision

Use the next guide that matches the exposure, control or recovery question you still need to resolve.