We’ve made a decision: multi-factor authentication (MFA) is now required for all Rewind accounts. No opt-in, no “we recommend it,” no gentle nudge. If you access Rewind, you use MFA.
We know mandatory security controls can feel like friction. But the data on credential-based attacks is impossible to ignore, and when your Rewind account protects the backups of your most critical business data, the stakes are too high to leave this optional.
Here’s why this is the right call, and what it means for you.
Passwords alone are already broken
The threat isn’t hypothetical. CyberNews reports that over 16 billion credentials have been exposed through data leaks and infostealer malware campaigns, a massive, constantly refreshed trove that attackers feed into automated credential-stuffing attacks every day. The 2025 Verizon Data Breach Investigations Report found that credential abuse remains the single most common initial access vector, with roughly 60% of breaches still involving the human element: phishing, social engineering, and errors.
If someone on your team reuses a password, falls for a phishing link, or has credentials sitting in a leaked database, that password is compromised before you know it happened.
MFA changes that equation entirely.
What MFA actually does
Multi-factor authentication requires users to present two or more verification factors to access an account. Beyond something you know (a password), MFA adds:
- Something you have — a mobile authenticator app or a physical security key
- Something you are — biometrics like fingerprints or facial recognition
Even if an attacker has your password, they can’t get in without also obtaining the second factor.
The efficacy isn’t debated. Microsoft’s analysis of millions of login attempts found that MFA blocks over 99% of account compromise attacks, even when passwords are stolen. Google’s research with NYU and UCSD found that on-device prompts blocked 100% of automated bot attacks, 99% of bulk phishing attempts, and 90% of targeted attacks, and that no account relying solely on hardware security keys fell victim to targeted phishing during the study.
That’s not a marginal improvement. That’s a fundamentally different security posture.
Why we made it mandatory — not just recommended
Rewind backups are your safety net. If your Shopify store gets corrupted, your Jira data gets wiped, your QuickBooks records are destroyed, Rewind is what you fall back on. That makes your Rewind account one of the highest-value targets an attacker could choose.
We’ve long recommended MFA and offered it as an option. But “recommended” doesn’t protect accounts where users haven’t gotten around to it yet. CISA’s position is clear: MFA should be required by default, not left to individual discretion. It’s the first commitment in the Secure by Design Pledge, which Rewind has signed.
Making MFA mandatory is us closing the gap between best practice and actual practice, for every account, every time.
MFA options: from zero effort to maximum protection
We’ve kept the setup fast and the options strong. Every Rewind account gets a baseline level of MFA automatically, with a clear upgrade path for teams that want stronger protection.
Email verification (default, nothing to configure): At login, we’ll send a verification code to your registered email address. This is active for every account automatically. No setup required. Keep in mind that an emailed code is only as strong as the mailbox it lands in, so protect that mailbox with MFA too, and treat this tier as the floor rather than the ceiling.
Time-based One-Time Passwords (TOTP): Apps like Google Authenticator or Authy generate a short-lived code from a shared secret stored on your phone, so the code never transits your inbox and a compromised mailbox doesn’t expose it. Quick to set up, works on any smartphone. One caveat: a TOTP code can still be relayed by a real-time phishing proxy that forwards it to us within its validity window, which is why hardware keys rank above it.
FIDO2/WebAuthn hardware security keys: Devices like YubiKey are the gold standard and the method that blocked 100% of automated attacks in Google’s research. They are phishing-resistant by construction: the key signs a challenge that is bound to the site’s origin, so a look-alike domain gets a signature our servers will reject. The strongest option available, and the one we recommend for admins and anyone managing multiple accounts.
What this means for your team
Starting now, every Rewind account requires MFA to log in, with no path around it.
For most users, nothing to configure: we’ll send a verification code to your email automatically at login. That’s your baseline, and it’s already active.
If you want stronger protection, such as a TOTP authenticator app or a hardware security key, the MFA setup guide walks you through it in under two minutes. We recommend it, especially for admins and anyone with access to multiple accounts.
Part of a bigger commitment
This isn’t a one-time change. Mandatory MFA is one layer of a defense-in-depth approach to protecting your data, alongside Rewind’s ISO/IEC 27001:2022 certification and the full transparency we maintain at security.rewind.com.
CISA strongly recommends MFA as a foundational security control. We agree, which is why it’s no longer a recommendation. It’s a requirement.
The bottom line
Your backups are only as secure as the account protecting them. With 16 billion+ leaked credentials in circulation and credential abuse as the leading attack vector, leaving MFA optional was a gap we weren’t willing to leave open.
MFA is mandatory now. It will stay mandatory. And your data is better protected because of it.
Dave North