Weak algorithms (e.g. your name and and a shared secret) used to “seed” new systems are another area where two-factor authentication (TFA) can really help improve security.
Here’s a story from the San Francisco Chronicle that illustrates how things might happen now if unique and random passwords, let alone TFA, are not planned for the system launch:
“The personal information of tens of thousands of California children — including their names, state achievement test scores, identification numbers and status in gifted or special-needs programs — is open to public view through a security loophole in dozens of school districts statewide that use a popular education software system.
Teacher names and employee identification numbers are also visible to anyone logging onto the system, which is used locally by school districts including San Francisco, San Jose and Hayward.
The problem occurs when the districts issue a generic password to teachers using the system. Until the teacher changes to a unique password, anyone can type in a teacher’s user name and generic password and gain access to information about students that is supposed to be guarded as closely as the gold in Fort Knox.”