The number of logins that have been part of a hack, and the tools available to crack passwords, have reached the point where a password, no matter how complex it is, isn’t really enough:
“If the service provider supports multi-factor authentication, Microsoft recommends using it, regardless if it’s something as simple as SMS-based one-time passwords, or advanced biometrics solutions.
“Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA,” said Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft.”
I know there are folks out there who will tell you SMS-based MFA can be hacked, and other MFA tools could be hacked, but it’s so much better than not using one that you should really ignore all of that and do it anyway. It decreases your odds of being hacked enough to be worthwhile.