Multi-Factor Authentication: The Easiest Security Win Available to Any Business

Multi-factor authentication — requiring a second form of verification beyond a password when someone logs in — is not new, not complicated, and not expensive. It is also, based on Microsoft's own data, effective at preventing over 99% of credential-based account compromises.

The fact that many small businesses haven't implemented it fully is one of the more frustrating realities of working in IT support.

Why Passwords Alone Aren't Enough

Passwords get stolen constantly. Phishing attacks, data breaches at third-party services (where people reuse passwords), and credential stuffing attacks all yield large volumes of username-password pairs that attackers test against business systems.

A strong password doesn't protect you on its own if it was captured through a phishing email or exposed in a breach at a service where you reused it. The protection fails at the credential level, regardless of password quality.

MFA adds a second factor — typically a code from an authenticator app or a push notification to your phone. Even if an attacker has your correct username and password, they can't complete the login without also controlling your phone. For remote attacks, this is an extremely effective barrier.

What to Protect First

If you can only do one thing, protect email. Your email account is the master key to almost every other account — password reset emails, account verification, client communications. A compromised email account causes cascading damage across your digital life.

For Microsoft 365 users, enabling MFA for all users takes about 30 minutes in the Microsoft Entra admin centre. Google Workspace users have an equivalent option. Both can be configured to require MFA for sign-ins from outside the office, with lower friction on trusted networks.

After email: VPN access, remote desktop, and financial systems are the next priorities.

Which MFA Method to Use

Authenticator apps (Microsoft Authenticator, Google Authenticator, Authy) are the best balance of security and convenience. They generate codes offline from a secret shared at enrolment, they aren't exposed to the SIM-swapping attacks that affect SMS codes, and the push notification flow is fast enough that most users don't find it disruptive.

SMS codes are better than nothing but are vulnerable to SIM-swapping and interception. If authenticator apps aren't practical, SMS is still a significant security improvement over password-only. Don't let perfect be the enemy of good here.

Hardware keys (YubiKey and similar) offer the strongest protection and are worth considering for privileged accounts — IT administrators, finance directors, executives with access to sensitive systems.

Handling Resistance

The main objection is friction — users find the extra step annoying. In my experience this objection largely disappears after the first week, once MFA becomes habit. The bigger challenge is usually the initial rollout: making sure nobody gets locked out, handling lost or replaced phones, and setting up the fallback options correctly.

Do a pilot with a small group first, document the recovery process clearly, and ensure your IT support is ready to handle login issues for the first week after rollout. That preparation makes the transition significantly smoother.

Conditional Access (The Next Step)

Once basic MFA is in place, conditional access policies let you add nuance — requiring MFA only from outside the office, blocking login from unfamiliar countries, requiring compliant devices for access to sensitive data. This is Microsoft Entra and Google Workspace territory, and it's worth exploring once the MFA baseline is in place.