Multi-Factor Authentication: The Easiest Security Win Available to Any Business

About one in three businesses I visit has MFA turned off for at least some users. Usually because someone found it inconvenient six months ago and asked IT to disable it for them, and nobody turned it back on. That decision has cost some of those businesses dearly.

Multi-factor authentication (requiring a second form of verification beyond a password when someone logs in) blocks over 99% of credential-based account compromises, according to Microsoft's published figures for the accounts it protects. It takes under an hour to configure for a team of 20. There is no good reason for a business with any IT dependency not to have it running.

Why stolen passwords are so common and so dangerous

Passwords get stolen through phishing attacks, through data breaches at third-party websites where people reused passwords, and through credential stuffing, where attackers take email/password combinations from one breach and systematically test them against business systems. The password being strong doesn't help you if someone obtained it through a phishing email last month.

MFA adds a second factor, typically a code from an app or a push notification to a phone. An attacker with your correct username and password still can't get in without also controlling your phone. For most remote attacks, that's the end of the attempt. It is not an absolute barrier, though: a phishing page that proxies the real login can relay a one-time code while it is still valid, and attackers will spam push notifications hoping a tired user taps Approve. Which method you choose (covered below) matters for that reason.

Start with email, because it's the master key to everything else

Your email account is the master key to every other account. Password resets, account verification, client communications, access to financial systems: all of it flows through email. A compromised email account causes damage far beyond the inbox.

For Microsoft 365, turning on security defaults in the Entra admin centre enforces MFA registration for every account and takes about 30 minutes including testing; Google Workspace has an equivalent 2-Step Verification enforcement setting in the admin console. Both can also be configured to skip the prompt for sign-ins from the office network, which reduces friction considerably for staff who don't move around much. In Microsoft 365 that needs a Conditional Access policy with a trusted named location (Entra ID P1, included in Business Premium) rather than security defaults, and the exemption should cover only addresses you actually control, since anyone on that network then signs in with a password alone.

After email: VPN access, remote desktop tools, and your accounting or financial systems are the next priorities.

Authenticator apps, not SMS

SMS codes are better than nothing. They're also vulnerable to SIM-swapping attacks, where someone convinces a mobile carrier to transfer your number to a SIM they control. It's not common but it happens, and the targets tend to be people with access to business finances.

Authenticator apps (Microsoft Authenticator, Google Authenticator, Authy) generate time-based codes offline (push approval needs a data connection, the six-digit code does not), aren't exposed to SIM-swapping, and the push notification experience is quick enough that most users stop noticing it within a week. Where push is used, turn on number matching (Microsoft Authenticator now requires it) so the user has to type a number shown on the login screen rather than simply tap Approve. For privileged accounts (IT administrators, finance directors, anyone with access to payment systems) hardware security keys such as YubiKey, around £40-60 each, are worth considering: the key signs the website's real origin, so a lookalike login page gets nothing it can reuse.

Turning it on without locking everyone out

The main objection is always friction. In practice it fades after the first week once it becomes habit. What doesn't fade is getting the rollout wrong: users locked out because they set up MFA on an old phone, no fallback method configured, phones getting lost or changed without anyone updating the account.

Pilot with five to ten users first. Document the recovery process before you go live: at least two registered methods per user, who is allowed to reset a factor, and how the helpdesk confirms a caller's identity before doing so (a phone call claiming "I lost my phone, please reset my MFA" is a favourite social-engineering route around the whole control). Make sure your IT support team is available for the first week after rollout. A managed rollout takes a day. The cleanup from a poorly planned one takes considerably longer.