Passwords alone no longer provide adequate protection for business accounts. Data breaches expose hundreds of millions of credentials every year. Phishing attacks harvest them directly. Password reuse means one compromised account becomes many. Multi-factor authentication (MFA) addresses all of these problems at once, and enabling it is one of the highest-impact security actions available to any business.
What MFA Is
Multi-factor authentication requires users to provide two or more forms of verification when logging in. The factors are typically categorised as:
- Something you know — a password or PIN
- Something you have — a phone, a hardware token, or a smartcard
- Something you are — a fingerprint or face recognition
MFA combines at least two of these. The most common implementation for business accounts is a password (something you know) plus a code from an authenticator app or SMS (something you have).
The security benefit is straightforward: even if an attacker obtains your password (through a data breach, phishing, or guessing), they can’t log in without also having access to the second factor. This has saved me a number of times. I remember receiving a LinkedIn prompt a few years back when I hadn’t been logging in, and I changed that password right away.
Types of MFA
Authenticator Apps
An app on your phone generates a time-based six-digit code (TOTP — Time-based One-Time Password) that changes every 30 seconds. When you log in, you enter your password and then the current code from the app.
Common authenticator apps include Microsoft Authenticator, Google Authenticator, and Authy. Microsoft Authenticator also supports push notifications — instead of typing a code, you receive a prompt on your phone to approve or deny the login attempt.
Authenticator apps are the recommended MFA method for most business accounts. They’re more secure than SMS, and because a TOTP code is computed on the device from a shared secret and the current time, the codes work without a phone signal or data connection (push approvals, by contrast, do need connectivity).
SMS Codes
A one-time code sent to your phone via text message. You enter the code alongside your password.
SMS MFA is better than no MFA, but it’s the weakest of the common methods. SIM swapping attacks, where an attacker convinces a mobile carrier to transfer your number to their device, can intercept SMS codes. For most SMEs this is a lower-risk threat than account takeover via compromised passwords, so SMS MFA is still worthwhile as a fallback. Where possible, prefer an authenticator app.
Hardware Tokens
A physical device (such as a YubiKey) that generates codes or, more usefully, performs cryptographic authentication over FIDO2/WebAuthn. The latter is resistant to phishing because the key signs a challenge bound to the genuine site’s origin, so a lookalike phishing page cannot obtain a response that works against the real one. Hardware tokens are highly secure, but they have a cost per device and require management when staff join or leave.
For high-value accounts — privileged IT administrators, finance staff with access to payment systems — hardware tokens are worth considering. For general staff accounts, authenticator apps strike a better balance.
Push Notifications
Some platforms send a push notification to the Microsoft Authenticator or similar app rather than requiring a code to be typed. You see a prompt asking if you’re trying to log in from a specific location and approve it with a tap.
Be aware of MFA fatigue attacks — where an attacker with a stolen password repeatedly sends push notification requests hoping the user will approve one out of frustration or confusion. Modern implementations address this with number matching (you must enter a number displayed on the login screen into the app) or additional context. Enable these features where available.
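An added example, not from the original article, of the detection side of this: a small Python scan over sign-in events that flags a user who received a burst of push prompts they denied or ignored, and records whether a successful sign-in followed the burst, which is the trace a fatigue attack that eventually succeeded leaves behind. The event records and their field names are constructed for the example; map them onto whatever your identity provider actually logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

FAILED_PUSH = {"mfa_denied", "mfa_timeout"}

# Constructed sample sign-in events (field names are assumptions for this example, not a real IdP schema).
# bob receives six push prompts in three minutes, denies or ignores them, and then one is approved.
EVENTS = [
    {"user": "alice@example.com", "time": "2024-03-01T08:59:10Z", "result": "success",     "ip": "203.0.113.5"},
    {"user": "bob@example.com",   "time": "2024-03-01T09:00:02Z", "result": "mfa_denied",  "ip": "198.51.100.7"},
    {"user": "bob@example.com",   "time": "2024-03-01T09:00:31Z", "result": "mfa_timeout", "ip": "198.51.100.7"},
    {"user": "bob@example.com",   "time": "2024-03-01T09:01:05Z", "result": "mfa_denied",  "ip": "198.51.100.7"},
    {"user": "bob@example.com",   "time": "2024-03-01T09:01:44Z", "result": "mfa_denied",  "ip": "198.51.100.7"},
    {"user": "bob@example.com",   "time": "2024-03-01T09:02:20Z", "result": "mfa_timeout", "ip": "198.51.100.7"},
    {"user": "bob@example.com",   "time": "2024-03-01T09:03:01Z", "result": "mfa_denied",  "ip": "198.51.100.7"},
    {"user": "bob@example.com",   "time": "2024-03-01T09:03:40Z", "result": "success",     "ip": "198.51.100.7"},
    {"user": "carol@example.com", "time": "2024-03-01T10:15:00Z", "result": "mfa_denied",  "ip": "192.0.2.44"},
    {"user": "carol@example.com", "time": "2024-03-01T10:16:00Z", "result": "success",     "ip": "192.0.2.44"},
]


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_mfa_fatigue(events, threshold: int = 5, window: timedelta = timedelta(minutes=10)):
    """Return one alert per user whose failed push prompts within any `window` reach `threshold`.

    Each alert records the burst size, its time span, the source IPs, and whether a
    successful sign-in landed within `window` after the last failed prompt.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((parse_time(e["time"]), e["result"], e["ip"]))

    alerts = []
    for user, rows in sorted(by_user.items()):
        rows.sort()
        failures = [r for r in rows if r[1] in FAILED_PUSH]
        best_start, best_end, best_count = 0, 0, 0
        start = 0
        for end in range(len(failures)):            # sliding window over the failed prompts
            while failures[end][0] - failures[start][0] > window:
                start += 1
            if end - start + 1 > best_count:
                best_start, best_end, best_count = start, end, end - start + 1
        if best_count < threshold:
            continue
        burst_end = failures[best_end][0]
        approved = any(res == "success" and burst_end < t <= burst_end + window
                       for t, res, _ in rows)
        alerts.append({
            "user": user,
            "failed_prompts": best_count,
            "first": failures[best_start][0].isoformat(),
            "last": burst_end.isoformat(),
            "source_ips": sorted({ip for _, _, ip in failures[best_start:best_end + 1]}),
            "approved_after_burst": approved,   # worst case: the user eventually tapped Approve
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(EVENTS):
        print(alert)
```

An alert with `approved_after_burst` set is an incident, not a nuisance: the password is already in the attacker’s hands and the session they obtained should be revoked and the password rotated.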
Where to Enable MFA
Microsoft 365
Per-user MFA can be switched on in the Microsoft 365 admin centre under Users > Active users > Multi-factor authentication. The recommended route, though, is a Conditional Access policy in Entra ID (formerly Azure Active Directory), which can require MFA for specific groups, applications, locations or sign-in risk levels rather than for every sign-in of every user. Conditional Access needs an Entra ID P1 licence, which Microsoft 365 Business Premium includes.
Microsoft’s Security Defaults, available to all Microsoft 365 tenants, enable MFA for all users and block legacy authentication protocols that cannot carry a second factor, all with a single setting. They cannot be combined with Conditional Access policies, so a tenant uses one or the other. For businesses without an IT team managing granular policies, enabling Security Defaults is the simplest path to organisation-wide MFA.
Google Workspace
Enable MFA under Admin Console > Security > 2-step verification. You can enforce it for all users or specific groups.
Other Business Accounts
Any business-critical account should have MFA enabled — banking and financial services, domain registrar, DNS provider, cloud hosting, line-of-business applications. Most platforms support MFA under security or account settings. Where the option exists, prioritise it.
MFA on VPN
VPNs without MFA are a known attack vector. Compromised VPN credentials — obtained through phishing or dark web purchase — are frequently used to establish remote access to business networks. Enable MFA on your VPN login. This is one of the most important controls for any business running remote access.
Handling MFA Recovery
MFA introduces a new operational consideration: what happens when a staff member loses access to their second factor — a new phone, a lost device, or a departing employee?
- Backup codes: Most platforms generate one-time backup codes at setup. Store these securely — in a password manager or a physically secure location.
- Admin override: Administrators can disable or reset MFA for a user via the management console. Document this process before you need it.
- Offboarding: When a staff member leaves, disabling their account promptly is essential. MFA tied to a personal device doesn’t protect an account that’s still active.
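An added Python example (not from the original article) of what a platform does behind the backup-code setting, so the advice above to treat those codes like passwords is grounded: the codes come from the OS random number generator, only salted slow hashes are stored server-side, input is normalised so a code works however the user typed it off the printout, and each code is destroyed on first use. The names and the code format are this example’s own choices.

```python
import hashlib
import hmac
import secrets

# No 0/O/1/l/i: the user will be typing these from a printout, so avoid look-alike characters.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_backup_codes(count: int = 10, groups: int = 2, group_len: int = 4) -> list[str]:
    """Return `count` random codes like 'x7km-pq2r', generated with the OS CSPRNG."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(groups * group_len))
        codes.append("-".join(raw[i:i + group_len] for i in range(0, len(raw), group_len)))
    return codes


def normalise(code: str) -> str:
    """Accept the code however it was typed: case, spaces and hyphens don't matter."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


class BackupCodeStore:
    """Server-side state for one user's codes: stores salted hashes only, each redeemable once."""

    def __init__(self, codes: list[str]):
        self.salt = secrets.token_bytes(16)
        self._unused = {self._digest(c) for c in codes}

    def _digest(self, code: str) -> bytes:
        # An 8-character code has roughly 40 bits of entropy, so a fast hash would be crackable
        # offline if the database leaked; PBKDF2 makes that guess-work expensive.
        return hashlib.pbkdf2_hmac("sha256", normalise(code).encode(), self.salt, 100_000)

    def redeem(self, code: str) -> bool:
        """Consume the code if it is valid and unused; a second use of the same code fails."""
        candidate = self._digest(code)
        for stored in self._unused:
            if hmac.compare_digest(stored, candidate):
                self._unused.discard(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print(codes[0], store.redeem(codes[0]), store.redeem(codes[0]))   # <code> True False
```

The single-use property is what makes a backup code safe to keep on paper: a code someone photographs over your shoulder is useless once you have used it, and the `remaining()` count tells the user when to generate a fresh set.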
Common Objections
“It’s inconvenient.” On trusted devices, many platforms only require MFA once per session or once per device. Day-to-day friction is minimal once configured. The inconvenience of MFA is small compared to the inconvenience of an account takeover.
“We’re too small to be a target.” Credential stuffing attacks are automated and non-discriminatory. If your email address and a reused password appear in a data breach, it will be tested against your business accounts. Size is not a protection.
“We already have a strong password policy.” Strong passwords help. They don’t protect against phishing, where the user hands over their credentials directly. MFA does, with one caveat: a typed code or a push approval can itself be relayed by a real-time phishing proxy, so only the phishing-resistant methods (hardware tokens using FIDO2/WebAuthn) close that gap completely. Even code-based MFA defeats the bulk phishing that simply harvests passwords for later use.