Bottom line
- MFA (multi-factor authentication) is a second login step on top of your password - usually a tap on your phone.
- Microsoft says it blocks over 99.9% of account-takeover attacks. It’s free on Microsoft 365.
- If you do nothing else this quarter, turn on MFA across all business-critical accounts.
If you do one thing for your cybersecurity this quarter, make it this. Multi-factor authentication - MFA - is the single highest-impact security step a small business can take. It’s usually free, it takes minutes to set up, and it stops the most common kind of attack cold.
What MFA actually is
MFA adds a second step to logging in. After you enter your password, you also need to confirm it’s really you - usually by tapping “approve” on an app on your phone, or by entering a one-time code.
The principle is simple: even if someone steals your password, they can’t log in without that second factor - which is sitting in your pocket. It’s the same idea your bank uses for online banking. It works.
Why passwords on their own aren’t enough
Passwords are the weakest link in almost every breach. People reuse them, choose obvious ones, or get tricked by phishing emails into typing them into a fake login page. Massive breaches at other companies regularly leak millions of passwords, and attackers run automated tools that try those stolen passwords against Microsoft 365, Google Workspace and remote-access systems - looking for one that still works.
A stolen password without MFA is essentially a master key to your business email, files, and systems. With MFA in place, it’s useless.
How effective is it?
Extremely. Microsoft’s own research found that MFA blocks more than 99.9% of account compromise attacks. That’s not a marginal improvement - it’s a step change. For the few seconds it adds to your login, you get a level of protection that’s hard to match with any other single control.
Where to turn it on
At a minimum, MFA should be enabled on anything that:
- Is accessible from the internet
- Contains business data, money, or staff/customer records
For most SMBs, that means:
- Microsoft 365 (email, OneDrive, SharePoint, Teams)
- Any remote access or VPN (virtual private network - a secure connection back to the office)
- Accounting platforms (Xero, MYOB, QuickBooks)
- Your CRM and any other business management platforms
- Banking, payroll and social media accounts
If you’re on Microsoft 365, MFA is included - no extra cost. The Microsoft Authenticator app handles the second factor neatly.
The common objections (and why they don’t hold up)
“It’s annoying.” It adds a few seconds. Most people get used to it within two days and never think about it again.
“What if I lose my phone?” A fair question, and the reason a proper rollout includes backup recovery methods - backup codes, a secondary number, or admin-led recovery. Plan for this before rollout, not after.
“My less tech-savvy staff won’t cope.” In practice they cope fine. The Authenticator app is straightforward and a hands-on walkthrough at setup sorts almost everyone out on the spot.
How to roll it out without drama
Don’t just flip the switch one Monday morning and hope. A short, planned rollout takes the pain out of it:
- Tell your team what’s changing and why, a week ahead
- Provide a simple one-pager with screenshots for installing the Authenticator app
- Have someone available to help in person for the first day or two
- Start with administrators and senior staff, then extend across the team
- Configure recovery options properly so a lost phone doesn’t become a lockout
If you’d rather not handle it yourself, your IT provider should do the whole rollout for you - including the conditional access rules that make MFA stricter for risky logins and friction-free for normal day-to-day work.
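To check progress during a rollout like the one above, this added example (not from the original post) lists Microsoft 365 users who have not yet registered for MFA, with administrators first so the rollout starts where the post recommends. It assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account is allowed to read the tenant's authentication-method registration report.

```powershell
# Added example: MFA registration coverage report for a Microsoft 365 tenant.
# Assumes the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
# The report needs AuditLog.Read.All and UserAuthenticationMethod.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# One row per user: IsMfaRegistered, IsMfaCapable, IsAdmin, MethodsRegistered, ...
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Users still without a registered second factor, admins sorted to the top
$notRegistered = $details |
    Where-Object { -not $_.IsMfaRegistered } |
    Sort-Object -Property @{ Expression = 'IsAdmin'; Descending = $true }, UserPrincipalName

# Who to chase first during the rollout
$notRegistered |
    Select-Object UserPrincipalName, IsAdmin, IsMfaCapable,
        @{ Name = 'MethodsRegistered'; Expression = { $_.MethodsRegistered -join ', ' } } |
    Format-Table -AutoSize

# A single coverage figure for the owner or IT provider to track week by week
$total   = $details.Count
$covered = ($details | Where-Object { $_.IsMfaRegistered }).Count
$pct     = [math]::Round(100 * $covered / [math]::Max($total, 1), 1)
"MFA registered: $covered of $total users ($pct%)"

# Admins without MFA are the highest-risk gap; flag them explicitly
$adminsMissing = $notRegistered | Where-Object { $_.IsAdmin }
if ($adminsMissing) {
    "WARNING: $($adminsMissing.Count) administrator account(s) still have no MFA registered."
}
```

Run it before the rollout for a baseline and again after each wave; the admin warning should disappear after the first wave.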
MFA is one of the controls covered in the Essential Eight and the foundation of a properly configured Microsoft 365 tenant.