
The Business Owner's Guide to Multi-Factor Authentication

April 9, 2026 · 5 min read · PCI Consulting Group

If there is one security measure that delivers more protection per dollar and per hour of effort than any other, it's multi-factor authentication. Microsoft has reported, from its own sign-in telemetry, that MFA blocks more than 99.9% of automated account-compromise attacks. Yet most small businesses either haven't deployed it, or have deployed it inconsistently, covering some accounts and leaving others wide open. Here's what you need to know.

PCI Consulting Group's managed IT services include security monitoring, endpoint protection, and proactive threat response for small and mid-size businesses.

What multi-factor authentication actually is

Authentication is the process of proving you are who you claim to be. Traditionally, businesses rely on a single factor — a password. Multi-factor authentication requires a second (or third) form of verification before access is granted. The three factor categories are:

  • Something you know

    Password, PIN, security question

  • Something you have

    Authenticator app, hardware token, SMS code

  • Something you are

    Fingerprint, face ID, retina scan

The most common business MFA setup combines a password (something you know) with a code from an authenticator app (something you have). The app derives each code from a secret that was stored on your phone when you enrolled, so even if an attacker steals your password, they can't log in without that device. What they can still try is tricking you into typing the code into a fake login page, which is why the choice of second factor matters.

Why passwords alone aren't enough

Passwords get compromised constantly: through phishing, data breaches at other websites, credential stuffing attacks, and malware. Most people reuse passwords across accounts, so a breach at one site can open accounts at dozens of others. No matter how strong your password policy is, a leaked credential is a leaked credential. With MFA in place, a compromised password alone gets an attacker nothing.

What accounts need MFA — in order of priority

  • Business email (Microsoft 365, Google Workspace) — email is the master key to everything else, including password resets
  • Banking and financial accounts
  • Your CRM, ERP, or any system with customer data
  • Cloud storage (SharePoint, OneDrive, Google Drive, Dropbox)
  • Remote access tools (VPN, RDP, remote desktop solutions)
  • Your domain registrar and DNS provider
  • Any admin accounts — IT systems, billing portals, payroll

Authenticator app vs. SMS — which should you use?

SMS-based MFA, where a code is texted to your phone, is better than nothing but is the weakest form of MFA. It's vulnerable to SIM-swapping attacks, where an attacker convinces your carrier to transfer your phone number to their device, and the code is readable by anything that can see your text messages. Authenticator apps (Microsoft Authenticator, Google Authenticator, Duo) generate codes locally on your device from a secret that never travels over the phone network, which is significantly more secure. One caveat: an app code is still just a six-digit number, so a convincing phishing page can ask you for it and relay it to the real site within the 30 seconds it is valid. Hardware security keys (YubiKey and other FIDO2 keys) are the most secure option for high-value accounts, because the key checks the website's address before it answers, so a lookalike site gets nothing it can reuse.

For most businesses: deploy an authenticator app for all critical accounts, use SMS only as a temporary fallback while people enroll (an attacker who can choose the weaker method will, so remove SMS from high-value accounts once the app is working), and consider hardware keys for IT admins and executives.

How to roll it out without disrupting your team

  • Start with admins and executives

    Roll out to high-privilege accounts first. These are the most valuable targets and the best place to learn your deployment process before going company-wide.

  • Use a managed deployment

    In Microsoft 365 (Conditional Access, or Security Defaults on tenants without an Entra ID P1 license) and Google Workspace (2-Step Verification enforcement in the Admin console), MFA can be enforced through policy for a group or for all users at once. This is cleaner than asking employees to opt in individually, and in Microsoft 365 a Conditional Access policy can run in report-only mode first, so you see who would be affected before anyone is blocked.

  • Communicate before you enable

    Give employees 1–2 weeks notice, a simple guide on setting up the authenticator app, and a contact for questions. Most resistance to MFA comes from surprise, not the extra step itself.

  • Plan for account recovery

    Define your process for when an employee loses their phone or gets locked out. Backup codes and recovery procedures need to be documented before you need them, and the recovery process itself must verify identity properly, because an attacker who can talk the help desk into resetting MFA bypasses it entirely. Keep at least one emergency admin account, excluded from the MFA policy and with credentials stored offline, so an outage of the MFA service or a lost phone can't lock the whole business out.
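The four steps above, expressed as Microsoft Entra Conditional Access policies created through the Microsoft Graph REST API. This is an added example, not code from the original article or from PCI Consulting Group; it assumes an Entra ID P1 license (included in Microsoft 365 Business Premium), an access token holding the Policy.ReadWrite.ConditionalAccess permission, and placeholder object IDs for the pilot group and the emergency account that you would replace with your tenant's own. The Global Administrator role template ID is the one Microsoft documents; the function names are this example's own.

```python
"""
Added example (not from the original article): staged MFA rollout as
Conditional Access policies via Microsoft Graph. IDs marked placeholder are
invented for illustration; replace them with your tenant's values.
"""
import copy
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"  # documented role template ID
PILOT_GROUP = "00000000-0000-0000-0000-000000000001"        # placeholder: execs + IT staff
BREAK_GLASS = "00000000-0000-0000-0000-0000000000ff"        # placeholder: emergency admin

REPORT_ONLY = "enabledForReportingButNotEnforced"


def require_mfa_policy(name, *, state, include_users=(), include_groups=(),
                       include_roles=(), exclude_users=()):
    """Body of a Conditional Access policy requiring MFA for all cloud apps,
    on all client types, for the selected users, groups and directory roles."""
    return {
        "displayName": name,
        "state": state,  # "enabled", "disabled" or REPORT_ONLY
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {
                "includeUsers": list(include_users),
                "includeGroups": list(include_groups),
                "includeRoles": list(include_roles),
                "excludeUsers": list(exclude_users),
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def check_policy(policy):
    """Guardrail for the 'plan for account recovery' step: a tenant-wide MFA
    policy with no excluded emergency account can lock every admin out."""
    users = policy["conditions"]["users"]
    if "All" in users["includeUsers"] and not users["excludeUsers"]:
        raise ValueError(f"{policy['displayName']}: exclude a break-glass account")
    return True


def rollout_phases(pilot_group=PILOT_GROUP, break_glass=BREAK_GLASS):
    """Phase 1: high-privilege accounts, enforced immediately.
    Phase 2: everyone, report-only during the 1-2 week notice period."""
    return [
        require_mfa_policy("MFA phase 1: admins and executives", state="enabled",
                           include_roles=[GLOBAL_ADMIN_ROLE], include_groups=[pilot_group],
                           exclude_users=[break_glass]),
        require_mfa_policy("MFA phase 2: all users", state=REPORT_ONLY,
                           include_users=["All"], exclude_users=[break_glass]),
    ]


def enforce(policy):
    """After the notice period: the same policy, switched from report-only to
    enforced (in Graph this is a PATCH of 'state' on the existing policy)."""
    enforced = copy.deepcopy(policy)
    enforced["state"] = "enabled"
    return enforced


def create_policy(policy, token):
    """POST the policy to Graph. Network call; only reached from main."""
    check_policy(policy)
    req = urllib.request.Request(
        GRAPH, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")  # assumed: a token you obtained separately
    for policy in rollout_phases():
        check_policy(policy)
        if token:
            print(create_policy(policy, token)["id"])
        else:
            print(json.dumps(policy, indent=2))
```

Run without a token it only prints the two policy bodies, which is a reasonable thing to review with whoever approves the change before anything is applied. Once the phase 2 report-only sign-in logs show no surprises and the notice period has passed, PATCH that policy's state to "enabled" rather than creating a second copy.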

The bottom line

MFA is the closest thing to a silver bullet in small business security. It's not expensive, it's not complicated to deploy, and it stops the vast majority of account takeover attacks cold. If your business isn't using it consistently across all critical accounts, that's the first thing to fix. PCI Consulting Group deploys and manages MFA as part of our managed IT engagements and can help you get it rolled out correctly across your environment.

Ready to get MFA deployed across your business?

We'll handle the rollout, configure the policies, and make sure your team is set up correctly from day one.

Talk to us