Multi-factor authentication for small business hero graphic

What Is MFA and Why Your ‘Strong Password’ Isn’t Enough Anymore

You have heard the advice a thousand times. Use a strong password. Mix in uppercase, lowercase, numbers, and symbols. Do not reuse it, and change it often. That advice is fine, as far as it goes. But here is what nobody tells you: even a perfect password is no longer enough on its own. For a business, that gap is dangerous, and the fix is multi-factor authentication.

Why Passwords Fail, Even Good Ones

Passwords fail for reasons that have nothing to do with how clever they are. Here are the three most common:

  • Data breaches. Companies get hacked constantly. When a site you use is breached, your password can land in a public list of stolen credentials. Attackers then run that list against every major platform automatically.
  • Phishing. A convincing fake login page tricks you into typing your real password into the wrong site. Because you handed it over yourself, complexity does not save you.
  • Password reuse. Most people reuse passwords. So if your “strong” password matches one from a forum breached in 2018, attackers will try it on your email and your bank within minutes. This is called credential stuffing, and it is fully automated.

Notice the pattern. In none of these cases did anyone brute-force the password. Instead, they got it some other way. That is exactly why a second factor changes everything.

What Multi-Factor Authentication Actually Is

Multi-factor authentication (MFA), sometimes called two-factor authentication or 2FA, simply means logging in takes two separate things. First, something you know, like your password. Second, something you have, like a code on your phone or a tap on a push notification.

Diagram of how multi-factor authentication works using two separate login factors
Two locks on the door: a stolen password alone never gets in.

Think of it like a door with both a key lock and a deadbolt. A thief who steals your key still cannot get in without the deadbolt code. In the same way, an attacker with your password still hits a wall without your phone.

The Four Types of MFA

Not all multi-factor authentication is equal, though. Here are the common types, ranked from weakest to strongest:

The four types of multi-factor authentication ranked by security strength
Any MFA beats none, but the gap between SMS and a hardware key is real.
  • SMS text codes. A code is texted to you. It is better than nothing, but it is the weakest option, because phone numbers can be stolen through a SIM-swap attack.
  • Push notifications. Your phone asks “Did you just sign in?” and you tap Approve. It is fast and simple.
  • Authenticator apps. Apps like Microsoft or Google Authenticator generate a six-digit code that changes every 30 seconds. For most business accounts, this is the gold standard.
  • Hardware keys. A physical key such as a YubiKey. You plug it in or tap it. It is the strongest option, and it is what high-value targets rely on.

How Big a Difference Does MFA Make?

The numbers are not subtle. Microsoft found that turning on MFA blocks 99.9% of automated account-compromise attacks, a figure you can read in Microsoft’s own write-up. Not half. Not most. Nearly all of them.

That is because most attacks are automated and opportunistic. Bots run stolen credential lists against millions of accounts at once. The moment you add MFA, the bot hits a wall it cannot pass without your physical phone. So it gives up and moves to an easier target. Just like that, you are out of the easy-pickings pile.

Where to Turn On MFA First

You do not have to do everything at once. Instead, start with the accounts that matter most:

  • Email first. It is the master key, because anyone who controls your inbox can reset every other password. Microsoft 365 and Google Workspace both support MFA, so make it mandatory.
  • Banking and financial accounts. These are non-negotiable.
  • Your domain registrar. Whoever controls your domain controls your website and email, so lock it down.
  • Cloud storage. Google Drive, OneDrive, and Dropbox hold your files and client data.
  • Any VPN or remote-access tool. It is the front door to your network.
  • Your password manager. If you use one, and you should, protect it with the strongest MFA you have.

Email deserves special attention here. A single compromised inbox is how most business email compromise scams begin, which is exactly the trap we broke down in the six-figure wire-fraud story. And if you want to tighten email further, our look at six months of DMARC reports goes a layer deeper.

But Isn’t MFA a Hassle?

This is the objection I hear most. “It is too inconvenient. It will slow everyone down.” That is fair, and MFA does add one step. In practice, though, a modern push notification takes about three seconds. It is a buzz and a tap. Most platforms also let you trust your own devices, so you are not re-authenticating every single day.

Now weigh those three seconds against the alternative. The average business email compromise complaint costs about $129,000, according to the FBI’s latest Internet Crime Report. Add the client trust you cannot put a price on, and it is not a close call.

How to Turn It On

Setup is straightforward on both major platforms. For Microsoft 365, MFA lives in the Microsoft 365 admin center under your security settings. For Google Workspace, you will find it under Admin console, then Security, then 2-Step Verification. Importantly, both let an administrator enforce MFA for everyone, so no one can quietly opt out.

And enforcing it for everyone is the right call. Optional MFA means one person skips it, and that is the exact account that gets compromised.

If you run Microsoft 365 and have not enabled MFA yet, or you have but are not sure it is set up correctly, we can walk through it together. We do this for clients regularly, and it usually takes under an hour to protect an entire team. Let us get it done.