Article · 5 min · For Owners
The math
Microsoft has published the same finding for years: MFA stops the overwhelming majority of automated account-compromise attacks. Even basic SMS-based MFA, the weakest version, defeats credential stuffing and password spraying outright, because a stolen or guessed password alone no longer completes the sign-in. It also stops the large share of phishing that harvests only the password; what it does not stop is a phishing proxy that relays the one-time code in real time, which is why the stronger methods below exist. The point is that no MFA at all is functionally an open door.
The five-minute setup most owners delay for years
Microsoft 365 makes baseline MFA enforcement a single tenant-wide setting (Security Defaults, available on every tenant at no cost: it requires every user to register for MFA, challenges them when a sign-in looks risky, always challenges administrators, and blocks legacy authentication protocols that cannot do MFA at all). Conditional Access policies refine it: block sign-ins from countries you do not operate in, require MFA from devices the organization does not manage, require a stronger method for privileged users. You can also exempt office IP addresses, but an exemption is inherited by anyone on that network, including a guest Wi-Fi client or a workstation already running malware, so treat it as a last resort rather than a convenience. Enrollment takes minutes per user. The benefit compounds for the life of the tenant.
The phishing-resistant version (when MFA isn't enough)
The weakest MFA, a code texted to your phone, falls to a SIM swap, to an attacker who social-engineers the user into reading the code out, and, increasingly, to phishing kits that proxy the real login page and relay the code in real time. Authenticator-app codes and push approvals fall to that same proxy. Phishing-resistant methods (FIDO2 hardware keys, passkeys, Windows Hello for Business) close the gap because the credential is bound to the genuine site's origin: a look-alike domain cannot obtain a signature the real service will accept. For executives, finance staff, and IT admins, those should be the default.
"We don't need it, we're small" is the wrong instinct
Attackers don't aim at companies; they aim at credentials. Small businesses get caught in the same automated nets that catch large ones. The shop with no IT department is exactly the demographic with the least MFA — which is exactly why it's targeted.
Frequently asked questions
Which MFA method should we use: SMS, authenticator app, or hardware key?
In order of strength: hardware security keys (or passkeys / Windows Hello for Business) > authenticator app with number matching > plain push notification > SMS or email code. Everything below the top tier can be relayed by a real-time phishing proxy; number matching mainly defends against push-fatigue attacks, where an attacker spams approval prompts until the user taps Accept. Use the authenticator app as the default for everyone; use hardware keys or passkeys for finance, IT admins, and executives. Avoid SMS as the only second factor for any account that matters.
Should MFA be required on every app, or just email?
Every app that touches business data, ideally enforced through single sign-on (Microsoft Entra ID, Okta, Google). The high-priority list: Microsoft 365 or Google Workspace, the VPN, remote-desktop gateways, the accounting platform, the banking portals, the payroll system, the dispensing or EHR or POS application, and any administrative console.
What is Conditional Access and do we need it?
Conditional Access (Entra ID; the Google Workspace equivalent is Context-Aware Access) lets you set rules like "require MFA on sign-ins from outside the office network" or "block sign-ins from countries we don't operate in." It is where MFA goes from a checkbox to a layered policy. Conditional Access needs an Entra ID P1 license, which Microsoft 365 Business Premium includes; without it, Security Defaults gives you the flat, tenant-wide version. Most small businesses get most of the benefit from three or four well-chosen policies, created in report-only mode first so the sign-in log shows who would have been blocked before anyone actually is.
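The three policies this article keeps coming back to (require MFA for everyone, block sign-ins from countries you do not operate in, require phishing-resistant MFA for admins, finance and executives), written out in Microsoft Graph PowerShell as an added example. This is illustration written for this page, not Microsoft's or the article's own configuration. It assumes the Microsoft.Graph PowerShell SDK, a tenant licensed for Conditional Access, and two groups you have already created whose object IDs replace the placeholders: a break-glass (emergency access) group and a group holding the privileged users. The country list is a placeholder as well.

```powershell
# Added example for this page: three Conditional Access policies via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph SDK installed, Entra ID P1 (or Business Premium) tenant,
# and the two group IDs below replaced with real object IDs from your tenant.
Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser   # one-time
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId  = "<object id of the emergency-access group>"   # placeholder
$privilegedGroupId  = "<object id of the admins/finance/executives group>"   # placeholder
$operatingCountries = @("US")   # placeholder: ISO 3166-1 alpha-2 codes where staff legitimately sign in

# Every policy starts in report-only. Read the sign-in log for a few days,
# then flip state to "enabled" once nothing legitimate shows up as blocked.
$reportOnly = "enabledForReportingButNotEnforced"

# 1. Require MFA for every user on every app. The break-glass group is the only exclusion;
#    deliberately no trusted-location exclusion, so an office IP buys nothing to an intruder.
$requireMfa = @{
    displayName   = "CA001 Require MFA for all users"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# 2. Block sign-ins from outside the operating countries. A country named location lists the
#    allowed countries; the policy blocks everything that is not in it. includeUnknownCountriesAndRegions
#    = $false means an IP that cannot be geolocated is treated as foreign and blocked, which is the
#    safe default but can bite mobile carriers and VPNs: check the report-only results before enabling.
$allowedCountries = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Operating countries"
    countriesAndRegions               = $operatingCountries
    includeUnknownCountriesAndRegions = $false
}
$blockForeign = @{
    displayName   = "CA002 Block sign-ins from outside operating countries"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        locations      = @{ includeLocations = @("All"); excludeLocations = @($allowedCountries.Id) }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockForeign

# 3. Privileged users must satisfy the built-in "Phishing-resistant MFA" authentication strength
#    (FIDO2 keys, passkeys, Windows Hello for Business, certificate-based auth). Looked up by name
#    rather than hard-coding its ID.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" }
$phishingResistant = @{
    displayName   = "CA003 Phishing-resistant MFA for privileged and finance users"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeGroups = @($privilegedGroupId); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; authenticationStrength = @{ id = $strength.Id } }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $phishingResistant

# Confirm what now exists and that everything is still report-only.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Two design choices worth stating: the break-glass group is excluded from every policy so that a misconfigured rule cannot lock every administrator out of the tenant, which means those accounts need long random passwords stored offline and an alert on any sign-in; and CA001 has no trusted-location exclusion at all, because the office network is not evidence of who is at the keyboard.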
What happens if a user loses their phone or hardware key?
The recovery path needs to be documented before it's needed: a backup method registered at enrollment (a second authenticator device or a hardware key; Google Workspace also issues backup codes), a process for admin-initiated MFA reset that verifies identity out-of-band (a call to a phone number already on file or a face-to-face check, never a reply to the mailbox or device that may now be in someone else's hands), and Temporary Access Passes for emergency sign-in, issued single-use with a short lifetime. Don't disable MFA "just for now" for a locked-out user: a standing exception with no expiry is exactly the opening an attacker posing as that user is hoping for, and it is a common first step in account takeovers.
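The lost-device procedure above, as an added example in Microsoft Graph PowerShell; this is written for this page and is not the article's or Microsoft's own runbook. It assumes the Temporary Access Pass method is enabled in the tenant's Authentication methods policy, that the operator holds the Authentication Administrator role or higher, and that the user name and the lost device's display name are placeholders you replace. The out-of-band identity check happens before any of this runs; the script cannot do it for you.

```powershell
# Added example for this page: recover a user who lost their MFA device without disabling MFA.
# Assumptions: Temporary Access Pass is enabled tenant-wide; caller is Authentication Administrator
# or higher; $user and the device name below are placeholders.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All", "User.ReadWrite.All"

$user           = "jane.doe@contoso.example"   # placeholder; identity already verified by phone on file or in person
$lostDeviceName = "Jane's old iPhone"          # placeholder: display name of the Authenticator registration to remove

# Step 1: see what is registered, so you know what was lost and what (if anything) still works.
Get-MgUserAuthenticationMethod -UserId $user |
    Select-Object Id, @{ n = "Type"; e = { $_.AdditionalProperties["@odata.type"] } }

# Step 2: remove the lost device's Authenticator registration. Whoever has the phone now
# must not be able to keep approving push prompts for this account.
Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user |
    Where-Object { $_.DisplayName -eq $lostDeviceName } |
    ForEach-Object {
        Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user `
            -MicrosoftAuthenticatorAuthenticationMethodId $_.Id
    }

# Step 3: revoke existing refresh tokens so sessions already open on the lost device die too.
Revoke-MgUserSignInSession -UserId $user

# Step 4: issue a Temporary Access Pass that works exactly once and expires in 30 minutes.
# The user signs in with it and registers a new method; MFA enforcement never comes off.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user -BodyParameter @{
    lifetimeInMinutes = 30
    isUsableOnce      = $true
}
# Read the pass to the user over the verified channel. Never e-mail it: the mailbox may be
# exactly what the attacker is trying to reach.
$tap.TemporaryAccessPass
```

Order matters: removing the old method and revoking sessions before issuing the pass means that if the "lost phone" story was an attacker's pretext, the worst case is that the legitimate user re-enrolls, not that two parties hold working credentials at once.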
Related reading