What Is Multi-Factor Authentication and Why Every Business Needs It
The Password Problem
Passwords alone do not provide adequate security for business accounts. The reasons are well-documented: people reuse passwords across multiple services, data breaches expose millions of credentials every year, and attackers use automated tools to try stolen or guessed passwords at scale.
If a criminal obtains your email password — through a phishing attack, a data breach at another service, or simply guessing a weak password — they can access your email, your contacts, your stored documents, and potentially everything connected to that account. With access to your email, they can also reset passwords on your accounting software, banking, and other services.
Multi-factor authentication (MFA) is the most effective single measure to prevent this.
What MFA Actually Does
MFA requires a second form of verification in addition to your password before granting access to an account. The most common form for business accounts is an authenticator app — Microsoft Authenticator or Google Authenticator — that generates a six-digit code that changes every 30 seconds.
When you log in with MFA enabled:
1. You enter your username and password as normal.
2. You are then prompted to enter the six-digit code from your authenticator app, or to approve a push notification on your phone.
Even if a criminal has your password, they cannot access the account without also having your phone. This alone stops the vast majority of account takeover attempts.
The Different Types of MFA
Authenticator app (recommended). An app on your phone that generates time-based codes. This is the most secure common option and the one most businesses should use for email and cloud accounts.
SMS code. A code sent to your mobile number by text. Better than no MFA, but less secure than an authenticator app — phone numbers can be hijacked through SIM-swapping attacks.
Hardware security key. A physical USB or NFC device (like a YubiKey) that must be present to log in. Extremely secure and the right choice for high-value accounts like domain admin or accounting system admin.
Push notification. A prompt sent to your phone asking you to approve the login. Convenient, but vulnerable to "MFA fatigue" attacks where criminals send repeated push notifications hoping you will approve one accidentally.
Which Accounts Should Have MFA
In priority order:
1. Email accounts (Microsoft 365 or Google Workspace) — highest priority
2. Accounting software (Xero, MYOB, QuickBooks)
3. Cloud storage (OneDrive, SharePoint, Google Drive)
4. Business banking portals
5. Any platform containing customer or patient data
6. Remote access tools (VPN, remote desktop)
7. Domain registrar and DNS management
If MFA is not yet enabled on your Microsoft 365 accounts, this is the single highest-impact security action your business can take today.
Common Objections to MFA
"It slows people down." Authenticator apps on modern phones add about five seconds to the login process. Most accounts also offer a "trusted device" option so you are only prompted on unfamiliar devices.
"Our staff will find it confusing." MFA setup takes about five minutes per person. Staff adapt within a day or two.
"We are too small to be targeted." Credential-stuffing attacks are automated and target millions of accounts indiscriminately. Small businesses are included.
How MFA Actually Gets Bypassed: What to Know
MFA is highly effective, but not impenetrable. Understanding the ways it gets bypassed helps design more resilient authentication.
MFA fatigue attacks. An attacker with stolen credentials logs in repeatedly, triggering push notification MFA prompts on the victim's phone. The attacker sends 20, 30, or 40 push notifications over several hours — or in the middle of the night — hoping the victim approves one out of confusion or frustration. This is a real attack pattern that has compromised large organisations. The countermeasure: switch from push notifications to number-matching (where the app shows a number that must match what is displayed on the login screen) or use an authenticator app code rather than push approval.
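One way to spot this pattern in sign-in telemetry, as an added example rather than anything from the original article: the function below walks constructed sign-in records (time, user, MFA method, outcome) and raises an alert when a user accumulates a burst of unapproved push prompts, and a second alert when an approval arrives while such a burst is still recent. The record format, window and threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample sign-in records (not from any real tenant): time, user, MFA method, outcome.
SAMPLE_LOG = """\
2024-03-02T02:14:05Z alice@example.com push denied
2024-03-02T02:14:40Z alice@example.com push timeout
2024-03-02T02:15:12Z alice@example.com push denied
2024-03-02T02:16:03Z bob@example.com push denied
2024-03-02T02:16:30Z bob@example.com push approved
2024-03-02T02:16:55Z alice@example.com push timeout
2024-03-02T02:18:20Z alice@example.com push denied
2024-03-02T02:19:48Z alice@example.com push timeout
2024-03-02T02:21:10Z alice@example.com push approved
"""


def parse(log: str):
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp, user, method, outcome = line.split()
        yield datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), user, method, outcome


def find_mfa_fatigue(log: str, window: timedelta = timedelta(minutes=10),
                     threshold: int = 5) -> List[Tuple[str, datetime, str]]:
    """Flag users who receive `threshold` unapproved push prompts inside `window`,
    and flag any approval that lands while such a burst is still within the window."""
    pending = defaultdict(deque)  # user -> timestamps of recent unapproved prompts
    alerts = []
    for stamp, user, method, outcome in parse(log):
        if method != "push":
            continue
        recent = pending[user]
        while recent and stamp - recent[0] > window:
            recent.popleft()  # forget prompts older than the window
        if outcome == "approved":
            if len(recent) >= threshold:
                alerts.append((user, stamp, "approval after prompt storm"))
            recent.clear()
        else:
            recent.append(stamp)
            if len(recent) == threshold:
                alerts.append((user, stamp, "prompt storm"))
    return alerts
```

The "approval after prompt storm" alert is the one to treat as a probable compromise and act on first.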
SIM-swapping. An attacker contacts the victim's mobile carrier, impersonates them, and convinces the carrier to transfer the phone number to a SIM card they control. Incoming SMS codes then go to the attacker. This is why SMS-based MFA is less secure than an authenticator app — the phone number can be hijacked while the authenticator app requires physical possession of the registered device.
Phishing for MFA codes. Sophisticated phishing sites act as a real-time proxy between the victim and the legitimate service. The victim enters their credentials and MFA code on the phishing site; the site passes them to the real service simultaneously. The attacker uses the authenticated session before the MFA code expires. Countermeasure: phishing-resistant MFA using hardware security keys (FIDO2) eliminates this attack vector — the key is domain-bound and will not authenticate to a phishing site.
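To show what "domain-bound" means in practice, here is an added example (not from the original article) of the relying-party checks a server performs on a FIDO2/WebAuthn assertion: the victim's browser records the origin it is actually on in clientDataJSON and the authenticator signs over that data, so a login relayed through a look-alike domain carries the wrong origin and is rejected. The origin, rpId and sample values are assumptions; the signature check over authenticatorData and the clientDataJSON hash, which is what makes these fields tamper-evident, is left out for brevity.

```python
import base64
import hashlib
import json

EXPECTED_ORIGIN = "https://login.example.com"  # assumed relying-party origin
RP_ID = "example.com"                          # assumed relying-party ID (registrable domain)


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_assertion(client_data_json: bytes, authenticator_data: bytes, expected_challenge: bytes) -> str:
    """Return 'ok' or the reason the assertion is rejected. A full verifier also checks the
    signature over authenticator_data || sha256(client_data_json) with the registered public key."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return "challenge mismatch (replayed or foreign assertion)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        # A real-time phishing proxy cannot pass this check: the browser writes the origin
        # the user is really on, and the authenticator's signature covers it.
        return "origin mismatch: " + str(client_data.get("origin"))
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return "user presence flag not set"
    return "ok"


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed stand-in for the clientDataJSON a browser produces; not a captured assertion."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


CHALLENGE = b"constructed-challenge-0123456789"  # server-issued, unique per login attempt
# rpIdHash (32 bytes) + flags byte (UP|UV = 0x05) + 4-byte signature counter
AUTH_DATA = hashlib.sha256(RP_ID.encode()).digest() + bytes([0x05]) + (7).to_bytes(4, "big")
```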
For most Gold Coast and Brisbane small businesses, an authenticator app with number-matching enabled provides strong protection. Hardware security keys are appropriate for high-value accounts (admin accounts, banking access, accounts controlling large financial transactions).
Configuring MFA Across Microsoft 365: The Practical Steps
If your business uses Microsoft 365 and MFA is not yet fully enabled, here is the sequence:
Step 1: Enable Security Defaults or Conditional Access. In the Microsoft 365 Admin Centre, Security Defaults is the fastest way to require MFA for all users. For more granular control — requiring MFA only from outside the office network, for example — Conditional Access (available in Business Premium) provides more sophisticated policy options.
Step 2: Communicate to staff. Before enforcing MFA, let staff know what to expect. "When you next log in to your Microsoft account, you will be prompted to set up an authenticator app. Here is how to do it." A short explainer video or instruction sheet reduces help desk calls.
Step 3: Deploy authenticator apps. Microsoft Authenticator is the recommended app for Microsoft 365. Google Authenticator also works. Staff install the app on their personal or company phone and scan the QR code shown during account setup. This takes under five minutes per user.
Step 4: Handle exceptions carefully. Service accounts (accounts used by software or integrations, not people) often cannot use interactive MFA. Ensure these accounts use very strong, unique passwords and are explicitly excluded from MFA policies only where technically necessary.
Step 5: Set trusted devices. Once enrolled, Microsoft 365 can be configured to trust registered devices — staff are only prompted for MFA when logging in from an unrecognised device. This reduces daily friction significantly while maintaining security.
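Steps 1 and 4 above map onto a single Conditional Access policy. The JSON below is an added example, not Netluma's configuration, in the request-body format accepted by Microsoft Graph's POST /identity/conditionalAccess/policies endpoint: it requires MFA for every user and application except sign-ins from locations already marked trusted (the office network), and the two excluded object IDs are placeholders for a service account that cannot do interactive MFA and an emergency-access account. It starts in report-only mode so the sign-in logs can be reviewed before it is switched to "enabled".

```json
{
  "displayName": "Require MFA for all users outside trusted locations",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeUsers": ["All"],
      "excludeUsers": [
        "00000000-0000-0000-0000-000000000001",
        "00000000-0000-0000-0000-000000000002"
      ]
    },
    "applications": { "includeApplications": ["All"] },
    "locations": {
      "includeLocations": ["All"],
      "excludeLocations": ["AllTrusted"]
    },
    "clientAppTypes": ["all"]
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["mfa"]
  }
}
```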
MFA for Non-Microsoft Systems
The Microsoft 365 context is the most common, but MFA should be enabled wherever it is available:
Xero and accounting platforms. Xero supports authenticator app MFA. Enable it — accounting systems contain financial records that are both valuable and regulated.
Banking. Most Australian business banking platforms support SMS or app-based MFA. If your banking provider supports it, enable it and prefer the app-based option over SMS.
Domain registrar. Your domain registrar controls your business domain — the address of your website and email. Losing control of your domain to an attacker is catastrophic. Enable MFA on the registrar account.
PRODA (Medicare Online). PRODA authenticates through myGovID, which requires strong identity verification. Ensure the myGovID linked to practice accounts uses the Strong identity strength level.
Netluma IT configures MFA across all accounts as part of managed IT onboarding for SE Queensland businesses. Call 1300 521 162 to get started.