A password alone is no longer an adequate defence for any account that matters. Passwords get stolen through phishing, leaked in data breaches, guessed by automated tools, or reused across multiple services until one weak link exposes everything. Multi-factor authentication (MFA) addresses all of these weaknesses at once, and the evidence for its effectiveness is clear: Microsoft’s own research found that MFA blocks over 99.9% of automated account attacks. If there’s one security measure a small business should implement this week, this is it.

What MFA Is and How It Works

Multi-factor authentication requires users to verify their identity using two or more of the following:

  • Something you know — a password or PIN
  • Something you have — a phone, hardware key, or authentication device
  • Something you are — a fingerprint or face scan

The principle is simple: even if an attacker obtains your password, they cannot access your account without also having your phone or hardware key. The two factors are held separately, so an attacker must compromise both, which makes the attack substantially harder to complete.

Why Passwords Alone Fail

The scale of credential compromise is difficult to overstate. There are billions of stolen username and password combinations freely available on the dark web, accumulated from years of data breaches at major services. Automated tools can try these combinations against new targets at speed — a technique called credential stuffing. If any of your staff reuse passwords across personal and professional accounts (and many do, despite best intentions), they are exposed.

Phishing campaigns frequently target credentials directly. An employee who enters their password on a convincing fake login page has handed that password directly to an attacker. Without MFA, that’s game over. With MFA, the attacker has something that’s only half useful.

Types of MFA: Pros and Cons

SMS-based MFA sends a one-time code to your mobile number. It’s easy to set up and widely understood, which makes it a reasonable starting point. The limitation is that phone numbers can be hijacked through a technique called SIM swapping, and SMS codes can be intercepted or phished. For most small business accounts, SMS MFA is significantly better than no MFA — but it’s not the gold standard.

Authenticator apps (such as Microsoft Authenticator, Google Authenticator, or Authy) generate time-limited codes that refresh every 30 seconds. They don’t rely on your mobile network, they work offline, and they’re resistant to SIM-swapping attacks. This is the recommended approach for most business accounts and represents a good balance between security and convenience.

Hardware security keys (such as YubiKey) are physical devices that plug into a USB port or tap against a phone to authenticate. They provide the highest level of protection and are essentially immune to phishing: the key signs a challenge that is tied to the genuine website's address, so a fake website cannot capture a hardware key's output in a useful way. They're the right choice for high-value accounts, administrators, or anyone who handles particularly sensitive data.

How to Roll It Out

Start with your most critical accounts. Email is the highest priority — an attacker who controls your email can reset the password to almost every other service you use. Cloud storage (OneDrive, Google Drive, Dropbox) often contains sensitive documents and should be protected immediately. Banking and payment platforms are obvious targets. Your domain registrar and web hosting are often overlooked but provide significant leverage to an attacker.

Once critical accounts are protected, extend MFA to all staff accounts systematically. Most cloud platforms — Microsoft 365, Google Workspace, and others — allow administrators to enforce MFA organisation-wide, so that it cannot be bypassed or turned off by individual users.

Communicate the change clearly before rolling it out. Explain why it matters, show staff how to set up an authenticator app, and make the process straightforward. A brief one-page guide or a 10-minute walkthrough goes a long way towards reducing friction.

Common Objections — Answered

“It slows us down.” Most MFA implementations add around 10–15 seconds to a login. Modern systems support features like “trusted devices”, where users are only prompted for the second factor periodically rather than every single login. The inconvenience is real but minor.

“My staff won’t do it.” If MFA is optional, take-up will be inconsistent. Enforce it at the administrator level. Once staff have set it up and used it a few times, it becomes habitual.

“We’ve never had an issue before.” Account compromise often goes unnoticed. Attackers routinely access accounts quietly — reading emails, gathering intelligence, waiting for the right moment — before taking visible action. Absence of a detected incident is not the same as absence of a problem.

MFA is one of the simplest, highest-return security measures available. DreamThieves can identify which accounts need it most urgently and get it configured correctly for you.

Visit www.dreamthieves.uk.
DreamThieves Team

A specialist from the DreamThieves cyber security team.