Multi-Factor Authentication for Small Business: Setup, Best Practices, and the Methods to Avoid

Compromised credentials are how small businesses get breached. Not zero-day exploits, not advanced persistent threats — stolen passwords. According to Verizon’s 2024 Data Breach Investigations Report, the human element is involved in 68% of breaches, and stolen credentials remain one of the top initial access vectors year after year. An attacker doesn’t need to hack anything. They buy your password from a credential dump, type it into your Microsoft 365 login, and they’re in your email, your SharePoint, your stored files, and everything connected to that identity.

Multi-factor authentication is the single control that breaks this chain. Username and password alone is one factor — something you know. MFA adds a second factor — something you have, like a phone or a hardware key — so a stolen password by itself isn’t enough to get in. Microsoft has published data showing MFA blocks 99.9% of automated account compromise attempts. That’s not a marketing number; it’s the gap between “your password is on the dark web and that’s a problem” and “your password is on the dark web and nothing happens.”

So turn it on. That’s the easy answer, and it’s the answer most coverage stops at. The harder answer — the one that matters if you actually want the protection — is that not all MFA works equally well. The method you choose, where you enforce it, and how you handle the exceptions determine whether MFA is genuinely stopping attackers or just making you feel safer while leaving the door cracked open.

How MFA Actually Works

When you log into a system with MFA enabled, the password check happens the way it always has. After that succeeds, the system pauses and demands a second proof that you are who you claim to be. Until that second proof arrives, the login doesn’t complete and no session is created. That pause is the entire point. An attacker with your password sits at the pause indefinitely because they can’t produce the second factor.

The second factor takes one of several forms. A six-digit code generated by an app on your phone. A push notification you tap to approve. A code texted to you. A physical security key you plug into a USB port and touch. A fingerprint or face scan on your device. Each of these is a different mechanism with different strengths and different ways of being defeated.

The thing they have in common — the reason MFA works at all — is that the second factor is bound to something an attacker on the other side of the internet doesn’t have. They have your password. They don’t have your phone, your authenticator app, or your hardware key. That’s the wall.

Whether the wall holds depends entirely on how high you build it.

The Spectrum: Strong MFA, Weak MFA, and Why the Difference Matters

On the strong end of the spectrum are hardware security keys (YubiKey is the best-known brand) and passkeys, which use the FIDO2 standard. These work through cryptographic challenge-response. When you authenticate, your device and the website exchange a cryptographic proof that’s tied to the actual domain you’re logging into. If you’re on a fake login page, the cryptography refuses to complete. The phishing site can’t relay the credential because the credential is mathematically bound to the real site’s domain. This is what “phishing-resistant” means — the method physically cannot be tricked into authenticating to the wrong place.

One step down are authenticator apps — Microsoft Authenticator, Google Authenticator, Authy, Duo. These generate a rotating six-digit code every 30 seconds, or they send a push notification to your phone that you approve or deny. The code or approval is bound to your device, which is much harder to steal remotely than a password. These are good. They stop almost every automated attack and most opportunistic credential abuse.

At the bottom of the spectrum is SMS — text-message codes sent to your phone. SMS-based MFA is better than no MFA. It’s also defeatable by attacks that are cheap, documented, and increasingly common.

Why SMS Codes Aren’t Enough Anymore

Two specific attacks defeat SMS-based MFA.

The first is SIM swapping. An attacker calls your mobile carrier, impersonates you using personal information they’ve gathered (often from data breaches or social media), and convinces the carrier to port your phone number to a SIM card they control. Within minutes, every text message intended for you — including your MFA codes — goes to the attacker’s device. Your phone stops working; theirs starts receiving your authentication codes. The FBI’s Internet Crime Complaint Center has been tracking SIM swap fraud for years; a 2022 public service announcement reported $68 million in SIM swapping losses in 2021 alone, more than triple the prior three years combined.

The second is exploitation of SS7, the aging signaling protocol that telecom networks use to route calls and text messages. SS7 was designed in the 1970s with no real authentication between carriers. Attackers with access to the network — and there’s a thriving market for that access — can intercept text messages in transit without ever touching your phone or your account. CISA’s mobile communications guidance warns explicitly: “Do not use SMS as a second factor for authentication. SMS messages are not encrypted—a threat actor with access to a telecommunication provider’s network who intercepts these messages can read them.”

You might never be SIM-swapped. The point isn’t that every business owner is being targeted by sophisticated attackers — it’s that SMS is the only common MFA method where the attacker doesn’t need anything on your device. They need your phone number and a willingness to commit fraud, both of which are abundantly available.

There’s also a subtler problem with SMS, push approvals, and even authenticator app codes: they can be phished. An attacker sets up a convincing fake Microsoft 365 login page. You enter your password. The fake page passes it through to the real Microsoft login in real time. Microsoft sends your MFA code to your phone. You type it into the fake page. The attacker captures it and types it into the real Microsoft login within the 30-second window. They’re in. The tooling for this is called an adversary-in-the-middle phishing kit, and such kits are commercially available and widely deployed. Authenticator apps stop automated attacks. They do not stop a human attacker running a phishing campaign with the right tooling.

Hardware keys and passkeys stop both. That’s the entire reason they exist.
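To make the domain binding concrete, here is an added example (not code from the original article or from any vendor named in it): a reduced WebAuthn-style assertion check in Go, run once for a genuine login and once for the relayed-phishing flow described above. The relying party ID, origins, challenge and key pair are constructed, and the real protocol’s full authenticatorData, signature counter and attestation are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// ClientData mirrors WebAuthn's CollectedClientData; the browser, not page script, fills in Origin.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedBytes reduces WebAuthn's authenticatorData || clientDataHash to SHA-256(rpID) || SHA-256(clientDataJSON).
func signedBytes(rpID string, cdj []byte) []byte {
	rp, cd := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdj)
	return append(rp[:], cd[:]...)
}

// AuthenticatorSign models the security key: it signs whatever client data the browser hands it.
func AuthenticatorSign(priv ed25519.PrivateKey, rpID string, cd ClientData) (cdj, sig []byte) {
	cdj, _ = json.Marshal(cd)
	return cdj, ed25519.Sign(priv, signedBytes(rpID, cdj))
}
// VerifyAssertion is the relying party's check; a relayed login fails on origin even with a valid signature.
func VerifyAssertion(pub ed25519.PublicKey, rpID, origin, challenge string, cdj, sig []byte) bool {
	var cd ClientData
	if json.Unmarshal(cdj, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Challenge != challenge || cd.Origin != origin {
		return false
	}
	return ed25519.Verify(pub, signedBytes(rpID, cdj), sig)
}

// Demo runs a genuine login and the relayed-phishing flow (constructed values) and returns both verdicts.
func Demo() (genuine, relayed bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	const rpID, origin, chal = "example.com", "https://login.example.com", "server-nonce-1"
	cdj, sig := AuthenticatorSign(priv, rpID, ClientData{"webauthn.get", chal, origin})
	genuine = VerifyAssertion(pub, rpID, origin, chal, cdj, sig)
	// Relay: the real challenge is forwarded, but the victim's browser records the look-alike origin it is on.
	cdj, sig = AuthenticatorSign(priv, rpID, ClientData{"webauthn.get", chal, "https://login-example.com"})
	relayed = VerifyAssertion(pub, rpID, origin, chal, cdj, sig)
	return genuine, relayed
}
func main() { g, r := Demo(); fmt.Println("genuine accepted:", g, "relayed accepted:", r) }
```

In a real browser the phishing page could not even invoke the credential for `example.com`, because the browser derives the relying party ID from the origin it is on; the check above is the server-side backstop that holds even if a relayed assertion arrives.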

Where to Turn MFA On First

You probably don’t have time to roll MFA out everywhere at once, and you don’t need to. Some accounts are far more damaging to lose than others. Start with the ones that, if compromised, give an attacker access to everything else.

Email and productivity platforms. Microsoft 365 and Google Workspace are the top priority. Your email account is where password resets go for every other system you use. If an attacker controls your email, they control your banking, your vendor portals, your social media, and anywhere else “forgot password” is an option. Microsoft 365 and Google Workspace both support authenticator apps and hardware keys natively. Turn it on for every user, including the owner and any administrator accounts. Especially administrator accounts — admin compromise is how attackers escalate from one inbox to your entire tenant.

Remote access and VPN. Anything that lets someone log in from outside your office network — VPN, remote desktop, RMM tools — needs MFA without exception. These are the systems attackers look for after harvesting credentials.

Banking and financial accounts. Business banking, payroll services, accounting software with payment capability. Use the strongest MFA your bank supports. If your bank only offers SMS, push them to add authenticator app support or consider whether the relationship is worth the risk.

Password managers. If you use a business password manager — and you should — its master account is the master key to everything else. Use a hardware key here if you can. The whole point of the password manager is to be the strongest link in the chain. If you haven’t rolled one out yet, see our guide on deploying a password manager to a small team without the chaos.

After those four categories, work outward to line-of-business applications, vendor portals, social media accounts associated with the business, and any cloud service holding client data. Anywhere a stolen credential could damage your business or your clients gets MFA.

The Implementation Mistakes That Undo Everything

Turning MFA on isn’t the same as having MFA. A handful of common mistakes leave businesses thinking they’re protected when they’re not.

Leaving recovery channels unprotected. Many systems let users recover access by answering security questions, receiving a code at a backup email, or calling support. If an attacker can take over the recovery path, the MFA on the front door doesn’t matter. Lock down recovery options. Use a backup email account that itself has strong MFA. Be deeply skeptical of any system where a phone call to support bypasses MFA.

Optional enrollment. Some businesses “encourage” employees to enroll in MFA but don’t enforce it. The result is that the people most likely to fall for a phishing attack — the ones least security-conscious — are also the ones who skipped enrollment. Your attack surface is the weakest account. One employee on password-only login is the door the attacker walks through. MFA needs to be mandatory and enforced at the policy level, not requested.

Exempting the owner or executives. Senior people complain about MFA friction more than anyone else, and they often have the broadest access to financial and client data. They are the highest-value targets. Exempting them isn’t a courtesy; it’s the breach waiting to happen.

Treating MFA as set-and-forget. People leave the company. Devices get replaced. Phone numbers change. New systems get adopted. MFA enrollment drifts out of sync with reality unless someone is maintaining it. A former employee whose MFA is still tied to their personal phone is a problem. A new system added to the stack with no MFA enabled is a problem. This is operational hygiene, not a project.

Using SMS as the only option. Even when stronger methods are available, businesses default to SMS because it’s familiar and doesn’t require installing anything. The result is MFA that stops opportunistic password reuse but fails against any motivated attacker. If you’ve already done the work of rolling out MFA, use a method that actually holds.

“I Already Have MFA” — The Honest Self-Check

If you’re reading this thinking your business already has MFA covered, run through these questions before moving on.

  • Is MFA enforced for every user in your Microsoft 365 or Google Workspace tenant, including the owner and any administrator accounts?
  • What method is each user enrolled with? If you don’t know, the answer for most users is probably SMS.
  • Do you have MFA on your VPN, your remote desktop tools, and your RMM software?
  • What happens if a user loses their phone? Is the recovery path itself protected, or is it a soft spot?
  • When was the last time someone audited who’s enrolled, what method they’re using, and whether former employees are fully de-provisioned?
  • Do your business banking, your payroll service, and your password manager all have MFA — and what method?

If you can answer all of those with confidence, your MFA posture is in good shape and you should focus your security attention elsewhere. If you can’t, you have gaps — and the gaps are probably where you assumed someone else had already handled it.

Where a Managed IT Partner Comes In

MFA is a high-leverage control, but the leverage only shows up when it’s deployed consistently across every system, every user, and every change to the business over time. That’s not difficult work — it’s continuous work, and it’s the kind of operational discipline that small businesses rarely have the bandwidth to maintain alongside running the business itself.

ForeverOn handles MFA as part of managed IT services for small businesses across Hagerstown, Frederick, and the surrounding Maryland communities. That means choosing the right methods for each system, enrolling every user, locking down recovery paths, integrating MFA with conditional access policies in Microsoft 365, keeping enrollment current as people and devices change, and watching for the authentication anomalies that indicate someone is trying the door even with MFA in the way. It’s part of the broader cybersecurity services stack — endpoint protection, cloud monitoring, backups, security awareness training — rather than a one-time project that gets done and forgotten.

If you’re not sure where your MFA gaps are right now, that’s the place to start. ForeverOn offers a free security assessment that includes a review of how MFA is deployed across your environment — which accounts have it, which methods are in use, and where the exposures are. The assessment is free, there’s no obligation, and you’ll walk away knowing exactly where you stand. Call (301) 739-7311 and a real person will answer — no phone tree, no menu — or schedule directly through the assessment page. The goal is for you to know what you’re working with, whether or not we end up working together.
