TL;DR:

  • MFA blocks 99.9% of automated account attacks — it’s the single most impactful security step you can take
  • Use an authenticator app rather than SMS codes wherever possible
  • Protect email and banking first, then work outward to every other business account

Multi-factor authentication (MFA) means logging in with two things: something you know (your password) and something you have (your phone). Even if your password is stolen in a data breach, an attacker can’t get in without the second factor. Microsoft’s research across hundreds of millions of accounts shows MFA blocks 99.9% of automated attacks. For a 30-minute setup, that’s an extraordinary return.

Why password-only accounts are an open door

Every major data breach — LinkedIn, Adobe, Dropbox — releases hundreds of millions of username-and-password combinations onto the dark web. Attackers run automated tools that test stolen credentials across thousands of websites simultaneously. This is called credential stuffing, and it works because most people reuse passwords.

Your business email password might be the same one that leaked from a site you signed up to years ago. Without MFA, that’s all an attacker needs to reset your other accounts, read your email, and potentially access your banking. The NCSC has made MFA one of its core recommendations for UK small businesses for exactly this reason.

A password manager solves the reuse problem. MFA solves the breach problem. You want both.

Types of MFA: SMS, apps, and hardware keys

SMS text message codes are the most common form of MFA and the weakest. They’re far better than nothing, but codes sent by text can be intercepted through SIM-swapping attacks — where a fraudster convinces your mobile carrier to transfer your number. For banking and critical accounts, move beyond SMS if you can.

Authenticator apps generate a 6-digit code on your phone that refreshes every 30 seconds. The code is computed locally from a secret that was shared with the service when you scanned the setup QR code; that secret never travels over the network, so there is no message in transit to intercept the way there is with a text message. This is the right default for most small business accounts.

Hardware security keys (like a YubiKey) are physical devices that plug into a USB port or tap against your phone. They’re the most phishing-resistant option and are worth considering for your highest-risk accounts — primarily email and anything with financial access.

Which app should you use? Google Authenticator is simple, free, and works everywhere. It now supports account backup to your Google account. Microsoft Authenticator is a better choice for Microsoft 365 users and supports push notifications instead of manual code entry. Authy adds encrypted cloud backup and works across multiple devices — good if you’re worried about losing access when you change phones. All three are free. Pick one and use it consistently across your team.

Which accounts to protect first

Not all accounts carry equal risk. Prioritise in this order:

Business email is the master key. Whoever controls your inbox can reset passwords for every other account. Google Workspace and Microsoft 365 both have straightforward MFA setup in their admin consoles. Do this today — before you read any further.

Banking and payment processors come next. Your bank almost certainly supports MFA; check under security settings. Payment processors like Stripe, Square, and SumUp all support authenticator apps.

Accounting software — Xero, QuickBooks, FreshBooks, Sage — all support MFA. Your accounts system holds payment details for clients and suppliers.

Cloud storage and file sharing — Google Drive, Dropbox, OneDrive, SharePoint. These often hold contracts, employee records, and financial documents.

Domain registrar and web hosting — an attacker who controls your domain can redirect your website and intercept your email. GoDaddy, Namecheap, Cloudflare, and similar registrars all support MFA.

After those, work through everything else over a week — CRM, project management, HR software, social media accounts.

Setting up MFA: a quick walkthrough

Google Workspace: Admin console → Security → 2-step verification → Enforce for your organisation

Microsoft 365: Admin centre → Users → Active users → Multi-factor authentication → Select users → Enable

For individual accounts, look for “Security” or “Account settings” → “Two-factor authentication” or “Authenticator app”. The service will then show a QR code on screen: open your authenticator app, tap the “+” button, select “Scan QR code”, and point your camera at the screen.

Save your backup codes. Every service generates one-time backup codes when you enable MFA. Print them and store them securely — they’re your lifeline if you lose your phone.

Rolling MFA out across your team

The hardest part of MFA isn’t the technology — it’s the change management. Fair enough.

Give a week’s notice before enforcing MFA so employees can set it up on their own schedule. Hold a 15-minute walkthrough over a video call to do it together — it removes the intimidation factor considerably. Make sure you have a way to help team members back in if they get locked out. And use your email platform’s enforcement tool — Google Workspace and Microsoft 365 both let you mandate MFA for all users, which removes the opt-out problem entirely.

Bottom line

MFA on your business email takes under 30 minutes to set up and eliminates the most common attack path into your business. Start with email, then banking, then work outward. Use an authenticator app rather than SMS wherever you have the choice, and require MFA for every person in your organisation — not just yourself.