Local Business

Multi-factor authentication for small business: the twenty-minute setup that stops most account takeovers

Passwords alone stopped being enough years ago. Here is what MFA is, why app-based codes beat SMS, how to roll it out to a small team, and the excuses that keep businesses exposed.

18 juillet 2026 8 min de lecture securitysmall businessMFAMicrosoft 365authentication

Someone emails your bookkeeper a link that looks like the Microsoft 365 sign-in page. They type their password. Nothing seems to happen, so they move on. What happened is that their password is now in a spreadsheet on the other side of the world, and a stranger is reading the company inbox. This is not a rare, sophisticated attack. It is the most common way small businesses get breached, and a password is the only thing standing in the way.

Multi-factor authentication closes that door. It is the single highest-value security change most small businesses can make, it costs nothing beyond a little setup time, and it typically takes about twenty minutes to turn on across a small team. Here is what it is and how to do it properly.

Why passwords alone fail

A password is a single secret. If an attacker learns it — through a phishing page, a reused password leaked from some other breached service, or malware on a home laptop — they have everything. And people reuse passwords constantly, because remembering a unique strong one for forty services is genuinely hard. So the password your employee uses for the company email is often the same one they used for a hobby forum that got breached in 2021.

Attackers know this. They buy lists of leaked email-and-password pairs and try them automatically against Microsoft 365, Google Workspace, and every banking and accounting login they can find. This is called credential stuffing, and it runs day and night against everyone, including businesses far too small to think of themselves as a target. Being small is not cover. It is a reason to be an easier target.

Multi-factor authentication breaks this whole model. Even with the correct password, the attacker is stopped at a second step they cannot complete from their side of the world.

What MFA actually is

The idea is old and simple: prove who you are with more than one kind of evidence. Something you know — your password. And something you have — your phone, or a small physical key. An attacker might steal the thing you know, but they are not holding the thing you have.

In practice that second factor is one of three things, and they are not equally strong.

SMS text codes. The service texts a six-digit code to your phone. Better than nothing, and far better than no MFA at all — but the weakest of the three. Codes can be phished on a fake login page in real time, and phone numbers can be hijacked through SIM-swap fraud, where an attacker convinces your carrier to move your number to their device. Use SMS only where nothing better is offered.

Authenticator apps. An app on your phone — Microsoft Authenticator, Google Authenticator, or similar — generates a rotating code, or shows an approve/deny prompt when you sign in. Nothing is texted, so there is nothing to intercept and no phone number to hijack. This is the sweet spot for most small businesses: free, strong, and already on a phone everyone carries.

Hardware security keys. A small physical device — a YubiKey is the common example — that you tap or plug in. These use a standard called FIDO2 that is resistant even to real-time phishing, because the key checks the actual website address before it responds. This is the strongest option, and worth it for the accounts that matter most: the IT administrator, the finance approver, the owner. A key costs roughly forty to a hundred Canadian dollars depending on the model, and you want two per person so a lost one does not lock anyone out.

A reasonable pattern for a small team: authenticator apps for everyone, hardware keys for the two or three accounts that could do the most damage if taken over.

Rolling it out to a small team

You do not need a project plan. You need an afternoon and a short checklist.

  • Start with the administrator accounts. The account that manages your Microsoft 365 or Google Workspace is the keys to the building. Protect it first, ideally with a hardware key.
  • Turn on MFA at the platform level. In Microsoft 365 and Google Workspace you can require MFA for everyone from the admin console rather than hoping each person opts in. Requiring it is the whole point; optional security is the security you do not have.
  • Walk each person through enrolment once. Sit with them, or share your screen, while they install the authenticator app and scan the setup code. Ten minutes each, done once, and it is over.
  • Save the recovery codes. Every service gives you a set of one-time backup codes for when a phone is lost. Store them somewhere safe and offline — not in the same inbox they protect.
  • Do not forget the shared and service accounts. The generic info@ mailbox, the accounting login, the domain registrar. These are often the least protected and the most valuable.

Then keep going beyond email. Your accounting software, your banking, your domain registrar, your payment processor — anywhere a takeover would hurt, turn on MFA. Email and the domain registrar first, because whoever controls those can reset the passwords on everything else.

The excuses you will hear

Every rollout meets the same objections. They all have answers.

“It slows people down.” By a few seconds, and usually only on a new device, because most services remember a trusted machine for a while. Weigh those seconds against the days of ruin a takeover causes.

“We are too small to be targeted.” The attacks are automated. Nobody chose you; a script found your login and tried a leaked password. Small businesses are targeted precisely because they tend to skip this step.

“What if someone loses their phone?” That is what recovery codes and a second enrolled factor are for. Set them up once and a lost phone is a minor inconvenience, not a lockout.

“We will get to it later.” This is the expensive one. MFA is cheap and fast before an incident and irrelevant after — by then the money has already left the account.

Where this fits

MFA is the floor, not the ceiling. It stops the most common attack, but it works best alongside managed devices, current patching, and a team that can spot a phishing email. If turning this on across your business, your shared accounts, and your vendors sounds like more than an afternoon you can spare, that coordination is a large part of what a managed device practice handles day to day — enforced, documented, and checked rather than left to good intentions.

If you are not sure where your gaps are, a business tech checkup is a straightforward way to find out what is exposed. And if you are hitting more of these do-it-yourself limits than just this one, it may be one of the signs you have outgrown do-it-yourself IT.

Send us two paragraphs about how your team signs in today, and we will reply in writing within one business day.

— Infolettre

Recevez nos écrits par courriel.

Une note occasionnelle de l’équipe — études de cas, nouveaux outils gratuits, essais d’ingénierie. Jamais quotidienne.

Trois champs, aucun suivi. Politique de confidentialité.