10 March 2026 · 4 min read
MFA: why your business needs it, and how to roll it out without a staff revolt
To break into a small business account in 2026 you rarely need to hack anything - you just log in, using a password that leaked somewhere else years ago. Multi-factor authentication is the lock that stops that from working.
So what is MFA, exactly?
MFA means proving who you are with two things instead of one. The first is something you know - your password. The second is something you have - usually a code from an app on your phone, or a prompt you tap to approve.
The point is simple. If someone in another country buys your password off the internet (and stolen passwords are bought and sold in bulk), it is useless to them on its own. They would also need the phone sitting in your pocket. That second step is what shuts them out.
Why is this the single best thing you can do?
You can spend a lot of money on security. Most of it matters far less than this one step.
The vast majority of account takeovers start with a stolen or guessed password. Turn on MFA and you block almost all of them, even when the password has already leaked. No other single change comes close for the money.
There is a business reason too. Cyber insurers now ask whether you have MFA before they will cover you - and some will decline a claim if you said yes and hadn't actually turned it on. The Australian government's Essential Eight, the baseline more and more contracts and grants expect, lists MFA as a core control. This is quietly becoming the price of doing business.
But won't the staff hate it?
Some will grumble at first. The complaints are always the same, and they are all answerable.
"It slows me down." On a device you use every day, you tick "trust this device" and you are rarely asked again - often only once every couple of weeks, or when something looks unusual.
"I don't want work apps on my phone." Fair. An authenticator app is tiny, does not track anything, and does not give the business access to their phone. If someone genuinely refuses, a small physical key or a separate code device solves it.
"Why are we doing this?" This is the real one. People accept a small hassle when they understand it protects their pay, their customers, and their own logins. Explain the why before you flip the switch, not after.
How do you roll it out without a revolt?
Do not turn it on for everyone overnight. Phase it in and start where the risk is highest.
- Start with the crown jewels - email and admin accounts. A hijacked email account is how most fraud starts, because it can reset everything else.
- Use an authenticator app, not text messages. SMS codes can be intercepted or redirected, and mobile reception in some Brisbane offices is patchy anyway. A tap-to-approve app is faster and safer.
- Set up trusted devices so day-to-day logins on known laptops and phones stay quick.
- Roll it out one team at a time. Get the first group comfortable, then use them to reassure the next.
- Tell people first. A two-line message - what is changing, when, and why - heads off most of the pushback.
- Have a plan for lost phones. Decide in advance who someone calls when they get a new phone or leave theirs at home, so nobody is locked out of their work.
Done this way, MFA lands as a minor change to the morning routine rather than a fight.
Where does Microsoft 365 fit in?
If your business runs on Microsoft 365 - email, Teams, SharePoint, the Office apps - the good news is MFA is already built in. There is nothing extra to buy. It is a matter of switching on the right settings, applying them sensibly so people are not prompted every five minutes, and making sure the admin accounts are locked down hardest of all.
That last point matters. The account that manages everyone else's access is the one an attacker wants most, so it is the one that should never be protected by a password alone.
Your move
If you do exactly one thing off the back of this, make it MFA on email - today, starting with whoever has admin rights. Everything else can follow at a civilised pace.
Not sure whether it's already on, or on properly? The free scan will tell you either way.
Want me to check your domain?
Free health check, plain-English action list, yours to keep.