If you do one thing to improve your business's cybersecurity this year, make it multi-factor authentication. The Australian Cyber Security Centre estimates that MFA alone prevents over 99% of automated account takeover attacks, yet a significant proportion of Australian SMBs still haven't fully deployed it.
This guide explains what MFA is, why it matters, and exactly how to enable it on the systems your business relies on most.
What Is Multi-Factor Authentication?
Multi-factor authentication requires a user to verify their identity using two or more independent factors before being granted access. The three categories of factors are:
- Something you know: a password or PIN
- Something you have: a phone, hardware token, or smart card
- Something you are: fingerprint or face recognition
A standard login uses only one factor (your password). MFA requires at least two. So even if an attacker has your password, whether through a data breach, phishing, or guessing, they still cannot access your account without the second factor.
Why passwords alone aren't enough: Billions of username-and-password combinations from past data breaches are freely available to attackers. Automated tools test these credentials against Microsoft 365, Google Workspace, and other services continuously. If your staff reuse passwords across sites, it is close to certain that at least one of their work logins already appears in those lists. With MFA enforced, a stolen password is no longer enough on its own.
MFA Methods: What to Use and What to Avoid
Not all MFA methods offer equal protection. Here's how the common options compare:
| Method | Security Level | Notes |
|---|---|---|
| Authenticator app (TOTP) | High | Best balance of security and usability. Microsoft Authenticator or Google Authenticator. Recommended for most businesses. A fake login page that relays the code in real time can still capture it. |
| Push notification (app) | High | Slightly more convenient than TOTP. Enable "number matching" to prevent MFA fatigue attacks. Same real-time phishing caveat as TOTP. |
| Hardware security key (FIDO2) | Highest | Phishing-resistant: the key only answers for the genuine site it was registered with. Best for privileged accounts, executives, and finance. Requires a physical key (e.g. YubiKey). |
| SMS one-time code | Medium | Better than nothing, but vulnerable to SIM-swapping and to relayed phishing. Avoid for admin accounts or any account with financial access. |
| Email one-time code | Low to Medium | Only as secure as the email account itself. Not recommended. |
For most Australian SMBs, the right answer is authenticator app push notifications with number matching enabled. It's secure, familiar, and takes under 30 seconds to approve a login. Keep in mind that neither push nor TOTP is phishing-resistant: a convincing fake sign-in page can trigger the push or relay the code while the user is still looking at it. For the few accounts where that risk is unacceptable (global administrators, banking and payroll logins), use FIDO2 security keys.
How to Enable MFA on Microsoft 365
Microsoft 365 is the primary target for credential attacks against Australian businesses. Enabling MFA here is the highest priority.
Option 1: Security Defaults (simplest, recommended for most SMBs)
- Sign in to the Microsoft Entra admin centre (entra.microsoft.com) as a Global Administrator.
- Go to Overview > Properties.
- Click Manage Security Defaults.
- Set Security Defaults to Enabled and save.
This prompts every user to register for MFA (they have 14 days to enrol before registration becomes mandatory), requires MFA for all administrator accounts and for ordinary users whenever the sign-in looks risky or comes from a new device, and blocks legacy authentication protocols. It takes about 2 minutes to set up and covers the majority of SMB needs.
Option 2: Conditional Access Policies (Microsoft 365 Business Premium or higher)
For businesses with more complex needs, such as remote workers, shared devices, or specific app requirements, Conditional Access lets you define exactly when MFA is required (e.g. always, or only when signing in from outside your office network). This requires a Business Premium or Microsoft Entra ID P1 (formerly Azure AD P1) licence and is best configured with IT support. Note that Security Defaults and Conditional Access cannot both be on: you turn Security Defaults off when you move to Conditional Access policies, so make sure the policies enforce MFA for everyone and block legacy auth before you do.
Rolling out to staff
Once Security Defaults are enabled, staff will be prompted to set up MFA at their next sign-in and can postpone for up to 14 days before it becomes mandatory. Direct them to install the Microsoft Authenticator app before you turn it on. Give 24 to 48 hours' notice so no one is caught out during a critical work period, and check the registration report before the 14 days are up so you can chase anyone who has been skipping the prompt.
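The Security Defaults steps above, scripted with the Microsoft Graph PowerShell SDK and followed by the coverage check you want before and after the rollout. This is an added example, not code from the original article; it assumes the Microsoft.Graph module is installed (Install-Module Microsoft.Graph), the signed-in account is a Global Administrator, and the output file name is arbitrary. The list of methods it counts as "strong" reflects the method names used by the Graph user registration report; confirm it against current Graph documentation before relying on it.

```powershell
# Added example (not from the original article): enable Security Defaults via
# Microsoft Graph, then report who is and is not covered by MFA.
# Assumptions: Microsoft.Graph module installed, Global Administrator session.
Connect-MgGraph -Scopes @(
    "Policy.ReadWrite.ConditionalAccess",   # read/enable Security Defaults
    "AuditLog.Read.All",                    # user registration report
    "UserAuthenticationMethod.Read.All"
)

# Step 1: Security Defaults (same switch as Overview > Properties > Manage Security Defaults).
# This call fails if Conditional Access policies already exist; the two are mutually exclusive.
$policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($policy.IsEnabled) {
    Write-Host "Security Defaults already enabled."
} else {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
    Write-Host "Security Defaults enabled; users now have 14 days to register for MFA."
}

# Step 2: per-user registration details, the same data shown under
# Entra admin centre > Protection > Authentication methods > User registration details.
$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Methods the article rates High or Highest. Anything not in this list
# (mobilePhone, alternateMobilePhone, officePhone, email, ...) is phone- or
# email-based. Assumption: these are the methodsRegistered values Graph returns.
$strongMethods = @(
    'microsoftAuthenticatorPush', 'softwareOneTimePasscode', 'hardwareOneTimePasscode',
    'microsoftAuthenticatorPasswordless', 'fido2SecurityKey', 'passKeyDeviceBound',
    'windowsHelloForBusiness'
)

$notRegistered  = @($report | Where-Object { -not $_.IsMfaRegistered })
$adminsNoMfa    = @($notRegistered | Where-Object { $_.IsAdmin })        # "excluding admin accounts" mistake
$phoneOnly      = @($report | Where-Object {                             # "relying on SMS" mistake
    $_.IsMfaRegistered -and
    -not ($_.MethodsRegistered | Where-Object { $strongMethods -contains $_ })
})

Write-Host ("Users: {0}  Not registered: {1}  Admins without MFA: {2}  Phone/SMS-only: {3}" -f
    @($report).Count, $notRegistered.Count, $adminsNoMfa.Count, $phoneOnly.Count)

# Full coverage list for the rollout tracker; admins without MFA sort to the top.
$report |
    Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered, IsMfaCapable, DefaultMfaMethod,
                  @{ Name = 'Methods'; Expression = { $_.MethodsRegistered -join ';' } } |
    Sort-Object @{ Expression = 'IsAdmin'; Descending = $true }, IsMfaRegistered |
    Export-Csv -Path .\mfa-coverage.csv -NoTypeInformation

Disconnect-MgGraph
```

Run it once before you announce the rollout to get a baseline, and again at the end of the notice period: the admins-without-MFA count should be zero on day one, and the phone-only list is your queue for moving people onto the Authenticator app.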
How to Enable MFA on Google Workspace
- Sign in to the Google Admin Console (admin.google.com) as a Super Admin.
- Go to Security > Authentication > 2-step verification.
- Tick Allow users to turn on 2-step verification, then set Enforcement to On for all users (or specific organisational units).
- Set a grace period of 1β2 weeks for users to enrol before enforcement kicks in.
- Optionally restrict the allowed methods to exclude SMS: under Methods, choose "Any except verification codes via text, phone call" (which leaves Google prompt, authenticator app, and security keys) or "Only security key" for high-value organisational units.
Other Systems to Prioritise
Email accounts get the most attention, but MFA is equally important across:
- Your accounting software (MYOB, Xero, QuickBooks). Financial data is a primary target. All three support MFA; enable it immediately.
- Remote access tools: any VPN, Remote Desktop, or remote access platform. Exposed RDP without MFA is a direct path for ransomware.
- Password manager. Your password manager secures every other account. Protect it with the strongest MFA available (ideally a hardware key).
- Domain registrar and DNS host. An attacker who controls your domain can redirect email and websites. Enable MFA on your registrar account.
- Cloud backups. If an attacker can delete your backups, ransomware becomes catastrophic. Protect your backup console with MFA.
Not sure which of your accounts and systems are protected by MFA? We audit MFA coverage as part of our free security assessment for Sydney businesses.
Common Mistakes to Avoid
Enabling MFA but allowing legacy authentication
Older email clients (Outlook 2013, some shared printers and scanners) use "basic authentication" protocols that bypass MFA entirely. If you enable MFA but don't block legacy auth, attackers can still use stolen credentials through those pathways. Security Defaults in Microsoft 365 blocks legacy auth automatically. If you use Conditional Access, block legacy auth explicitly. Microsoft has also switched basic authentication off in Exchange Online for every protocol except SMTP AUTH, which can still be re-enabled per tenant or per mailbox for scanners and line-of-business apps; check that setting, because a mailbox with SMTP AUTH enabled accepts a bare username and password regardless of MFA.
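Two things a practitioner does here: find out who is still signing in with legacy protocols, then block them with a report-only Conditional Access policy before switching it to enforced. The script below is an added example, not from the original article, and assumes a Microsoft Entra ID P1 (Business Premium) tenant, the Microsoft.Graph module, a Global Administrator session, and that Security Defaults have been turned off in favour of Conditional Access. The break-glass object ID is a placeholder; substitute the object ID of your emergency-access account.

```powershell
# Added example (not from the original article): audit legacy-auth sign-ins,
# then create a report-only Conditional Access policy that blocks them.
# Assumptions: Entra ID P1, Microsoft.Graph module, Global Administrator session.
Connect-MgGraph -Scopes @("AuditLog.Read.All", "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All")

# 1. Who still uses legacy auth? Graph labels modern-auth clients "Browser" or
#    "Mobile Apps and Desktop clients". Every other clientAppUsed value
#    (IMAP4, POP3, Exchange ActiveSync, Authenticated SMTP, "Other clients", ...)
#    is a legacy protocol that cannot complete MFA.
$modern = @('Browser', 'Mobile Apps and Desktop clients')
$since  = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')
$legacySignIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $modern -notcontains $_.ClientAppUsed }

# One row per (user, protocol): this is the list of scanners, old Outlooks and
# mystery accounts you need to migrate or retire before enforcing the block.
$legacySignIns |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# 2. Block legacy auth, report-only first. "exchangeActiveSync" and "other" are
#    the two legacy client types in the Conditional Access schema; the policy
#    applies to all users and all apps, with one emergency-access exclusion.
$breakGlassId = '00000000-0000-0000-0000-000000000000'   # placeholder: emergency-access account object ID

$policyBody = @{
    displayName   = 'Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody
Write-Host "Created report-only policy $($created.Id); review 'Report-only' results in the sign-in logs."

# 3. Once the report-only results show nothing you still need, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State 'enabled'

Disconnect-MgGraph
```

Leave the policy in report-only mode for at least a week of normal business (including any month-end processes that use a scanner or an accounting integration), then switch it to enabled. Keep the break-glass exclusion, and protect that account with a hardware key and a monitored sign-in alert rather than with the policy.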
Not configuring number matching on push notifications
MFA fatigue attacks involve spamming a user with push notifications until they approve one out of frustration or confusion. Without number matching, where the user must enter a number displayed on the login screen into the authenticator app, these attacks can succeed. Microsoft now enforces number matching for all Microsoft Authenticator push notifications; if you use another MFA provider, turn on its equivalent. Number matching defeats fatigue attacks but not real-time phishing, where a fake login page simply shows the victim the number that the attacker's session was given.
Excluding admin accounts from MFA
Some businesses enable MFA for regular users but carve out exemptions for admin accounts to avoid friction. This is exactly backwards. Admin accounts have the most access and are the highest-value targets β they require the strongest MFA, not the weakest.
Relying on SMS for financial or admin accounts
SIM-swapping, where an attacker convinces a mobile carrier to transfer your phone number to a SIM they control, is a real and growing attack. For any account with access to money, payroll, or administrative systems, use an authenticator app or hardware key rather than SMS.
How Long Does It Take?
For a business of 10 to 30 users, a full MFA rollout across Microsoft 365 and Google Workspace typically takes:
- Configuration by IT: 30 to 60 minutes
- Staff enrolment: 5 to 10 minutes per person (they set up the app themselves)
- Total elapsed time: 1 to 2 days, plus a grace period for enrolment
It is not a large project. The businesses that delay MFA deployment almost always say the same thing afterwards: "I wish we'd done it sooner."
The Bottom Line
MFA is the highest-return security control available to any business. It is fast to deploy, low-friction for staff once set up, and it stops the vast majority of credential-based attacks cold. The ACSC includes it in the Essential Eight for a reason: it is not optional for any business that holds sensitive data or relies on cloud services.
If your Microsoft 365 or Google Workspace tenants don't have MFA enforced today, that is the single most important thing to fix this week.