
Why every small business needs MFA — and what happens without it

By Taylor Lockhart · 9 min read

MFA is the lock that does most of the work

Multi-factor authentication (MFA) makes someone prove they are who they say they are with more than a password. You give something you know (your password) plus something you have (a code from an app on your phone, a tap on a security key) or something you are (a fingerprint).

It matters more than most other security work a small business can do. Two facts are worth knowing up front.

First, about 65% of employees reuse passwords across accounts. That means every leaked password from another service — a forum, an old shopping site, a random newsletter from years ago — is a key the attacker tries next on Microsoft 365, the bank, and the CRM. The leaks happen constantly, and the password-reuse pattern means a breach at one service quietly becomes exposure at every other service the same person used.

Second, the U.S. Cybersecurity and Infrastructure Security Agency recommends every organization enable phishing-resistant MFA. Not "consider." Not "evaluate." Recommend. That's a federal recommendation pointed at your business specifically, regardless of size or industry.

Those two facts together explain why this post exists. The second factor is the lock: most attacks arrive with a password and nothing else, and that is where they stop.

What actually goes wrong without it

Three patterns account for most account takeovers at small businesses. None of them are exotic, and once you see how they work, the value of the second factor becomes obvious.

Credential stuffing — leaked passwords get reused everywhere

A website you used in 2019 had a breach. The attacker now has your email and your password from that site. They write a script that tries that email-and-password pair against every service worth trying: Microsoft 365, your business bank, your payroll provider, your CRM, your accounting software, your file storage.

Without MFA, the script gets in on whichever services share that password. The attacker doesn't have to guess anything. They're not breaking encryption. They're matching pairs that are already public on data-breach forums. With about 65% of people reusing passwords across accounts, the success rate is meaningful even when the original breach was small.

MFA breaks the chain at step two. The script has the password, but it cannot answer the prompt for a code on your phone. That attempt still shows in the sign-in log as a correct password that stalled at the MFA step, which is the signal to change that password: it is already in the attacker's hands.

Phishing — the email that looks legitimate enough

An email arrives that asks you to log in. Maybe to "review a shared file" or "verify your identity for a Microsoft policy update." The link goes to a page that looks correct — same logo, same color, same login form, sometimes even the same URL structure with a single character changed. You enter your email and password.

Without MFA, the attacker is in.

With MFA, the same login attempt prompts for a second factor — a code, a key, a tap. The attacker doesn't have your phone. They don't have your security key. The login fails.

This is where the type of MFA starts to matter. Some phishing kits in 2024–2025 (EvilProxy, Tycoon, Caffeine) are built to defeat weaker factors: the phishing page is a reverse proxy in front of the real site, so it relays the password and the one-time code or push approval in real time and keeps the session cookie the real site hands back. Phishing-resistant factors, passkeys and hardware security keys built on FIDO2, shut even those kits out, because the cryptographic challenge is bound to the legitimate site's domain: the browser records which site asked, and the key will not sign for a domain it was never registered to. The phishing site cannot complete the handshake even with the password in hand.

Business email compromise — what happens after the takeover

Once an attacker is inside someone's email — usually through one of the two patterns above — they read for two or three weeks before doing anything. They learn how invoices look at this company. They learn who pays them. They learn which customers send wires and roughly how often. They learn the tone of voice the owner uses with the bookkeeper.

Then, at the right moment, they send a message from inside the inbox: "Heads up — we changed bank accounts; please send the next wire to the new account." The email looks correct because it is correct. It came from the actual person's actual email account.

The FBI's Internet Crime Complaint Center tracked $2.77 billion in business email compromise (BEC) losses across 21,442 complaints in 2024. In that year's totals only investment fraud cost more, and that mostly hits individuals; for U.S. businesses, BEC is the most expensive cyber threat. None of it requires malware. It requires one inbox.

MFA on every mailbox makes the first step — getting in — far harder.

"We have MFA" — three reasons it might not be enough

This is the honest part. Most owners who say "we have MFA" are correct, partly. Here are the three reliable gaps an attacker looks for first.

Some accounts skipped the rollout

MFA is on for the people who set it up. The shared mailbox that nobody actually owns (info@, sales@, billing@) frequently doesn't have it. The service account that runs payroll integrations or syncs data between two systems often doesn't have it. The contractor's account from last year, still enabled, still able to sign in, doesn't have it.

Attackers look for those exact accounts. Less attention from the team, more surface area to try, and the same access to the data.

Legacy authentication is still on

Microsoft 365 and similar email systems support older sign-in protocols that use basic authentication, a username and password sent with every request: IMAP, POP3, SMTP AUTH, Exchange ActiveSync. Those protocols have no way to carry a second factor. If they are still enabled for the tenant or for individual mailboxes, an attacker with the password signs in through them and skips MFA entirely. It's a side door, and the front-door MFA prompt never sees the attempt.

Microsoft turned basic authentication off in Exchange Online for all tenants from October 2022, but SMTP AUTH was excluded from that change and can still be enabled per mailbox, typically for an old scanner, phone or accounting integration. A Conditional Access policy is also the only control that blocks legacy clients across every workload rather than just Exchange. The fix is a tenant-level policy change: a Conditional Access policy that blocks legacy authentication clients (or security defaults, which do the same), plus disabling SMTP AUTH on mailboxes that don't need it. One policy, no software, no downtime.
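Before switching a legacy-auth block on, you want to know who still uses those protocols. The following added example (not code from the original post) reads a sign-in log export, lists every account that signed in over a legacy protocol, and builds the Conditional Access policy body that blocks them in report-only mode. The log records are constructed with the sign-in log's real field names; the accounts, addresses and policy name are invented.

```python
"""Inventory of legacy-protocol sign-ins from an Entra ID sign-in log export, plus the
Conditional Access policy body that blocks them. Added example, not from the original
post. Records are constructed in the shape of the sign-in log JSON (userPrincipalName,
clientAppUsed, authenticationRequirement, status.errorCode); the accounts are made up."""
import json
from collections import defaultdict

# How Conditional Access buckets clientAppUsed: Exchange ActiveSync has its own client
# app type; every other legacy protocol falls under "other". Browser and modern
# app sign-ins are the only ones that can complete an MFA prompt.
MODERN = {"Browser", "Mobile Apps and Desktop clients"}
EAS = {"Exchange ActiveSync"}


def client_app_type(client_app_used: str) -> str:
    if client_app_used in MODERN:
        return "modern"
    return "exchangeActiveSync" if client_app_used in EAS else "other"


# Constructed sample: one record per line, as a script would write them out.
SAMPLE_LOG = """\
{"createdDateTime":"2025-03-03T08:12:04Z","userPrincipalName":"owner@example.com","clientAppUsed":"Browser","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0},"ipAddress":"203.0.113.10"}
{"createdDateTime":"2025-03-03T08:13:40Z","userPrincipalName":"billing@example.com","clientAppUsed":"IMAP4","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0},"ipAddress":"198.51.100.7"}
{"createdDateTime":"2025-03-03T02:55:11Z","userPrincipalName":"billing@example.com","clientAppUsed":"IMAP4","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126},"ipAddress":"192.0.2.44"}
{"createdDateTime":"2025-03-03T09:01:00Z","userPrincipalName":"scanner@example.com","clientAppUsed":"Authenticated SMTP","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0},"ipAddress":"198.51.100.7"}
{"createdDateTime":"2025-03-03T09:30:22Z","userPrincipalName":"sales@example.com","clientAppUsed":"Exchange ActiveSync","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0},"ipAddress":"198.51.100.9"}
{"createdDateTime":"2025-03-03T10:02:13Z","userPrincipalName":"owner@example.com","clientAppUsed":"Mobile Apps and Desktop clients","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0},"ipAddress":"203.0.113.10"}
"""


def load_records(text: str) -> list:
    """Accept either the portal's JSON array download or one record per line."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def legacy_auth_report(text: str) -> dict:
    """Per account: legacy protocols seen, successes and failures, and source addresses.
    Every success here was a password-only sign-in: these protocols cannot carry MFA."""
    report = defaultdict(lambda: {"protocols": set(), "successes": 0, "failures": 0, "ips": set()})
    for rec in load_records(text):
        if client_app_type(rec["clientAppUsed"]) == "modern":
            continue
        entry = report[rec["userPrincipalName"]]
        entry["protocols"].add(rec["clientAppUsed"])
        entry["ips"].add(rec["ipAddress"])
        if rec["status"]["errorCode"] == 0:   # 0 = success; 50126 = wrong password
            entry["successes"] += 1
        else:
            entry["failures"] += 1
    return {upn: {**e, "protocols": sorted(e["protocols"]), "ips": sorted(e["ips"])}
            for upn, e in report.items()}


def block_legacy_auth_policy(break_glass_object_ids, report_only: bool = True) -> dict:
    """Graph API conditionalAccessPolicy body. Start in report-only mode, compare the
    policy's would-have-blocked sign-ins with the report above, then enable it."""
    return {
        "displayName": "Block legacy authentication",   # assumed name
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "clientAppTypes": ["exchangeActiveSync", "other"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_object_ids)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    print(json.dumps(legacy_auth_report(SAMPLE_LOG), indent=2))
    print(json.dumps(block_legacy_auth_policy(["<break-glass object id>"]), indent=2))
```

Export the log from the Entra admin center (Monitoring, Sign-in logs, Download as JSON) or with Get-MgAuditLogSignIn from the Microsoft Graph PowerShell module; create the policy with New-MgIdentityConditionalAccessPolicy -BodyParameter and leave it in report-only mode until the report above contains nothing you still need. For SMTP AUTH, Get-CASMailbox shows the per-mailbox SmtpClientAuthenticationDisabled flag, so the same pass can list mailboxes where it is still on.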

Not all MFA is equal

The factor type matters more than most owners are told. From weakest to strongest:

  • SMS codes are the weakest common factor. They can be intercepted via SIM swap (the attacker tricks the carrier into porting the number to a phone they control) or relayed in real time during phishing.
  • Push notifications without number matching ("approve this sign-in?") are stronger, but vulnerable to "MFA fatigue": the attacker triggers prompt after prompt at 2 a.m. until someone taps "Approve" just to make it stop.
  • Authenticator-app codes (Microsoft Authenticator, Google Authenticator, 1Password) and push with number matching, where the user must type the two-digit number shown on the sign-in screen, are stronger again: no SIM swap, and no way to approve a prompt you didn't start. A relay phishing kit can still pass the code or the number straight through, though.
  • Phishing-resistant MFA: hardware security keys (YubiKey, Titan) and passkeys built on FIDO2. The cryptographic challenge is tied to the legitimate website's domain, so a phishing site can't complete the handshake even with the password.
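To make the difference between the last two rungs concrete, here is an added example (not code from the original post) that plays out the relay attack described in the phishing section and in the list above against both factor types: a TOTP code relayed through a phishing page is accepted, while a FIDO2 assertion requested from a look-alike domain fails at the browser, at the key, and at the site. The domains are made up, and the signature uses HMAC-SHA256 as a stand-in for the key's real ECDSA or EdDSA signature so it runs with the Python standard library alone.

```python
"""Relayed one-time code vs relayed FIDO2 assertion. Added example, not code from the
original post. A real authenticator signs with ECDSA or EdDSA; this uses HMAC-SHA256
as a stand-in signature to stay in the standard library. The point is unchanged: the
signed message covers the origin the browser observed and the hash of the relying
party ID, so a challenge relayed through a look-alike domain yields nothing usable."""
import hashlib
import hmac
import json
import secrets
import struct

RP_ID = "login.example.com"                 # assumed relying-party ID
GOOD_ORIGIN = "https://login.example.com"   # the real sign-in page
PHISH_ORIGIN = "https://login-example.com"  # constructed look-alike domain


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Weak factor: TOTP (RFC 6238). The six digits say nothing about where they were typed.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def totp_relay_attack(unix_time: int = 1_700_000_000) -> str:
    secret = secrets.token_bytes(20)
    forwarded = totp(secret, unix_time)   # victim types it on the phishing page; kit forwards it
    # The real site cannot tell that the code passed through the phishing page.
    return "attacker logged in" if totp(secret, unix_time) == forwarded else "blocked"


# Phishing-resistant factor: FIDO2/WebAuthn assertion.
class Authenticator:
    """Toy security key or passkey holding one credential scoped to an rpId."""
    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.key = secrets.token_bytes(32)   # stands in for the private key

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        if rp_id != self.rp_id:              # the credential only exists for the real rpId
            raise LookupError("no credential for rpId " + rp_id)
        auth_data = sha256(rp_id.encode()) + b"\x01"   # rpIdHash || flags (user present)
        sig = hmac.new(self.key, auth_data + sha256(client_data_json), hashlib.sha256).digest()
        return auth_data, sig


def browser_get(authn: Authenticator, origin: str, rp_id: str, challenge: str):
    """The browser, not the page, writes `origin` into clientDataJSON and vets the rpId."""
    host = origin.split("://", 1)[1]
    if host != rp_id and not host.endswith("." + rp_id):
        raise PermissionError(f"rpId {rp_id!r} not allowed for origin {origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    return (client_data, *authn.get_assertion(rp_id, client_data))


def rp_verify(cred_key: bytes, challenge: str, client_data: bytes, auth_data: bytes, sig: bytes) -> str:
    """The relying party's checks: challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return "rejected: wrong type or challenge"
    if cd.get("origin") != GOOD_ORIGIN:
        return "rejected: origin mismatch"
    if auth_data[:32] != sha256(RP_ID.encode()):
        return "rejected: rpIdHash mismatch"
    expected = hmac.new(cred_key, auth_data + sha256(client_data), hashlib.sha256).digest()
    return "accepted" if hmac.compare_digest(expected, sig) else "rejected: bad signature"


def attempt(authn: Authenticator, origin: str, rp_id: str, challenge: str) -> str:
    """One sign-in attempt end to end, reporting which layer stopped it, if any."""
    try:
        return rp_verify(authn.key, challenge, *browser_get(authn, origin, rp_id, challenge))
    except PermissionError:
        return "browser refused"
    except LookupError:
        return "authenticator refused"


def webauthn_scenarios() -> dict:
    authn = Authenticator(RP_ID)
    challenge = secrets.token_urlsafe(32)   # issued by the real site, relayed by the kit
    results = {
        "legitimate": attempt(authn, GOOD_ORIGIN, RP_ID, challenge),
        "relay_real_rpid": attempt(authn, PHISH_ORIGIN, RP_ID, challenge),
        "relay_own_rpid": attempt(authn, PHISH_ORIGIN, "login-example.com", challenge),
    }
    # An assertion somehow produced over the phishing origin (calling the key directly,
    # skipping the browser) fails the origin check; rewriting the origin field afterwards
    # breaks the signature, which covers hash(clientDataJSON).
    phish_cd = json.dumps({"type": "webauthn.get", "challenge": challenge,
                           "origin": PHISH_ORIGIN}, sort_keys=True).encode()
    auth_data, sig = authn.get_assertion(RP_ID, phish_cd)
    results["phish_origin_assertion"] = rp_verify(authn.key, challenge, phish_cd, auth_data, sig)
    rewritten = phish_cd.replace(PHISH_ORIGIN.encode(), GOOD_ORIGIN.encode())
    results["rewritten_origin"] = rp_verify(authn.key, challenge, rewritten, auth_data, sig)
    return results
```

Run webauthn_scenarios() and the five cases come back as accepted, browser refused, authenticator refused, origin mismatch and bad signature, while totp_relay_attack() reports the attacker logged in. The checks in rp_verify are the ones any WebAuthn relying-party library performs; the point for an owner is that the browser and the key enforce the domain binding, not the user's judgement about whether the page looks right.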

CISA's phishing-resistant MFA fact sheet recommends the strongest factor available for any account that controls money, customer data, or administrative access. An M365 audit catches all three of these gaps in a couple of weeks — that's the work the Microsoft 365 Security Sprint covers.

What good MFA actually looks like

If "we have MFA" was the question, here's the answer in six lines. None of these are advanced. All of them are missing in the average small-business tenant.

  • MFA enabled on every account, including service accounts and shared mailboxes — not just the people who set it up themselves.
  • Legacy authentication blocked at the tenant level so older protocols can't be used as a side door.
  • Phishing-resistant factors (passkeys or hardware keys) required for any account with administrative access, and enabled wherever possible for everyone else; at minimum, number matching on push notifications and no SMS.
  • Conditional Access policies that match the risk: extra scrutiny for sign-ins from unusual locations, unmanaged devices, or impossible-travel patterns.
  • Sign-in logs that someone actually reviews, with alerts for suspicious patterns rather than just an audit trail nobody reads.
  • A documented break-glass account with strong credentials and, ideally, its own hardware key, stored offline and excluded from the Conditional Access policies, so a bad policy or an unavailable primary admin doesn't strand the business.
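What "sign-in logs that someone actually reviews" means in practice, and what the credential-stuffing pattern from earlier looks like in those logs: an added example, not code from the original post, with three detections run over constructed sign-in records shaped like the Entra ID sign-in log. Names, addresses, coordinates and thresholds are made up; the two error codes are Entra's documented values for a failed MFA challenge and a wrong password.

```python
"""Three detections over Entra ID sign-in log records: MFA-fatigue bursts, impossible
travel between successful sign-ins, and credential stuffing from one address. Added
example, not from the original post. Records are constructed in the shape of the
sign-in log JSON (status.errorCode, location.geoCoordinates); every name, address and
coordinate is made up, and the thresholds are starting points to tune per tenant."""
import json
import math
from collections import defaultdict
from datetime import datetime, timedelta

MFA_FAILED = 500121    # Entra: authentication failed during the strong-auth request
BAD_PASSWORD = 50126   # Entra: invalid username or password


def rec(ts, upn, ip, code, lat, lon, detail=""):
    """One constructed sign-in record (a subset of the real fields)."""
    return json.dumps({"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
                       "status": {"errorCode": code, "additionalDetails": detail},
                       "location": {"geoCoordinates": {"latitude": lat, "longitude": lon}}})


SAMPLE_LOG = "\n".join(
    # MFA fatigue: five denials inside five minutes, then an approval, all from one address.
    [rec(f"2025-03-04T02:0{i}:10Z", "owner@example.com", "192.0.2.44", MFA_FAILED,
         41.88, -87.63, "MFA denied; user declined the authentication") for i in range(5)]
    + [rec("2025-03-04T02:05:40Z", "owner@example.com", "192.0.2.44", 0, 41.88, -87.63)]
    # Impossible travel: Denver, then Lagos forty minutes later, both successful.
    + [rec("2025-03-04T09:00:00Z", "bookkeeper@example.com", "203.0.113.5", 0, 39.74, -104.99),
       rec("2025-03-04T09:40:00Z", "bookkeeper@example.com", "198.51.100.77", 0, 6.52, 3.38)]
    # Credential stuffing: one address, five accounts, bad passwords, then one success.
    + [rec(f"2025-03-04T03:1{i}:00Z", f"user{i}@example.com", "198.51.100.200", BAD_PASSWORD,
           51.51, -0.13) for i in range(5)]
    + [rec("2025-03-04T03:15:30Z", "contractor@example.com", "198.51.100.200", 0, 51.51, -0.13)])


def parse(text: str) -> list:
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["_t"] = datetime.strptime(e["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["_t"])


def mfa_fatigue(events, min_denials=3, window=timedelta(minutes=15)) -> list:
    """A run of MFA failures for one account followed by a success inside the window."""
    alerts, denials = [], defaultdict(list)
    for e in events:
        upn, code = e["userPrincipalName"], e["status"]["errorCode"]
        if code == MFA_FAILED:
            denials[upn].append(e["_t"])
        elif code == 0:
            recent = [t for t in denials.pop(upn, []) if e["_t"] - t <= window]
            if len(recent) >= min_denials:
                alerts.append({"user": upn, "denials": len(recent),
                               "approved_at": e["createdDateTime"], "ip": e["ipAddress"]})
    return alerts


def haversine_km(a, b) -> float:
    la1, lo1, la2, lo2 = map(math.radians, (*a, *b))
    h = math.sin((la2 - la1) / 2) ** 2 + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def impossible_travel(events, max_kmh=900.0) -> list:
    """Consecutive successes for one account that would need faster-than-airliner travel."""
    alerts, last = [], {}
    for e in events:
        if e["status"]["errorCode"] != 0:
            continue
        g = e["location"]["geoCoordinates"]
        upn, here = e["userPrincipalName"], (g["latitude"], g["longitude"])
        if upn in last:
            hours = (e["_t"] - last[upn][0]).total_seconds() / 3600
            km = haversine_km(last[upn][1], here)
            if hours > 0 and km / hours > max_kmh:
                alerts.append({"user": upn, "km": round(km), "hours": round(hours, 2)})
        last[upn] = (e["_t"], here)
    return alerts


def credential_stuffing(events, min_accounts=5, window=timedelta(minutes=10)) -> list:
    """One source address failing passwords for many accounts in a short window,
    with any account it then signed into successfully."""
    alerts, by_ip = [], defaultdict(list)
    for e in events:
        by_ip[e["ipAddress"]].append(e)
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["status"]["errorCode"] == BAD_PASSWORD]
        tried = {e["userPrincipalName"] for e in fails}
        if len(tried) >= min_accounts and fails[-1]["_t"] - fails[0]["_t"] <= window:
            entered = sorted({e["userPrincipalName"] for e in evs if e["status"]["errorCode"] == 0})
            alerts.append({"ip": ip, "accounts_tried": len(tried), "accounts_entered": entered})
    return alerts


def run_all(text: str) -> dict:
    events = parse(text)
    return {"mfa_fatigue": mfa_fatigue(events), "impossible_travel": impossible_travel(events),
            "credential_stuffing": credential_stuffing(events)}
```

run_all returns one list per detection; wire it to whatever alerting the business already reads. Entra's own sign-in risk detections cover impossible travel and password spray on the higher licence tiers; the point of the hand-rolled version is to see exactly what the log has to contain for an alert to fire, and that a correct password followed by a denied MFA prompt is itself a finding.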

Each of those is a tenant-level setting or a one-time configuration. None of them require buying new software.

What this looks like as a project, not a panic

Most small businesses don't need a security overhaul. They need a tenant audit, a few policy changes, and someone watching the configuration once a quarter so it doesn't drift back to the unsafe defaults.

That's the work the Microsoft 365 Security Sprint covers. Two weeks. Fixed price. We audit your M365 tenant for the gaps above, fix the configurations, and document what's set so the next IT person — yours or ours — can see what's in place. No long contract. No software to buy. No ongoing retainer required, and no pressure to add one.

If you want broader context on how this fits into the rest of the security work a small business should do, our cybersecurity work in one sentence is this: practical fixes for the businesses that don't have a security team and shouldn't need one.

If you're not sure whether the MFA you have is the MFA you need, that's exactly what the Sprint answers.
