Multi-factor authentication, explained — and why turning it on is not the finish line
MFA stops most stolen-password attacks cold. But 'turned on' and 'properly configured' are not the same thing, and the gap between them is where accounts still get compromised.
Multi-factor authentication — MFA for short — is the extra step your phone or an app asks for after you type your password. A six-digit code, a tap to approve, a fingerprint. You've seen it. You've probably used it on your bank account.
It's also the single most effective thing a small business can do to stop account takeovers. But there's a common gap between "we have MFA" and "MFA is actually protecting us" — and that gap is where a lot of breaches happen.
What MFA actually does
A password is a secret. The problem is that secrets get stolen — in data breaches, through phishing emails, or by people reusing the same password on 10 different sites. Attackers buy and sell lists of stolen passwords. If your password is on a list from a 2022 breach, someone has it right now.
MFA means that knowing your password isn't enough. An attacker also needs the second factor — the code or the app — which they almost certainly don't have. That's why turning on MFA is such a big deal. It makes a stolen password mostly useless.
Not all second factors are equal
Here's where it gets a little more nuanced. There are different kinds of second factors, and they don't all offer the same protection.
- Texted codes (SMS) are better than nothing, but they can be intercepted through a technique called SIM swapping, where an attacker convinces your phone carrier to hand your number to a device they control. For most small businesses, this isn't the highest-risk scenario, but it's worth knowing.
- Authenticator apps — like Microsoft Authenticator or Google Authenticator — generate codes on your phone directly, with no phone-carrier involvement. They're meaningfully harder to intercept. This is the level most small businesses should be aiming for.
- Hardware security keys and passkeys are the strongest option: physical keys you plug in or tap, or device-based credentials that are tied to a specific website. They're resistant to phishing in a way that codes — even app-generated ones — are not. They're becoming more common, and worth knowing about.
For a 20-person business, authenticator apps are the practical target. Hardware keys and passkeys are a sensible upgrade if you're handling financial data or have admin accounts with broad access.
The gaps that undermine everything
This is the part people miss. MFA can be technically "turned on" and still have holes.
Legacy authentication is the most common one. Older email clients and mail protocols — the kind of connection a mail app from 2014 uses — often route around MFA entirely. They don't know how to handle it, so they skip it. Attackers know this. When someone gets a leaked password, one of the first things they try is connecting via one of these older paths. If your Microsoft 365 tenant still allows them, MFA doesn't help for those connections.
Partial rollout is another one. MFA might be on for most staff, but not for a contractor who got set up in a rush, or a shared account nobody thinks to check, or an admin account that someone assumed was already covered. One unprotected account is enough.
App passwords are old workarounds that some systems still allow — they let legacy apps connect without going through MFA at all. They should be audited and removed where they aren't needed.
The practical setup for a small business
If you're starting from scratch or doing a health check, the goal is straightforward:
- Require MFA for every account — no exceptions, including admins and shared mailboxes.
- Use an authenticator app as the method, not just SMS.
- Block legacy authentication methods so those older paths can't be used to bypass MFA.
- Consider passkeys for admin accounts if your setup supports them — Microsoft 365 does.
None of this requires deep technical expertise to ask for. If someone manages your Microsoft 365, these are four direct questions you can put to them today.
One more thing
MFA isn't the finish line — it's the foundation. It eliminates the "stolen password" risk almost entirely, but it doesn't protect against someone approving a malicious app, or clicking a link that captures a session token. Those are real but separate problems.
Think of MFA as locking the front door. A big improvement. And a starting point.
Tenant Strike connects to your Microsoft 365 in read-only mode and checks whether MFA is actually required for all accounts, whether legacy authentication is blocked, and a range of related identity settings — then shows you in plain English what's open and how to fix it. Takes about five minutes to find out where things stand.
AI-researched from public sources. We label AI-assisted writing — see our trust page.
See your own risk
Want this for your own Microsoft cloud?
Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.