MFA: The One Upgrade That Stops Most Account Takeovers — and How to Roll It Out Without the Pushback
Part of our guide: Phishing, scams & account security
Here’s an uncomfortable truth: at some point, one of your team’s passwords will be stolen, guessed, or leaked in a breach somewhere else. You can’t fully prevent it. What you can do is make a stolen password useless on its own — and that’s exactly what multi-factor authentication (MFA) does.
MFA is widely regarded as the single most effective step a business can take against account takeover. So why doesn’t every business have it everywhere? Usually one reason: the fear that staff will find it annoying. Here’s how to roll it out so they don’t.
What MFA is, in one minute
MFA simply means proving who you are with more than one type of factor:
- Something you know — your password.
- Something you have — a phone with an authenticator app, or a hardware key.
- Something you are — a fingerprint or face scan.
A password alone is a single point of failure. Add a second factor and an attacker who steals the password still can’t get in, because they don’t have your phone or your fingerprint.
Why passwords fail on their own
Passwords leak constantly — and not usually because of anything your business did. Billions of credentials sit in breach dumps from other companies, and because people reuse passwords, a leak from an unrelated site can hand attackers a working login to your systems. They then run automated credential-stuffing attacks, trying those username-password pairs across many services at once. Phishing does the same job more directly, tricking someone into typing their password into a fake page. In every case, MFA is the wall the stolen password runs into.
Where to turn it on first
Don’t try to enable MFA everywhere overnight. Work in priority order:
- Email accounts — the master key; password resets for everything else land here.
- Remote access — VPNs and remote desktop, a favourite target.
- Administrator accounts — the keys to the kingdom.
- Financial and banking tools — anything that moves money.
- Everything else — your remaining business applications.
Choose the right method
Not all MFA is equal:
- Authenticator apps (a code or prompt on a phone) are a solid default.
- Passkeys or hardware security keys are the strongest option and resist phishing.
- SMS text codes are better than nothing, but the weakest choice — they can be intercepted or SIM-swapped, so avoid them for sensitive accounts.
Where your platform supports it, turn on number matching (you type a number shown on screen into the app) rather than simple “approve/deny” prompts. It’s a small change that defeats one of the most common ways attackers beat MFA.
MFA isn’t bulletproof — close the remaining gaps
MFA stops the vast majority of attacks, but determined attackers have two workarounds worth knowing:
- MFA fatigue. They spam approval prompts hoping a tired user taps “approve” just to make it stop. The same social-engineering pressure drives bank impersonator scams. Number matching and staff awareness shut this down.
- Adversary-in-the-middle. A fake login page relays your credentials and your code in real time to steal the session. Only phishing-resistant methods — passkeys and hardware keys — reliably stop this, which is why they’re the gold standard for admins and finance staff.
The takeaway isn’t “MFA doesn’t work” — it’s “choose strong methods for your most sensitive accounts.”
Rolling it out without the groans
This is where the friction is won or lost:
- Phase it. Roll out team by team, not all at once.
- Start at the top. When leadership and IT go first, it signals this isn’t optional busywork.
- Explain the why. A two-minute explanation — “this stops criminals using stolen passwords” — turns a chore into something that makes sense.
- Give a simple how-to. A one-page guide with screenshots removes most of the support tickets.
- Pair it with a password manager. A password manager makes the password half stronger and the whole experience smoother.
- Use “remember this device” sensibly. On trusted company devices, staff won’t be prompted every single time — which removes the biggest complaint.
- Plan for lost phones. Have a clear, secure recovery process in place before someone needs it.
Handling the common objections
- “It slows me down.” On a trusted device, it’s a tap every few weeks — not every login.
- “I don’t have my phone.” Provide backup codes or a second method during setup.
- “We’re too small to need this.” Automated attacks don’t check your size — see is your business too small to be a target?. MFA is exactly the kind of low-cost, high-impact control a small business should prioritize.
One more reason it’s no longer optional: cyber-insurance applications now routinely require MFA, especially on email and remote access. Not having it can raise your premium or sink the application — see cyber-insurance requirements in Canada.
The bottom line
MFA is rarely the thing people are excited about — and almost always the thing that would have stopped the incident. A short, well-communicated rollout pays for itself the first time a stolen password hits a wall.
If you’d like help rolling out MFA across your business properly, get in touch — it’s one of the first things we put in place.