Passwords Alone Are Not Enough
Passwords are the weakest link in business security. Staff reuse passwords across personal and work accounts, choose predictable combinations, and share credentials when they should not. According to the ACSC, compromised credentials are involved in more than 60 per cent of data breaches affecting Australian organisations.
Multi-factor authentication (MFA) adds a second, independent verification step beyond the password. An attacker who obtains the password through phishing or a data breach then has to defeat the second factor as well; how hard that is depends on the type of factor, as the sections below explain.
How MFA Works
MFA requires two or more of the following: something you know (password or PIN), something you have (phone, hardware key, or smart card), and something you are (fingerprint or facial recognition). The factors must come from different categories: a password plus a security question is still only something you know, and is not MFA.
The most common implementation for businesses is a password plus a one-time code from an authenticator app or a push notification to a registered device. This is simple for staff to use and dramatically increases security.
Types of MFA
Authenticator Apps
Microsoft Authenticator, Google Authenticator, and Duo Mobile generate time-based one-time passwords (TOTP) that change every 30 seconds. The code is computed from a secret shared with the service when the app is enrolled and from the current time, so it works offline and is not tied to the phone number. Microsoft Authenticator and Duo also support push notifications: staff approve or deny a login attempt on their phone. An authenticator app is the recommended baseline for most businesses.
Hardware Security Keys
Physical keys such as YubiKey plug into a USB port or are tapped via NFC and use the FIDO2/WebAuthn standard. They are phishing-resistant because the key signs a challenge that is bound to the domain of the site it was registered with; a lookalike login page on a different domain gets no usable response, so there is nothing for the attacker to relay. Hardware keys are recommended for high-value accounts such as administrators, finance staff, and executives. Register two keys per person so a lost key does not lock them out.
SMS-Based MFA
A code sent via text message. While better than no MFA at all, SMS is the weakest option. SIM-swapping attacks allow attackers to intercept SMS codes by porting the victim’s phone number, and a code typed into a fake login page can be relayed to the real one within its validity window. The ASD Essential Eight recommends against SMS as a sole MFA method. Use it only as a fallback if authenticator apps or hardware keys are not feasible, and review periodically who still depends on it.
Biometrics
Fingerprint and facial recognition on modern devices provide a convenient factor. Windows Hello for Business integrates biometric sign-in with Active Directory and Microsoft Entra ID (formerly Azure AD), making it seamless for staff using company laptops. The biometric never leaves the device: it unlocks a private key held in the laptop’s TPM, so this is really something you have (the enrolled device) unlocked by something you are, and it counts as a phishing-resistant method.
Where to Enable MFA
Prioritise MFA deployment in this order:

1. Email accounts, the most common target and the gateway to password resets for other services.
2. Remote access, including VPN and Remote Desktop.
3. Cloud services such as Microsoft 365, accounting software, and CRM.
4. Privileged accounts, including domain administrators.
5. Line-of-business applications that contain client or financial data.

Service accounts are a special case: they cannot answer an interactive prompt, so protect them instead with long random credentials, tightly restricted logon rights, and managed identities where the platform offers them.
The goal is MFA on every account that accesses business data. Start with the highest-risk accounts and expand from there.
MFA and the Essential Eight
MFA is one of the ASD Essential Eight mitigation strategies, and the maturity model tightens the requirement at each level. Maturity Level 1 centres on users of internet-facing online services, including third-party services that hold the organisation’s data. Higher levels extend MFA to privileged and then all users of internal systems and require phishing-resistant methods: hardware keys qualify, as do Windows Hello for Business and smart cards, while app codes, push approvals and SMS do not. ASD revises the maturity model periodically, so check the current version for exactly what each level requires.
Implementing MFA is one of the most impactful steps you can take toward Essential Eight compliance.
Common Objections and Responses
“It slows people down.” Modern MFA adds 5 to 10 seconds to a login. With features like “remember this device” for trusted workstations and biometric authentication, the friction is minimal. Compare that to the days or weeks of disruption following an account compromise.
“Our staff are not tech-savvy.” Authenticator apps are designed for simplicity. Setup takes five minutes per user, and the daily experience is tapping “approve” on a phone notification. Provide a brief training session and written instructions, and most staff adapt within a day.
“We do not have the budget.” MFA is included in every Microsoft 365 plan through security defaults; Business Premium adds Conditional Access for finer control over when and how it is enforced. Free authenticator apps work with almost every service. The cost of MFA is negligible compared to the cost of a breach.
Rolling Out MFA
A phased rollout reduces disruption. Start with IT and admin accounts first, then extend to management and finance, follow with all staff on email and cloud services, and finally cover remaining applications. Before enforcing MFA on administrators, make sure there is a tested recovery path so a lost phone cannot lock you out: register a second method for every admin and keep an emergency access account with a long random password stored offline. Communicate the change clearly: explain why MFA is being implemented, provide step-by-step setup guides, and offer in-person or remote support during the rollout period.
MFA Fatigue Attacks
Be aware of MFA fatigue, a technique where attackers who already hold the password repeatedly trigger push notifications, hoping the user will approve one out of frustration or by mistake. Countermeasures include number matching (the user must type a number shown on the login screen into the app, so a blind tap cannot approve), showing the requesting application and sign-in location in the prompt so an unexpected request is obviously wrong, limiting the number of prompts a user can receive in a short period, and telling staff to report, rather than approve, any prompt they did not initiate. Microsoft Authenticator now requires number matching by default, which largely eliminates blind approvals. It does not protect against a phishing page that relays a real login in real time; only phishing-resistant methods such as hardware keys and Windows Hello for Business do.
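As an added example, not code from the original article, the following Python detection logic runs over a constructed set of sign-in events (the line format, user names and outcome labels are invented for the demo and are not a real Entra ID or Duo log schema) and flags the burst-of-prompts pattern described above, escalating the finding when an approval follows a run of denials. The threshold and window are assumptions to be tuned against your own sign-in volume.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed sample events for the demo (not a real identity-provider log format):
# timestamp,user,outcome  where outcome is one of
#   mfa_denied   - user tapped deny
#   mfa_timeout  - prompt expired unanswered
#   mfa_approved - user tapped approve
#   success      - sign-in completed (not itself a prompt)
SAMPLE_EVENTS = """\
2024-03-04T02:10:05Z,alice@example.com,mfa_denied
2024-03-04T02:10:41Z,alice@example.com,mfa_timeout
2024-03-04T02:11:20Z,alice@example.com,mfa_denied
2024-03-04T02:12:02Z,alice@example.com,mfa_denied
2024-03-04T02:12:44Z,alice@example.com,mfa_denied
2024-03-04T02:13:30Z,alice@example.com,mfa_approved
2024-03-04T02:13:31Z,alice@example.com,success
2024-03-04T09:00:00Z,bob@example.com,mfa_approved
2024-03-04T09:00:02Z,bob@example.com,success
2024-03-04T11:45:00Z,carol@example.com,mfa_denied
2024-03-04T14:02:00Z,carol@example.com,mfa_denied
"""

PROMPT_OUTCOMES = {"mfa_denied", "mfa_timeout", "mfa_approved"}

Event = Tuple[datetime, str, str]


def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.strip().splitlines():
        ts, user, outcome = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome))
    return events


def detect_mfa_fatigue(events: Iterable[Event], threshold: int = 4,
                       window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Sliding-window count of push prompts per user.

    A user who receives `threshold` or more prompts inside `window` is flagged
    as medium. If the burst ends with an approval after `threshold - 1` or more
    denials/timeouts, the finding is high: that is the 'approved one out of
    frustration' outcome the attacker is after. Both parameters are assumptions.
    """
    recent: Dict[str, deque] = defaultdict(deque)
    findings: Dict[str, Dict] = {}
    for ts, user, outcome in sorted(events):
        if outcome not in PROMPT_OUTCOMES:
            continue
        q = recent[user]
        q.append((ts, outcome))
        while ts - q[0][0] > window:          # drop prompts older than the window
            q.popleft()
        if len(q) < threshold:
            continue
        rejected_before = sum(1 for _, o in list(q)[:-1] if o != "mfa_approved")
        finding = findings.setdefault(user, {
            "user": user, "first_prompt": q[0][0], "prompts": 0, "severity": "medium"})
        finding["prompts"] = max(finding["prompts"], len(q))
        finding["last_prompt"] = ts
        if outcome == "mfa_approved" and rejected_before >= threshold - 1:
            finding["severity"] = "high"
    return list(findings.values())


if __name__ == "__main__":
    for f in detect_mfa_fatigue(parse_events(SAMPLE_EVENTS)):
        print(f"{f['severity'].upper():6} {f['user']}: {f['prompts']} prompts "
              f"between {f['first_prompt']:%H:%M:%S} and {f['last_prompt']:%H:%M:%S}")
```

On the sample data only alice is flagged, and at high severity, because five rejected prompts in under four minutes were followed by an approval; bob’s single approval and carol’s two denials hours apart stay below the threshold. To use it for real, map your identity provider’s sign-in log outcomes onto the three prompt outcomes and treat a high finding as a likely compromised password plus a live session to revoke.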
Take Action
If your business has not implemented MFA, you are leaving the door open. It is the single most effective control against attacks that rely on stolen or guessed passwords. Contact TechAssist to plan your MFA rollout.