
What Is MFA and Why It Matters

Passwords aren't enough. Here's why MFA is essential and what actually works.

Last updated: March 20, 2026

Your password is not enough.

This isn't fear-mongering. It's math.

Passwords get breached constantly. Year after year, Verizon's Data Breach Investigations Report finds stolen credentials behind the large majority of basic web application attacks (over 80% in recent editions). Your password is probably in a breached database right now, leaked from some other company, and if you reused it, it works on your accounts too.

Multi-factor authentication (MFA) adds a second check. Even if an attacker has your password, they need your phone (or your fingerprint, or your hardware key) too. This stops the vast majority of credential-based attacks.

What MFA Actually Is

MFA requires two or more of these categories:

Something you know

  • Password
  • Security questions (insecurity questions, really—these are weak)

Something you have

  • Phone (authenticator app or text)
  • Hardware key (YubiKey, Google Titan)
  • Smart card

Something you are

  • Fingerprint
  • Face recognition
  • Iris scan

Somewhere you are (context)

  • Trusted network or location
  • Recognized, managed device

Most services treat location and device as risk signals that decide when to demand a second factor, not as a factor on their own.

Breaking into an MFA-protected account means compromising more than one category. Phishing gets the password. To get past the second factor the attacker also needs your phone, your fingerprint, or your hardware key, or a way to trick you into handing over a one-time code while it is still valid. That last trick is why the ranking below matters.

Why This Matters for Gulf Coast SMBs

Phishing is your biggest threat. Gulf Coast businesses—construction, marine services, seafood, hospitality—are heavily targeted by phishing. These industries handle valuable transactions (equipment purchases, charter payments, vendor invoices) that attackers want to redirect.

Passwords are weak by design. People pick passwords they can remember, and those passwords are guessable: CompanyName2024!, your kid's birthday, your wedding anniversary. Attackers have tools that try millions of combinations per second against a stolen password database.

Credential stuffing works. People reuse passwords. You might use Summer2024! for your email and for some random website that gets breached. Attackers take those breached credentials and try them everywhere: your email, your bank, your accounting software.

MFA stops most of this. Even with the right password, an attacker can't get in without the second factor. Password guessing, credential stuffing, and the typical credential-harvesting phishing page all fail. The exception is real-time phishing that relays a one-time code to the real site while it is still valid; only phishing-resistant methods (hardware keys, below) close that gap.

Types of MFA (Ranked by Security)

Best: Hardware Keys (FIDO2/WebAuthn)

What: A physical device you plug in or tap (YubiKey, Google Titan) Security: Phishing-resistant; the only common method a real-time phishing proxy cannot relay Cost: $20-$80 per key Best for: Admin accounts, anyone handling sensitive data

Hardware keys use public-key cryptography. At enrollment the key generates a keypair for that site; the server stores the public key and the private key never leaves the device, so malware can't copy it and a user can't be talked into exporting it. The browser binds every login to the site's real domain, so a phishing page on a lookalike domain gets a signature the real site rejects. Even a perfect phishing page can't use the key remotely.
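The domain binding described above is what makes hardware keys phishing-resistant, and it is a check the site performs, not a property of the metal. The following is an example added for this article, not code from any FIDO2 library or vendor: it walks through the relying-party checks from the WebAuthn specification (challenge, origin, RP ID hash, user-presence flag, signature over the authenticator data and client data) and runs a legitimate login, a phishing proxy on a lookalike domain, a replayed challenge, and a tampered origin. The authenticator's signature is an HMAC stand-in for the real ECDSA/EdDSA signature so that it runs with the standard library only; example.com and the lookalike domain are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

# Example added to the article, not a FIDO2 library. ASSUMPTION: the signature
# below is an HMAC stand-in for the authenticator's asymmetric signature; the
# origin, challenge, rpIdHash and user-presence checks are the real WebAuthn ones.


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ToyAuthenticator:
    """Stand-in for a hardware key. The secret never leaves this object."""

    def __init__(self):
        self._key = os.urandom(32)

    def registered_key(self) -> bytes:
        # A real key exports a public key at enrollment; the toy shares its HMAC key.
        return self._key

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        # authenticatorData = rpIdHash(32) || flags(1, bit 0 = user present) || signCount(4)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self._key, signed, hashlib.sha256).digest()


def browser_client_data(page_origin: str, challenge: bytes) -> bytes:
    """The browser, not the web page, writes the origin of the page that called
    navigator.credentials.get() into clientDataJSON."""
    return json.dumps({"type": "webauthn.get", "challenge": _b64url(challenge),
                       "origin": page_origin}).encode()


def rp_verify(rp_id, allowed_origins, issued_challenge, key, client_data_json, auth_data, sig):
    """Relying-party side. Returns (accepted, reason)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "type"
    if not hmac.compare_digest(_b64url_decode(cd.get("challenge", "")), issued_challenge):
        return False, "challenge"      # stale or replayed assertion
    if cd.get("origin") not in allowed_origins:
        return False, "origin"         # lookalike domain: the browser recorded where the user really was
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash"       # credential exercised for a different RP ID
    if not auth_data[32] & 0x01:
        return False, "user presence"
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data_json).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "signature"      # clientDataJSON or authenticatorData altered after signing
    return True, "ok"


def login_attempt(authenticator, key, page_origin, challenge, rp_expects=None, rewrite_origin_to=None):
    """One login: the user is on page_origin (the real site or a phishing proxy) and
    that page presents `challenge`. rp_expects is what the real RP actually issued;
    rewrite_origin_to simulates an attacker editing clientDataJSON after signing."""
    rp_id = urlparse(page_origin).hostname          # the browser derives this from the page's domain
    cdj = browser_client_data(page_origin, challenge)
    auth_data, sig = authenticator.get_assertion(rp_id, cdj)
    if rewrite_origin_to is not None:
        cdj = browser_client_data(rewrite_origin_to, challenge)
    expected = challenge if rp_expects is None else rp_expects
    return rp_verify("example.com", {"https://example.com"}, expected, key, cdj, auth_data, sig)


def demo() -> dict:
    device = ToyAuthenticator()
    key = device.registered_key()
    challenge = os.urandom(32)                       # issued by example.com for this login
    phish = "https://example-com.login-secure.net"  # assumed lookalike domain for the demo
    return {
        "legit": login_attempt(device, key, "https://example.com", challenge),
        "phishing_proxy": login_attempt(device, key, phish, challenge),
        "replayed_challenge": login_attempt(device, key, "https://example.com", challenge,
                                            rp_expects=os.urandom(32)),
        "tampered_origin": login_attempt(device, key, phish, challenge,
                                         rewrite_origin_to="https://example.com"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The phishing proxy relays the genuine challenge and the user taps the genuine key, yet the assertion fails on the origin check; rewriting the origin field afterwards fails on the RP ID hash, and any further edit breaks the signature. That chain of checks, not the key's tamper resistance, is what "phishing-resistant" means.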

Very Good: Authenticator Apps (TOTP)

What: Apps like Microsoft Authenticator, Google Authenticator, Authy that generate time-based codes Security: Good. Defeats password reuse, credential stuffing and replay of old codes, but a real-time phishing proxy can relay a live code Cost: Free Best for: Everyone. Enable this on all accounts that support it.

TOTP codes are computed from a secret shared at enrollment (the QR code) and the current time, and change every 30 seconds. A code an attacker records is useless once the window has passed, so breached databases and credential stuffing don't help them. The weak spot is real-time phishing: a proxy page that forwards your code to the real site within the same window gets in. TOTP beats SMS because there is no carrier to social-engineer, but it is not phishing-resistant the way hardware keys are.

Good: Push Notifications

What: "Someone is trying to log in. Did you approve this?" Push to your phone. Security: Good with number matching; vulnerable to "push bombing" without it Cost: Free Best for: General users, if configured with number matching

Push notifications are convenient but can be exploited. An attacker who already has the password triggers login after login until you approve one just to make the prompts stop. Number matching fixes this: the sign-in screen shows a number and the app makes you type it, so you can't approve a prompt you didn't start. Microsoft Authenticator has enforced number matching for push prompts since 2023; other providers offer the same under names like "verified push". Turn on the option to show the requesting application and location in the prompt, and teach staff to report, not approve, prompts they did not initiate.

Weak: SMS/Text Message

What: Code sent to your phone via text Security: Weak—SIM swap attacks, SMS interception Cost: Free Best for: Last resort only. Use app-based MFA instead.

Attackers can call your carrier, pretend to be you, and transfer your number to their SIM. Now they receive your SMS codes. This happens. Use authenticator apps instead.

Avoid: Security Questions

What: "What was your first car?" "What street did you grow up on?" Security: Terrible—answers are in public records, social media, or easily guessed Cost: Free Best for: Nothing. These are legacy security that creates risk.

Security questions are no better than passwords—and often worse. Your mother's maiden name is on your LinkedIn profile. Your first pet's name is in your Facebook photos.

What Can Go Wrong

"The team disabled MFA because it was annoying" Someone found MFA inconvenient. They turned it off. Two weeks later, their account was compromised. All your security is only as strong as your weakest enforcement.

"SMS was their only option" A vendor only supported SMS MFA. Attacker called T-Mobile, convinced them to transfer the phone number. Received the SMS codes. Logged in. No other security controls existed.

"Push bombing worked" Attacker had the password. Kept triggering login attempts. Employee got 50 push notifications over 10 minutes. Frustrated, they approved one. Attacker logged in.
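The push-bombing scenario above (and the push-notification section earlier) leaves a distinctive trail in sign-in logs: many denied or expired pushes for one account in a few minutes, sometimes followed by a success. This is an example added for this article, not vendor code: a small detector run over constructed sample events. The event shape (createdDateTime, userPrincipalName, ipAddress, status.failureReason) is an assumption loosely modeled on Entra ID sign-in logs; adapt the field names to what your identity provider actually exports.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Example added to the article, not vendor code. ASSUMPTION: the JSON shape below
# loosely follows Entra ID sign-in logs; the events themselves are constructed.

MFA_FAILURES = {"MFA denied", "MFA timed out"}


def _event(minute: int, second: int, user: str, result: str, ip: str) -> str:
    """Build one constructed JSON log line (sample data, not a real sign-in)."""
    ts = datetime(2026, 3, 20, 9, minute, second, tzinfo=timezone.utc)
    return json.dumps({"createdDateTime": ts.isoformat(), "userPrincipalName": user,
                       "ipAddress": ip, "mfaDetail": {"authMethod": "Push"},
                       "status": {"failureReason": result}})


# adoe: one accidental deny, then a normal login from the same office address.
SAMPLE_LOGS = [
    _event(0, 5, "adoe@example.com", "MFA denied", "198.51.100.7"),
    _event(0, 40, "adoe@example.com", "Success", "198.51.100.7"),
]
# jsmith: an attacker holding the password hammers push prompts from one address
# for eight minutes, and the user finally approves one.
SAMPLE_LOGS += [_event(m, 0, "jsmith@example.com",
                       "MFA timed out" if m % 2 else "MFA denied", "203.0.113.9")
                for m in range(1, 9)]
SAMPLE_LOGS.append(_event(9, 15, "jsmith@example.com", "Success", "203.0.113.9"))


def parse_events(lines):
    events = []
    for line in lines:
        rec = json.loads(line)
        events.append({"ts": datetime.fromisoformat(rec["createdDateTime"]),
                       "user": rec["userPrincipalName"], "ip": rec["ipAddress"],
                       "result": rec["status"]["failureReason"]})
    return sorted(events, key=lambda e: e["ts"])


def detect_push_bombing(lines, threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {user: details} for users with >= threshold denied/expired pushes
    inside `window`. A success within the window of the last failed push is the
    "user gave in" case: revoke sessions and reset the password, not just a ticket."""
    alerts = {}
    recent = defaultdict(deque)   # user -> timestamps of recent failed pushes
    for e in parse_events(lines):
        q = recent[e["user"]]
        if e["result"] in MFA_FAILURES:
            q.append(e["ts"])
            while e["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(e["user"], {"failed_pushes": 0, "first_seen": q[0],
                                                  "source_ips": set(),
                                                  "approved_after_spam": False})
                a["failed_pushes"] = len(q)
                a["source_ips"].add(e["ip"])
        elif e["result"] == "Success" and e["user"] in alerts:
            if e["ts"] - recent[e["user"]][-1] <= window:
                alerts[e["user"]]["approved_after_spam"] = True
    return alerts


if __name__ == "__main__":
    for user, details in detect_push_bombing(SAMPLE_LOGS).items():
        print(user, details)
```

Tune the threshold to your environment (five unanswered pushes in ten minutes is far outside normal user behaviour), and treat approved_after_spam as an incident, since the attacker now holds a valid session.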

"The backup codes were in an email" Backup codes stored in the same email account they protect. Phished the email, phished the backup codes. Defeated MFA entirely.

What It Costs

Authenticator app: Free

  • Microsoft Authenticator
  • Google Authenticator
  • Authy

Hardware keys: $20-$80 per key

  • YubiKey 5 Series: $20-$55
  • Google Titan: $30-$70
  • Buy 2 per person (backup key required)

MFA management:

  • Built into Microsoft 365 and Google Workspace: Free
  • Third-party MFA management: $3-$6/user/month (Duo, Okta)

Recovery costs (if MFA fails or isn't used):

  • Account takeover recovery: $5,000-$50,000+
  • Business email compromise losses: $10,000-$250,000
  • Data breach notification: $1,000-$50,000

Minimum Viable Implementation

Today

  1. Enable MFA on all admin accounts. No exceptions. Start with the highest-privilege accounts.

  2. Use authenticator app, not SMS. Microsoft Authenticator or Google Authenticator. Both free. Much more secure than SMS.

  3. Generate backup codes. Print them. Store them in a safe place (home safe, safe deposit box). This is your "I lost my phone" recovery.

This Week

  1. Enable MFA for all email users. Every person in your organization who accesses business email.

  2. Disable SMS and phone call MFA. If your systems allow it, remove these weaker options. Force authenticator app usage.

  3. Confirm number matching is on. Microsoft Authenticator enforces number matching for push prompts by default; check the Microsoft Authenticator settings under Authentication methods in the Entra admin center, and turn on showing the application name and location in the prompt. For other providers, look for "number matching" or "verified push" in the MFA settings. This prevents push bombing.

This Month

  1. Purchase hardware keys for admin accounts. Two keys per admin (one is the backup) runs roughly $40-$160, cheap insurance against account takeover.

  2. Block legacy authentication. Basic-auth protocols (POP, IMAP, SMTP AUTH, older Outlook and ActiveSync clients) take only a username and password and never prompt for MFA. In Microsoft 365, confirm Basic authentication is off for every protocol (SMTP AUTH is the one most often still enabled) and add a Conditional Access policy that blocks legacy authentication clients, so a stolen password can't be used around MFA.

  3. Test backup access. Can you recover an account if the primary MFA method is lost? Test it before you need it.

  4. Document the recovery process. What happens if an employee loses their phone and backup codes? Write it down. Make sure someone knows what to do.

Vendor Questions (Copy/Paste)

  1. "What MFA methods do you support? Do you support authenticator apps and hardware keys?"

  2. "Can we disable SMS-based MFA and require app-based authentication?"

  3. "What happens if a user loses their MFA device? What's the recovery process?"

  4. "Can we enable number matching or phishing-resistant MFA like FIDO2?"

  5. "Do you block legacy authentication (IMAP/POP) which can bypass MFA?"

  6. "What's your false-positive rate for MFA? How often do legitimate users get locked out?"

When to Hire Help

DIY-friendly if:

  • Under 25 users
  • Basic Microsoft 365 or Google Workspace setup
  • One person can manage enrollment

Get professional help if:

  • Over 50 users
  • Multiple applications requiring MFA configuration
  • Legacy systems that don't support modern MFA
  • Previous account takeover incidents
  • Need help with hardware key deployment

Warning signs you need help now:

  • Any admin account without MFA
  • Users sharing credentials
  • Previous phishing incident in the last 6 months
  • No backup method for MFA
  • Legacy authentication enabled for email

Need Help Implementing This?

If you'd like guidance tailored to your specific infrastructure, we offer focused consultations. No sales pressure, just practical next steps.
