
MFA: What To Enable First

MFA is not optional anymore. If someone's email gets compromised, they can reset every other password. Protect email first, then everything else.

Last updated: March 20, 2026

A CFO at a Destin boat dealership wired $47,000 to a fraudulent account. The attacker had compromised her email — her email password was the same one exposed in a breach three years ago. Once in her email, the attacker found an invoice, sent a follow-up "payment reminder" from her address, and changed the routing number.

The bank wouldn't cover the loss. The email compromise was the entry point.

If she had MFA on her email, this wouldn't have happened. The attacker would have needed her phone, not just her password.

What this solves (in real business terms)

MFA (multi-factor authentication) requires two or more "factors" to log in:

  • Something you know (password)
  • Something you have (phone, security key)
  • Something you are (fingerprint, face)

Passwords are compromised constantly — through breaches, phishing, reused passwords. MFA adds a second layer: even if an attacker has your password, they need your phone too.

Microsoft's research shows MFA blocks 99.9% of automated attacks on accounts. One setting change, near-total protection against the most common attack vector.

What can go wrong

Choosing weak MFA methods. SMS text messages (codes sent to your phone) are better than nothing, but attackers can intercept them through SIM swapping. Push notification fatigue — approving a push you didn't initiate — has also become a real attack vector.

MFA on only some accounts. You enable MFA everywhere except your backup email. Attacker compromises backup email, uses it to reset MFA on your main account.

No backup recovery path. Employee loses phone with authenticator app. Can't log in. You spend hours recovering the account. If this happens to an owner during a crisis, it can be days before you regain access.

MFA fatigue attacks. Attacker tries to log in repeatedly, sending push notifications to your phone. If your team is conditioned to "just approve it" to make the notifications stop, they'll approve fraudulent requests.
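The fatigue pattern above is visible in sign-in logs before anyone approves: a burst of push challenges for one user that are denied or time out, followed by an approval. The following is an added example, not code from this guide, showing how a small script can flag that pattern. The log lines are constructed for the example and the field names (`ts`, `user`, `result`, `ip`) are this script's own assumption, not the schema of any particular identity provider.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (not real data), one JSON object per line. "result" is
# the outcome of a push challenge: approved, denied or timeout.
SAMPLE_LOG = "\n".join([
    '{"ts":"2026-03-20T02:14:05Z","user":"cfo@example.com","result":"denied","ip":"203.0.113.7"}',
    '{"ts":"2026-03-20T02:14:40Z","user":"cfo@example.com","result":"timeout","ip":"203.0.113.7"}',
    '{"ts":"2026-03-20T02:15:12Z","user":"cfo@example.com","result":"denied","ip":"203.0.113.7"}',
    '{"ts":"2026-03-20T02:16:01Z","user":"cfo@example.com","result":"denied","ip":"203.0.113.7"}',
    '{"ts":"2026-03-20T02:17:30Z","user":"cfo@example.com","result":"approved","ip":"203.0.113.7"}',
    '{"ts":"2026-03-20T08:01:00Z","user":"sales@example.com","result":"approved","ip":"198.51.100.4"}',
    '{"ts":"2026-03-20T08:03:00Z","user":"sales@example.com","result":"denied","ip":"198.51.100.4"}',
])


def parse_log(text):
    """Parse newline-delimited JSON events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_push_storms(events, threshold=3, window_seconds=600):
    """Sliding window per user over unapproved (denied/timeout) push challenges.

    When `threshold` such challenges land within `window_seconds`, raise a
    'storm' alert. An approval while a storm is open is the urgent
    'approved_after_storm' alert: the user may have approved just to make the
    prompts stop, so that session should be revoked and the password reset.
    """
    recent = defaultdict(deque)  # user -> recent unapproved challenges
    alerts = []
    for ev in events:
        q = recent[ev["user"]]
        while q and (ev["ts"] - q[0]["ts"]).total_seconds() > window_seconds:
            q.popleft()  # drop challenges that fell out of the window
        if ev["result"] in ("denied", "timeout"):
            q.append(ev)
            if len(q) == threshold:
                alerts.append({"type": "storm", "user": ev["user"], "ip": ev["ip"], "at": ev["ts"]})
        elif ev["result"] == "approved" and len(q) >= threshold:
            alerts.append({"type": "approved_after_storm", "user": ev["user"], "ip": ev["ip"],
                           "at": ev["ts"], "prior_prompts": len(q)})
    return alerts


if __name__ == "__main__":
    for alert in detect_push_storms(parse_log(SAMPLE_LOG)):
        print(alert)
```

Running it against the sample flags the CFO account twice: once when the third unapproved prompt arrives, and again, with higher priority, when the approval follows four unanswered prompts. The sales account, with a single denial, is not flagged. In practice the same logic feeds an alert in whatever log tooling you already have; the point is that the approval after a burst is the event to act on immediately.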

What it costs (honest ranges)

  • Authenticator apps (Microsoft Authenticator, Google Authenticator): Free
  • Hardware security keys (YubiKey): $20-$50 each
  • Microsoft 365 Business Premium: $22/user/month, includes MFA for all users
  • Google Workspace: included in Business Standard and above
  • Managed security provider: usually $10-$30/user/month, includes MFA deployment and management

For most Gulf Coast SMBs: use the free authenticator apps. Hardware keys are worth it for owners and admins with access to critical systems.

Vendor questions (copy/paste)

  1. "Which accounts do we currently have MFA enabled on? Are there any gaps?"
  2. "Do we have MFA on our backup/secondary email accounts?"
  3. "What MFA method do you recommend — authenticator app, SMS, or hardware keys? Why?"
  4. "Do we have a break-glass recovery process if someone loses their MFA device?"
  5. "Are we protected against MFA push notification fatigue attacks?"

Minimum viable implementation

Priority 1: Email accounts (do this first)

Email is the keys to the kingdom. If someone gets into your email, they can reset every other password.

Microsoft 365:

  1. Admin Center > Users > Active users
  2. Select each user > Manage multi-factor authentication
  3. Enable for all users
  4. Enforce per-user MFA or use Security Defaults

Google Workspace:

  1. Admin Console > Security > 2-Step Verification
  2. Make it required for everyone
  3. Set enforcement date (gives users time to enroll)

Priority 2: Admin accounts and owners

Enable MFA on every admin account before touching anything else. These are the highest-value targets.

Priority 3: Everything else

Work through your list:

  • Banking and financial accounts
  • Cloud storage (OneDrive, Google Drive)
  • Accounting software (QuickBooks, Xero)
  • CRM
  • VPN access
  • Any tool with sensitive customer data

Priority 4: Set up backup authentication

  1. Register a second authentication method on every account (a second phone, backup codes)
  2. Store backup codes in a secure location (password manager, not the same device)
  3. Create break-glass accounts (see our separate guide)
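To make concrete what the "something you have" factor and the backup codes in the steps above actually are, here is an added example (not code from this guide or from any vendor) of the server side of an authenticator app: the RFC 6238 time-based code check, and single-use backup codes stored only as hashes. The secret is the published RFC 6238 test value, used here so the output can be checked against the RFC; a real deployment generates a random per-user secret.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# RFC 6238 Appendix B test secret ("12345678901234567890" in base32). An
# authenticator app enrolment would hold a random per-user secret instead.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (30 s steps)."""
    return hotp(secret_b32, at // step, digits)


class TotpVerifier:
    """Checks a code typed from an authenticator app.

    Accepts the current step plus `window` steps either side to absorb clock
    drift, and never accepts a step at or before the last accepted one, so a
    code that was phished a moment ago cannot be replayed within its lifetime.
    """

    def __init__(self, secret_b32, step=30, window=1):
        self.secret = secret_b32
        self.step = step
        self.window = window
        self.last_counter = -1

    def verify(self, code, at=None):
        at = int(time.time()) if at is None else at
        current = at // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # already consumed (or older): refuse replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


class BackupCodes:
    """One-time backup codes: the server keeps only hashes, each redeemable once."""

    def __init__(self, hashes):
        self._hashes = set(hashes)

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.replace("-", "").lower().encode()).hexdigest()

    @classmethod
    def issue(cls, count=8):
        """Return the plaintext codes (shown to the user once, stored in their
        password manager, then discarded server-side) and the hash-only verifier."""
        codes = [secrets.token_hex(5) for _ in range(count)]  # 40 bits of entropy each
        return codes, cls(cls._digest(c) for c in codes)

    def redeem(self, code):
        digest = self._digest(code)
        if digest in self._hashes:
            self._hashes.discard(digest)  # burn it: a backup code is single-use
            return True
        return False

    def remaining(self):
        return len(self._hashes)


if __name__ == "__main__":
    now = int(time.time())
    verifier = TotpVerifier(RFC_SECRET)
    code = totp(RFC_SECRET, now)
    print("code:", code, "first use:", verifier.verify(code, now), "replay:", verifier.verify(code, now))
    plain, backups = BackupCodes.issue()
    print("backup codes to print once:", plain)
    print("redeem:", backups.redeem(plain[0]), "again:", backups.redeem(plain[0]), "left:", backups.remaining())
```

Two things in this code are what the guide's advice depends on. The code is derived from the time and a secret that never leaves the phone and the server, which is why an attacker with only the password is stopped. And the backup codes are useful only if they were generated and stored before the phone was lost, which is why registering them is a setup step, not a recovery step.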

Step by step for Microsoft 365:

  1. Go to Microsoft 365 Admin Center > Settings > Org Settings > Security & Privacy
  2. Under "Multifactor authentication," select "Manage MFA settings"
  3. Enable MFA for all users
  4. In "Multi-factor authentication settings," under "Service settings," allow users to remember MFA on trusted devices for 90 days
  5. Enable "Require users to provide contact methods for account verification" so everyone registers a backup

Step by step for Google Workspace:

  1. Admin Console > Security > 2-Step Verification
  2. Click "Allow users to turn on 2-Step Verification" (let them opt in first)
  3. After a week, change to "Enforce 2-Step Verification" for all users
  4. Set a grace period (7 days) so users can set it up
  5. Under "Advanced settings," consider disabling SMS as an option (authenticator app only)

When to hire help

Do it yourself if:

  • You have fewer than 20 users
  • Your team is comfortable setting up authenticator apps
  • You can walk around and help people enroll

Get help if:

  • You have resistant employees who won't enroll
  • You have non-technical staff who struggle with authentication apps
  • You want someone to enforce MFA policies automatically
  • You've already had an account compromise and need to audit and secure all access
  • You're using a mix of services (Microsoft, Google, AWS, Salesforce) and want one provider to manage MFA across all of them
