Security · 5 min read

Multi-factor authentication without the headaches

MFA stops the vast majority of account takeovers. Done right, your team barely notices it after the first week.

Multi-factor authentication is the single most effective control you can put on a Microsoft 365 or Google Workspace account. Microsoft's own data puts it at blocking more than 99% of automated account compromise attempts.

So why do so many small organisations still not have it on every account? Usually because the first rollout went badly, somebody got locked out at a bad moment, and the project quietly stalled.

Done in the right order, with the right method, it doesn't have to be that way.

Pick the right second factor

Not all MFA is equal. In rough order, best to worst:

1. Passkeys or hardware keys (FIDO2, YubiKey). Phishing-resistant, fast, no codes to type. Best for owners, finance and admin accounts.
2. Authenticator app with number matching (Microsoft Authenticator, Google Authenticator). Solid for everyday staff.
3. Authenticator app with a six-digit code. Fine, but vulnerable to a determined phishing attack.
4. SMS codes. Better than nothing, but SIM-swap attacks are real. Use only as a fallback.
5. Email codes. Avoid. If the email account is compromised, so is the second factor.

For most small teams, the authenticator app with number matching is the sweet spot.

The rollout order that works

1. Enrol yourself and one or two friendly colleagues first. Iron out the wrinkles before anyone else sees it.
2. Write a one-page guide with screenshots for the exact app and steps your team will use.
3. Set up a recovery method for every account before enforcement: a backup phone number, a second device, or a printed recovery code stored safely.
4. Enforce in waves, not all at once. A handful of users per day means support requests stay manageable.
5. Be available the morning after each wave. Most issues surface on the first login of the next day.

The common pain points, and the fix

  • "I lost my phone." With a recovery method in place, this is a five-minute reset, not a crisis.
  • "It keeps asking me every time." Usually a browser in private mode, or cookies being cleared. Easy fix.
  • Shared mailboxes and generic accounts. Convert these to proper shared mailboxes with no sign-in, accessed through a real user account that has its own MFA.
  • Older line-of-business apps that don't support modern auth. Either upgrade them, isolate them, or use app-specific passwords with tight scope.

What good looks like

Within a fortnight, MFA should be on every account, with no exceptions for "the boss" or "the bookkeeper"; those are exactly the accounts attackers target. After the first week, prompts drop to once every few days on trusted devices, and the team stops noticing it.

If you'd like a hand rolling MFA out across your organisation cleanly, get in touch.

Need a hand with this?

I help small organisations across the UK with exactly this kind of work. Honest advice, plain English, no pressure.