Multi-factor authentication (MFA) is the single most effective thing you can do to stop account takeover — and it takes about ten minutes per person. Here is how it works and why it matters.
What MFA is
MFA combines something you know (your password) with something you have (your phone or a security key). Even if an attacker steals or guesses your password, they cannot get in without that second factor. Microsoft has stated that MFA blocks more than 99.9% of automated account-compromise attacks — a number that is hard to ignore for a control that costs nothing on most business plans.
Why passwords alone are finished
Billions of passwords have leaked in past breaches, and attackers replay them automatically. The ASD continues to rank credential compromise among the most common causes of incidents reported by Australian businesses. A password is a single point of failure. MFA turns a stolen password from a disaster into a non-event, because the password on its own is no longer enough.
Not all MFA is equal
SMS codes are better than nothing, but they can be intercepted or SIM-swapped. App-based approval through Microsoft Authenticator is stronger. Best of all is number-matching, where you type a number shown on screen into the app — this defeats the MFA-fatigue attacks where criminals spam you with approval prompts at 3am hoping you will tap Approve just to make it stop. For the highest-risk accounts, hardware keys are stronger still.
Where to turn it on first
Start with email and administrator accounts today — they are the master keys to everything else. Email in particular is the recovery path for almost every other service, so protecting it protects the lot. From there, extend MFA to every business application. With Microsoft 365 we can enforce it tenant-wide using Conditional Access, including rules that only prompt for a second factor in risky situations so it stays out of the way day to day.
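As an added illustration (not code from the original article), this is the shape of two such Conditional Access policies created with the Microsoft Graph PowerShell module: one that always requires MFA for administrator roles, and one that prompts everyone else only when the sign-in is rated medium or high risk. The account ID is a placeholder, both policies start in report-only mode, and risk-based conditions assume the tenant is licensed for Entra ID Protection.

```powershell
# Added example: Conditional Access policies enforcing MFA tenant-wide.
# Assumes the Microsoft.Graph module is installed and the signed-in admin can manage policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of your emergency-access ("break-glass") account. It must be
# excluded so a mistaken policy cannot lock every administrator out of the tenant.
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

# Policy 1: administrator roles always need a second factor, regardless of risk.
# 62e90394-69f5-4237-9190-012177145e10 is the Global Administrator role template ID;
# add the other privileged roles you use.
$adminPolicy = @{
    displayName   = "CA - Require MFA for administrators"
    state         = "enabledForReportingButNotEnforced"   # review sign-in logs, then set to "enabled"
    conditions    = @{
        users          = @{
            includeRoles = @("62e90394-69f5-4237-9190-012177145e10")
            excludeUsers = @($breakGlassAccountId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: everyone else is prompted only when Identity Protection rates the
# sign-in as medium or high risk, so routine low-risk sign-ins stay frictionless.
$riskPolicy = @{
    displayName   = "CA - Require MFA on medium or high sign-in risk"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users            = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        applications     = @{ includeApplications = @("All") }
        clientAppTypes   = @("all")
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $adminPolicy
New-MgIdentityConditionalAccessPolicy -BodyParameter $riskPolicy
```

Report-only mode records in the sign-in logs which users would have been prompted, which is the check to run for a week or two before switching either policy to enforced.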
The bottom line
MFA is a rarity in security: cheap, fast to deploy, and overwhelmingly effective. It is one of the ACSC Essential Eight controls, and it is the first thing we enable for any new managed client. If your business is not running MFA on every mailbox yet, that is the single most valuable hour of IT work you could schedule this month.
What the attack data shows
The case for MFA is not theoretical. Microsoft, which sees a vast slice of global sign-in traffic, has reported that the overwhelming majority of compromised accounts did not have MFA enabled — and that enabling it blocks more than 99.9% of automated attacks. The Australian Signals Directorate places MFA among its Essential Eight mitigation strategies for exactly this reason. In the incidents we are called to investigate at Elevate, the pattern is depressingly consistent: the breached account almost never had MFA, and the neighbouring accounts that did were untouched. It is the closest thing to a silver bullet that exists in everyday security, which is why it is non-negotiable in every managed agreement we run. If you do one thing after reading this, switch it on for your email today.