What Is MFA?
MFA stands for **Multi-Factor Authentication**. It is a security method that requires you to verify your identity in two or more ways before you can log into an account. Instead of just typing a password, you also enter a code from your phone, tap a notification, or use a fingerprint.
The logic is simple: even if someone steals your password, they still cannot get in without the second factor.
Why Passwords Alone Are Not Enough
Passwords are the weakest link in business security. Here is why:
Microsoft reports that MFA blocks **99.9% of account compromise attacks**. That is the single most impactful security measure a business can implement — and it is free.
How MFA Works
MFA combines two or more of these three types of factors:
Something You Know
Your password, PIN, or security question answer. This is the factor you already use.
Something You Have
A physical device — your phone, a hardware security key, or a smart card. The most common is a code sent to your phone or generated by an authenticator app.
Something You Are
A biometric — fingerprint, face scan, or voice recognition. This is increasingly common on phones and laptops.
When you log in with MFA, the flow looks like this:
1. You enter your username and password (something you know)
2. The system prompts for a second factor
3. You open your authenticator app and enter the 6-digit code (something you have)
4. You are logged in
Even if an attacker has your password from a phishing attack or data breach, they cannot complete step 3 without your phone.
Types of MFA Methods
Not all MFA methods are created equal. Here they are ranked from most secure to least:
Hardware Security Keys (Best)
Physical USB or NFC keys like YubiKey. You plug it in or tap it to authenticate. Immune to phishing because the key verifies the website is legitimate before responding.
Authenticator Apps (Recommended)
Apps like Microsoft Authenticator, Google Authenticator, or Authy generate time-based 6-digit codes that change every 30 seconds. No cellular signal needed — they work offline.
Push Notifications (Good)
Apps like Microsoft Authenticator or Duo send a push notification to your phone. You tap "Approve" to log in. Convenient, but vulnerable to MFA fatigue attacks where attackers spam approve requests hoping you tap one by mistake.
SMS Text Codes (Acceptable)
A code sent via text message to your phone number. Better than no MFA, but vulnerable to SIM swapping — where an attacker convinces your carrier to transfer your number to their SIM card.
Email Codes (Weakest)
A code sent to your email. If an attacker already has your email password, this provides no additional security. Only use this as a last resort.
**Our recommendation:** Use authenticator apps for everything, and use hardware keys for high-value accounts (admin accounts, banking, domain registrars).
Where to Enable MFA First
If you are starting from zero, enable MFA on these accounts in this order:
1. **Email (Microsoft 365 or Google Workspace)** — Email is the master key. Password resets, notifications, and business communications all go through email.
2. **Domain registrar** — If someone takes over your domain, they control your website and email.
3. **Banking and financial accounts** — Self-explanatory.
4. **Cloud storage (OneDrive, Google Drive, Dropbox)** — Contains sensitive documents.
5. **VPN and remote access** — The front door to your network.
6. **Line-of-business applications** — Practice management, CRM, EHR, accounting software.
7. **Social media accounts** — Business reputation protection.
Common MFA Objections (and Why They Are Wrong)
"It's too annoying"
Modern MFA takes 5 seconds. Compare that to the weeks of downtime and thousands of dollars lost to a single compromised account.
"My team won't use it"
They will if you make it mandatory. Set a policy, give everyone 48 hours to set up their authenticator app, and offer a 15-minute group training session.
"We're too small to be targeted"
43% of cyberattacks target small businesses. Automated attacks do not check company size — they try every credential in the database.
"We already have antivirus"
Antivirus protects your devices. MFA protects your accounts. They solve different problems. You need both.
MFA for Microsoft 365 (Step-by-Step)
Since most of our clients use Microsoft 365, here is how to enable MFA:
1. Sign in to the **Microsoft 365 admin center**
2. Go to **Users → Active Users**
3. Click **Multi-factor authentication** in the top menu
4. Select all users and click **Enable**
5. Each user will be prompted to set up MFA at their next login
6. They download Microsoft Authenticator, scan a QR code, and they are done
For organizations, we recommend using **Conditional Access policies** instead of per-user MFA. This lets you require MFA only in certain conditions (new device, new location, risky sign-in) while letting low-risk logins pass through smoothly.
How Triangle Tech Handles MFA
MFA is enabled on every account we manage — no exceptions. Here is our approach:
If your business is not using MFA yet, you are one phishing email away from a breach. Contact us and we will get it set up for your team — usually in under an hour.