Your staff hate multi-factor authentication. They will tell you it is annoying, it slows them down, and they do not understand why they need it. They are right that it adds a few seconds to their login. They are wrong about everything else.
MFA, also called two-factor authentication or 2FA, is the single most effective security control you can put in place. Microsoft’s own data shows it blocks over 99 per cent of automated account attacks. If your business uses Microsoft 365 and MFA is not turned on for every user, you have a problem that needs fixing this week, not next quarter.
Here is what MFA actually does, why it matters, and how to roll it out without starting a staff revolt.
What MFA Is in Plain English
MFA means needing two things to log in instead of one. The first thing is your password. The second thing is a verification step, usually a push notification or code from an app on your phone.
Think of it like your front door. A password is the key. MFA is the deadbolt. If someone copies your key (steals your password), they still cannot get through the deadbolt (the second factor on your phone).
The most common setup for small businesses is Microsoft Authenticator, a free app that sends a push notification to your phone when you log in. You tap “approve” and you are in. It takes about three seconds.
What MFA Actually Stops
The attacks MFA prevents are not theoretical. They are happening to Australian businesses every week.
Password spraying. Attackers try common passwords (Password1, Summer2026, your company name plus 123) across thousands of accounts. If one of your staff has a weak password, the attacker gets in. With MFA, a correct password is not enough. They also need access to the staff member’s phone.
Credential stuffing. Your staff reuse passwords. They know they should not, but they do. When a password is leaked in a data breach from another service, attackers try that same email and password combination against Microsoft 365, banking portals, and anything else they can find. MFA stops them at the door.
Phishing. An employee clicks a link in a convincing email and types their password into a fake login page. Without MFA, the attacker now has full access to that mailbox. With MFA, the attacker has a password but cannot complete the login without the second factor.
These are not exotic attacks. They are the bread and butter of cybercrime, and MFA neutralises all three.
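As an added illustration of the three attacks above (not code from the original post), here is a small Python triage over constructed sign-in events in the rough shape Microsoft 365 sign-in logs record: it flags a source address that is spraying many accounts, and separates the accounts MFA stopped (password known to the attacker, second factor not met) from the accounts with MFA switched off that were fully compromised. The field names, the sample addresses and the spray threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample sign-in events (not real log data). "result" records the
# password check; "mfa" records the second factor: "satisfied", "failed", or
# "not_required" (what an account with MFA switched off records).
SIGN_INS = [
    {"user": "alice@example.com.au", "ip": "203.0.113.7",   "result": "password_fail", "mfa": "not_required"},
    {"user": "bob@example.com.au",   "ip": "203.0.113.7",   "result": "password_fail", "mfa": "not_required"},
    {"user": "carol@example.com.au", "ip": "203.0.113.7",   "result": "password_fail", "mfa": "not_required"},
    {"user": "dave@example.com.au",  "ip": "203.0.113.7",   "result": "password_ok",   "mfa": "failed"},
    {"user": "erin@example.com.au",  "ip": "203.0.113.7",   "result": "password_fail", "mfa": "not_required"},
    {"user": "frank@example.com.au", "ip": "203.0.113.7",   "result": "password_ok",   "mfa": "not_required"},
    {"user": "alice@example.com.au", "ip": "198.51.100.20", "result": "password_ok",   "mfa": "satisfied"},
]

# Assumed threshold: one address trying this many distinct accounts looks like a spray.
SPRAY_USER_THRESHOLD = 5


def spraying_sources(events, threshold=SPRAY_USER_THRESHOLD):
    """Return {ip: [users]} for addresses that tried at least `threshold` distinct accounts."""
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= threshold}


def stopped_by_mfa(events):
    """Accounts where the password was correct but the second factor was not met.
    The attacker already holds the password, so it must be changed."""
    return sorted({e["user"] for e in events if e["result"] == "password_ok" and e["mfa"] == "failed"})


def compromised_without_mfa(events):
    """Correct password on an account with no MFA: the attacker is in, and the
    mailbox needs an incident response, not just a password reset."""
    return sorted({e["user"] for e in events if e["result"] == "password_ok" and e["mfa"] == "not_required"})


if __name__ == "__main__":
    print("Spraying sources:", spraying_sources(SIGN_INS))
    print("Passwords known but blocked by MFA:", stopped_by_mfa(SIGN_INS))
    print("Compromised (MFA off):", compromised_without_mfa(SIGN_INS))
```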
The Objections You Will Hear (and How to Handle Them)
“It is too slow.” An Authenticator push notification adds three to five seconds. Across a full workday, that is less than a minute. Your staff spend more time making coffee.
“I do not have a work phone.” MFA does not require a work phone. The Authenticator app runs on personal phones and does not give your business access to anything else on the device. It does not read messages, track location, or monitor usage. If a staff member genuinely cannot use their phone, hardware security keys are an alternative.
“I keep getting locked out.” This usually means the setup was rushed or the Authenticator app was not configured correctly. A proper rollout includes one-on-one setup for any staff member who needs it, backup recovery codes, and a clear process for when something goes wrong.
“We are too small to be a target.” Small businesses are the primary target. Attackers do not manually choose victims. They run automated tools that try millions of accounts. Your business is not too small to be found. It is too small to recover easily if an account is compromised.
How to Roll Out MFA Without a Revolt
The businesses that struggle with MFA rollouts are the ones that turn it on without warning and leave staff to figure it out.
Here is what a smooth rollout looks like:
Communicate first. Tell your team what is happening, why it matters, and when it starts. Give them a week’s notice. Frame it as protecting the business and protecting them personally. If their work account is compromised, it creates problems for everyone.
Set up in small groups. Do not switch on MFA for the entire business at 9am on a Monday. Roll it out team by team. Start with the people who are comfortable with technology. Let them become informal guides for the rest.
Provide hands-on setup support. Walk each person through installing the Authenticator app and registering their device. This takes five minutes per person. It prevents 90 per cent of the “it is not working” calls that come later.
Have a backup plan. Make sure every user has backup recovery codes stored securely. Designate someone (your IT provider or an internal contact) who can help with lockouts. The first week will generate a few support requests. That is normal.
Set the expectation that this is permanent. MFA is not a trial. It is not optional. It is a baseline security requirement, the same as locking the office door. Once staff understand it is not going away, the complaints stop within a week.
MFA Is a Baseline, Not a Finish Line
MFA is one control. It is the most impactful single change you can make, but it does not cover everything. It does not patch your software, back up your data, or stop a staff member from downloading malware. It is one layer in a security stack whose controls work together.
If you want to know where MFA fits into your broader security picture, and what else needs attention, take our free IT Maturity Assessment. It takes five minutes and gives you a clear view of where your business stands across the Essential Eight controls. No jargon, no sales pitch, just a practical starting point.