Multi-Factor Authentication for Small Business: Passkeys, Apps, and What Works in 2026
Passwords alone cannot protect your business. Learn why multi-factor authentication is essential, which methods are strongest, and how to implement MFA across your organisation.
The Problem
Passwords are no longer sufficient to protect business accounts. Attackers routinely obtain credentials through data breaches, phishing, and credential stuffing—they do not need to “hack” their way in when they can simply log in with stolen details.
For small and medium businesses, a single compromised account can lead to business email compromise, ransomware deployment, or theft of customer data. The ACSC Essential Eight explicitly requires multi-factor authentication for all users accessing sensitive systems.
Why This Matters
Without MFA, your business accounts are protected only by something an attacker can steal, guess, or phish. Multi-factor authentication requires a second verification method—something the attacker does not have—making stolen passwords far less useful.
According to Microsoft research, MFA blocks over 99% of automated account attacks. For most SMBs, implementing MFA is the single highest-impact security control available.
What Good Looks Like
A well-protected organisation enforces MFA on all user accounts, prioritises phishing-resistant methods for privileged access, and has documented procedures for account recovery that do not bypass MFA protections.
How to Implement It
Understand MFA Strength Levels
Not all MFA methods provide equal protection. NIST SP 800-63B classifies authentication methods by assurance level, and the Essential Eight requires phishing-resistant MFA for administrative accounts.
SMS Codes (Restricted)
SMS-based codes are classified as “restricted” under NIST guidelines. Attackers use SIM swapping to redirect text messages to their own devices. Use SMS only when no stronger option is available.
Authenticator Apps (Recommended)
Applications such as Microsoft Authenticator or Google Authenticator generate time-based codes on your device. These codes cannot be intercepted via SIM swapping. They are not phishing-resistant, however: the user still types the code into whatever page asked for it, so a convincing fake login page can relay a valid code to the real site within its 30-second window. That is why authenticator apps sit one tier below passkeys.
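To make concrete what "time-based codes on your device" means, here is an added example (not code from the original article or from any authenticator vendor) implementing the RFC 6238 TOTP algorithm that these apps use: the code is an HMAC of the current 30-second step number, so nothing needs to be transmitted to the phone. The verifier side accepts one step of clock drift and compares in constant time. The secret used in `main` is the published RFC 6238 test key, not a real enrolment.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// Period is the TOTP time step in seconds (the RFC 6238 default used by
// Microsoft Authenticator, Google Authenticator and most other apps).
const Period = 30

// hotp computes an RFC 4226 HOTP value: HMAC-SHA1 over the 8-byte big-endian
// counter, dynamically truncated to a 31-bit integer, reduced to `digits` digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP returns the code valid at unixTime: the counter is simply the number of
// 30-second steps since the Unix epoch, which is why the app needs no network.
func TOTP(secret []byte, unixTime int64, digits int) string {
	return hotp(secret, uint64(unixTime/Period), digits)
}

// VerifyTOTP accepts a submitted code if it matches the current step or the
// step either side, tolerating roughly 30 s of clock drift. The comparison is
// constant time and the loop does not exit early on a match.
func VerifyTOTP(secret []byte, submitted string, unixTime int64, digits int) bool {
	step := unixTime / Period
	ok := false
	for delta := int64(-1); delta <= 1; delta++ {
		if step+delta < 0 {
			continue
		}
		expected := hotp(secret, uint64(step+delta), digits)
		if hmac.Equal([]byte(expected), []byte(submitted)) {
			ok = true
		}
	}
	return ok
}

// DecodeSecret parses the base32 secret an enrolment QR code carries
// (the "secret=" parameter of an otpauth:// URI), ignoring spaces and padding.
func DecodeSecret(b32 string) ([]byte, error) {
	s := strings.ToUpper(strings.ReplaceAll(b32, " ", ""))
	s = strings.TrimRight(s, "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

func main() {
	// Constructed demo secret (the RFC 6238 test key "12345678901234567890").
	secret, err := DecodeSecret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	if err != nil {
		panic(err)
	}
	now := time.Now().Unix()
	code := TOTP(secret, now, 6)
	fmt.Printf("current code: %s (valid for %ds more)\n", code, Period-now%Period)
	fmt.Println("verifies:", VerifyTOTP(secret, code, now, 6))
}
```

The drift window is the usual trade-off: accepting the neighbouring steps keeps phones with slightly wrong clocks working, but it also means a code a user was tricked into revealing stays usable for up to a minute, which is the gap passkeys close.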
Modern authenticator apps support number matching, which defeats MFA fatigue attacks. When prompted to approve a login, the user must enter a number displayed on the login screen—preventing blind approval of malicious requests.
Passkeys and Hardware Keys (Strongest)
Passkeys (FIDO2/WebAuthn) and hardware security keys such as YubiKeys are phishing-resistant by design. A passkey is bound to the legitimate website—if you land on a fake login page, the passkey simply will not work. This makes them the gold standard for protecting high-value accounts.
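The "bound to the legitimate website" property has a concrete mechanism, shown here in an added example that is not code from the original article or from any FIDO library. It is a deliberately simplified model of a WebAuthn login: the browser records the page's origin in the client data, the authenticator signs over that data plus a hash of the relying-party ID it derives from the origin's host, and the site's server refuses any assertion whose origin or RP ID hash is wrong. The origins `login.example.com` and the look-alike `login-example.com`, the challenge string, and the single P-256 key standing in for a registered passkey are all constructed for the example; real deployments also handle attestation, COSE key encoding and sign counters, which are left out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
)

// clientData mirrors the CollectedClientData a browser builds for
// navigator.credentials.get(). The authenticator signs its hash, so the
// origin the browser saw is cryptographically part of every assertion.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the relying party gets back from the browser.
type Assertion struct {
	ClientDataJSON []byte
	AuthData       []byte // sha256(rpID) || flags || 4-byte sign counter
	Signature      []byte // ECDSA P-256 over AuthData || sha256(ClientDataJSON)
}

// NewCredential stands in for passkey registration: one P-256 key pair per site.
func NewCredential() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signedHash is the WebAuthn signature base: authenticatorData || hash(clientDataJSON).
func signedHash(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// SimulateGet models browser plus authenticator for a login on the page at
// origin. The browser derives the RP ID from the origin's host, so a look-alike
// domain can only ever ask for its own RP ID, never the real site's.
func SimulateGet(priv *ecdsa.PrivateKey, origin string, challenge []byte) (Assertion, error) {
	u, err := url.Parse(origin)
	if err != nil {
		return Assertion{}, err
	}
	cd, err := json.Marshal(clientData{
		Type:      "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge),
		Origin:    origin,
	})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(u.Hostname()))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; counter 1
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedHash(authData, cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}, nil
}

// VerifyAssertion is the relying-party side. The origin and RP ID hash checks
// are what make a passkey useless on a phishing page, however convincing it is.
func VerifyAssertion(pub *ecdsa.PublicKey, expectedOrigin, rpID string, challenge []byte, a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return fmt.Errorf("unexpected type %q", cd.Type)
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return fmt.Errorf("challenge mismatch (stale or replayed assertion)")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q", cd.Origin, expectedOrigin)
	}
	if len(a.AuthData) < 37 {
		return fmt.Errorf("authenticator data too short")
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(a.AuthData[:32], want[:]) {
		return fmt.Errorf("RP ID hash mismatch")
	}
	if a.AuthData[32]&0x01 == 0 {
		return fmt.Errorf("user presence flag not set")
	}
	if !ecdsa.VerifyASN1(pub, signedHash(a.AuthData, a.ClientDataJSON), a.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

func main() {
	priv, _ := NewCredential()
	challenge := []byte("constructed-challenge-not-random") // a real RP draws this from crypto/rand
	for _, origin := range []string{"https://login.example.com", "https://login-example.com"} {
		a, _ := SimulateGet(priv, origin, challenge)
		err := VerifyAssertion(&priv.PublicKey, "https://login.example.com", "login.example.com", challenge, a)
		fmt.Printf("%-28s -> %v\n", origin, err)
	}
}
```

Running it shows the legitimate origin verifying and the look-alike failing on the origin check; even a proxy that forwards the assertion cannot fix it, because the origin sits inside the signed data and the RP ID hash points at the wrong host.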
Enforce Number Matching for Push Notifications
If your organisation uses Microsoft 365, enable number matching in the Entra ID (Azure AD) authentication settings. This prevents MFA fatigue attacks where attackers spam approval requests hoping users will tap “approve” to stop the notifications.
If you receive an MFA prompt you did not initiate, deny it and report the incident to your IT administrator. This may indicate your password has been compromised.
Implement Phishing-Resistant MFA for Privileged Accounts
For administrative accounts (Global Admins, finance systems, domain registrars), passkeys or hardware keys should be mandatory. These accounts present the highest risk if compromised and warrant the strongest protection.
Ensure at least two administrators have hardware keys registered as a “break glass” recovery mechanism. If your primary identity provider experiences an outage, these physical keys provide a secure path back into your systems.
For related guidance on managing administrative access, see The Principle of Least Privilege.
Roll Out MFA to All Users
Begin with the highest-risk accounts (administrators, finance, executives), then extend MFA to all staff. Modern identity providers make this straightforward—most offer conditional access policies that enforce MFA based on user role or sign-in risk.
If your organisation uses password managers, these can coexist with MFA to address both password hygiene and second-factor protection.
Recognising MFA Fatigue Attacks
Attackers who have obtained a password may attempt to wear down users by sending repeated MFA prompts. If you receive unexpected approval requests—particularly outside business hours—do not approve them.
Report any suspicious MFA prompts immediately. This is often the first indicator that credentials have been compromised.
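Users reporting unexpected prompts is one signal; the identity provider's own sign-in log is the other, and a burst of denied or timed-out push prompts is exactly the pattern the "Recognising MFA Fatigue Attacks" and "Enforce Number Matching" sections describe. The following is an added example, not code from the original article or from any identity provider, that parses a small constructed log and raises an alert when one user receives several unapproved push prompts inside a short window, noting whether the burst fell outside business hours. The `key=value` line format, the user names, the addresses and the 2026-03-16 timestamps are all constructed; an Entra ID or other sign-in export would need to be mapped onto the same `PushEvent` fields first.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// PushEvent is one MFA push prompt as recorded by the identity provider.
type PushEvent struct {
	At     time.Time
	User   string
	Result string // approved, denied or timeout
	IP     string
}

// SampleLog is constructed for this example; it is not real sign-in data.
const SampleLog = `
# 2026-03-16 is a Monday; times are UTC
2026-03-16T02:13:05Z event=mfa_push user=alice@example.com result=denied ip=203.0.113.7
2026-03-16T02:13:41Z event=mfa_push user=alice@example.com result=timeout ip=203.0.113.7
2026-03-16T02:14:20Z event=mfa_push user=alice@example.com result=denied ip=203.0.113.7
2026-03-16T02:15:02Z event=mfa_push user=alice@example.com result=denied ip=203.0.113.7
2026-03-16T10:05:11Z event=mfa_push user=bob@example.com result=approved ip=198.51.100.4
2026-03-16T14:00:00Z event=mfa_push user=carol@example.com result=denied ip=198.51.100.9
2026-03-16T14:00:30Z event=password_reset user=carol@example.com ip=198.51.100.9
`

// ParseLog reads key=value lines and keeps only MFA push events.
func ParseLog(text string) ([]PushEvent, error) {
	var evs []PushEvent
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		at, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
		}
		kv := map[string]string{}
		for _, f := range fields[1:] {
			if parts := strings.SplitN(f, "=", 2); len(parts) == 2 {
				kv[parts[0]] = parts[1]
			}
		}
		if kv["event"] != "mfa_push" {
			continue
		}
		evs = append(evs, PushEvent{At: at, User: kv["user"], Result: kv["result"], IP: kv["ip"]})
	}
	return evs, sc.Err()
}

// Alert is raised once per user. AfterHours is set when any prompt in the
// burst fell outside 08:00-18:00 on a weekday in loc.
type Alert struct {
	User       string
	Count      int
	AfterHours bool
	Source     string
}

// DetectFatigue flags users with at least threshold unapproved prompts inside
// any span of length window. Approved prompts are ignored: a fatigue campaign
// shows up as a run of denials and timeouts before (or instead of) the approval
// the attacker is hoping for.
func DetectFatigue(evs []PushEvent, threshold int, window time.Duration, loc *time.Location) []Alert {
	byUser := map[string][]PushEvent{}
	for _, e := range evs {
		if e.Result != "approved" {
			byUser[e.User] = append(byUser[e.User], e)
		}
	}
	users := make([]string, 0, len(byUser))
	for u := range byUser {
		users = append(users, u)
	}
	sort.Strings(users) // deterministic output
	var alerts []Alert
	for _, u := range users {
		list := byUser[u]
		sort.Slice(list, func(i, j int) bool { return list[i].At.Before(list[j].At) })
		for i := range list {
			j := i
			for j < len(list) && list[j].At.Sub(list[i].At) <= window {
				j++
			}
			if j-i < threshold {
				continue
			}
			a := Alert{User: u, Count: j - i, Source: list[i].IP}
			for _, e := range list[i:j] {
				t := e.At.In(loc)
				if wd := t.Weekday(); wd == time.Saturday || wd == time.Sunday || t.Hour() < 8 || t.Hour() >= 18 {
					a.AfterHours = true
				}
			}
			alerts = append(alerts, a)
			break // one alert per user is enough to trigger a response
		}
	}
	return alerts
}

func main() {
	evs, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	// time.UTC keeps the example offline; use the organisation's zone in practice.
	for _, a := range DetectFatigue(evs, 3, 10*time.Minute, time.UTC) {
		fmt.Printf("ALERT %s: %d unapproved push prompts within 10m from %s (after hours: %v)\n",
			a.User, a.Count, a.Source, a.AfterHours)
	}
}
```

On the sample data only alice fires (four unapproved prompts in two minutes at 02:13 UTC), while bob's single approval and carol's lone denial do not. An alert like this is the cue to treat the password as compromised and reset it, which is also the moment number matching pays off: even if a worn-down user eventually taps approve, they cannot complete the prompt without the number shown on the attacker's screen.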
Action Item: Review your MFA enforcement policy this week. Confirm that all administrative accounts require phishing-resistant MFA (passkeys or hardware keys), and that number matching is enabled for push-based authentication.