MFA for SMB: you need to secure your key business accounts with MFA and manage those logins.
What is MFA?
MFA is multi-factor authentication. Instead of providing only a user name and password, you also have to provide a third piece of information to log into an account. More information: What is multi-factor authentication?
If you really want to secure your accounts, MFA is more important than passwords as it is harder to hack.
Key business accounts you should have MFA on:
- banking
- web site
- domain registrar
- social media accounts
- Microsoft 365/Google Workspace
- any accounts with personal information
- payroll
Managing MFA and employees
Has one of your employees put MFA on a mission critical account? Did they tie the MFA to their personal cellphone? What happens if that employee leaves suddenly?
This happened to a client some time back. I had warned them not to have only one employee with admin access to their Microsoft 365 account. This employee had tied not just the Microsoft 365 admin account but numerous other mission critical accounts to her phone. As the client had no list of those accounts and no exit plan for when this employee left, they ended up locked out of several of their accounts.
The business owner, not just employees, should have MFA-enrolled access to key accounts.
You should keep a spreadsheet of which accounts have MFA on them and what cell number they are tied to. I also recommend tracking whether contractors have access to any mission critical accounts and what level of access they have.
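As an added example (not part of the original post), here is a small audit of the kind of spreadsheet described above, exported as CSV. The column names, the sample rows and the role/method values are assumptions; it flags accounts with no owner access, accounts tied to a single person, SMS-based MFA and contractor access, and lists what must be re-enrolled before a given person leaves.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory (assumed columns, not from the original post):
# account, holder, role (owner/employee/contractor), method (app/sms/passkey), phone
INVENTORY_CSV = """account,holder,role,method,phone
Microsoft 365 admin,alice,employee,sms,555-0101
Microsoft 365 admin,owner,owner,app,555-0100
bank,alice,employee,sms,555-0101
domain registrar,bob,contractor,app,555-0102
payroll,owner,owner,passkey,
"""


def load_inventory(text):
    """Parse the CSV export of the MFA spreadsheet into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(rows):
    """Return (account, finding) pairs for the risks the post describes."""
    findings = []
    by_account = defaultdict(list)
    for r in rows:
        by_account[r["account"]].append(r)
    for account, holders in sorted(by_account.items()):
        roles = {h["role"] for h in holders}
        if "owner" not in roles:
            findings.append((account, "business owner has no MFA-enrolled access"))
        if len(holders) == 1:
            findings.append((account, f"single point of failure: only {holders[0]['holder']} is enrolled"))
        for h in holders:
            if h["method"] == "sms":
                # SMS codes go to the phone number, so a SIM swap on that number exposes the account
                findings.append((account, f"SMS MFA tied to {h['phone']} ({h['holder']}); exposed to SIM swap"))
            if h["role"] == "contractor":
                findings.append((account, f"contractor {h['holder']} has enrolled access"))
    return findings


def offboarding_report(rows, holder):
    """Accounts whose MFA must be re-enrolled before this person leaves."""
    return sorted({r["account"] for r in rows if r["holder"] == holder})


if __name__ == "__main__":
    rows = load_inventory(INVENTORY_CSV)
    for account, finding in audit(rows):
        print(f"{account}: {finding}")
    print("Re-enroll before alice leaves:", offboarding_report(rows, "alice"))
```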
Can MFA be hacked?
Yes, MFA can be hacked. One way is for a hacker to get access to your phone or your phone's SIM card. Once they clone the SIM, or steal the SIM card or the actual phone, they can receive the authentication codes for your accounts. More info on SIM swapping and cloning here.
Hackers usually reserve this tactic for high profile targets like celebrities or politicians.
The other way is that hackers install infostealers on your computer that steal logon cookies from your browser and use them to access your accounts. More information on infostealers here.
Rollover MFA, move onto Passkeys
Most vendors like Microsoft and Google enforce MFA on business accounts. Google and Microsoft already support the next phase in security, Passkeys. Passkeys get rid of passwords completely (no more naming the dog Rover123456) and replace the password with a PIN or a biometric identifier (fingerprint or face, for example). Find out more about Passkeys here.
MFA for SMB
Secure your key business accounts with MFA and track the cellphones used.