Why MFA is so important
A large proportion of cyber risk now centres around identity. If an attacker gains access to an email account, cloud platform or privileged admin account, the consequences can spread quickly across the rest of the organisation.
MFA adds an additional verification layer that makes unauthorised access much harder even when a password has already been exposed. For many businesses, this is one of the simplest security improvements with the highest impact.
"Account protection that doesn't depend on passwords alone — applied everywhere it counts."
Where MFA should be applied
MFA should not be limited to a few high-level admin accounts. It should be considered across the systems that matter most, especially those connected to email, cloud files, password management, remote access and business-critical platforms.
- Microsoft 365 and Exchange Online.
- Google Workspace.
- Password managers such as Keeper.
- Administrative and privileged accounts.
- Remote access and other high-value business systems.
A strong MFA strategy also involves thinking about recovery methods, user adoption and avoiding weaker fallback options where possible.
More than a switch to turn on
Although MFA is often described as a simple setting, businesses can still implement it poorly. Common issues include inconsistent coverage, insecure recovery methods, overreliance on weak factors, limited user education and administrative accounts being treated differently from the rest of the organisation.
We help businesses approach MFA properly — both technical setup and the practical realities of rollout.
How EduCom IT helps with MFA
- Review: current MFA coverage, gaps and weak factors across all platforms.
- Configure: Microsoft 365 conditional access, Google Workspace 2-Step Verification, and per-platform policies.
- Strengthen: authenticator apps as baseline, hardware keys for admins, phishing-resistant factors where it counts.
- Recover: sensible recovery paths so a lost phone doesn't lock anyone out, and doesn't open a back door either.
- Adopt: staff onboarding and rollout planning so MFA actually sticks.
- Forms a core control in the Essential Eight.
- Pairs with email security against business email compromise.
- Often deployed alongside Keeper for credential hygiene.
Frequently asked questions
What is multi-factor authentication?
MFA requires more than just a password — typically a second factor like an authenticator app code, push notification, hardware key or biometric. Even if a password is leaked, the account can't be accessed without the second factor.
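To make the "authenticator app code" concrete, the following is an added example written for this page, not code from EduCom IT or any vendor. It implements the standard behind authenticator apps (HOTP, RFC 4226, and its time-based variant TOTP, RFC 6238) with only the Python standard library, and pairs it with a password check so you can see that a correct password alone is rejected. The secret is the test secret published in those RFCs (so the codes can be checked against the RFC tables); the function names, the hypothetical user record and the PBKDF2 password storage are this example's own choices, not a description of any product.

```python
"""Added example: RFC 4226 HOTP / RFC 6238 TOTP plus a two-factor login check."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Constructed demo values: the RFC 4226/6238 reference secret, as raw bytes and
# in the Base32 form an authenticator app would import from an otpauth:// URI.
DEMO_SECRET = b"12345678901234567890"
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30      # TOTP time step used by almost every authenticator app
DIGITS = 6
PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """TOTP is HOTP with the counter derived from the current Unix time."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock drift.

    Every candidate is compared in constant time; a wider window makes guessing
    easier, so keep it at 1 and rate-limit attempts on the server.
    """
    counter = at // STEP_SECONDS
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code.strip()):
            return True
    return False


def enrol_user(password: str, totp_secret_b32: str) -> dict:
    """Hypothetical user record: salted PBKDF2 password hash plus the decoded TOTP secret."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": base64.b32decode(totp_secret_b32),
    }


def login(user: dict, password: str, code: str, at: int) -> str:
    """Both factors must pass. The response never says which one failed."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(candidate, user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, at)
    # Evaluate both before deciding so a leaked password cannot be confirmed
    # by timing, and so the second factor is always required.
    return "ok" if (pw_ok and code_ok) else "denied"


if __name__ == "__main__":
    user = enrol_user("correct horse battery staple", DEMO_SECRET_B32)
    now = int(time.time())
    print("current code:", totp(DEMO_SECRET, now))
    print("password + code:", login(user, "correct horse battery staple", totp(DEMO_SECRET, now), now))
    print("leaked password, no code:", login(user, "correct horse battery staple", "000000", now))
```

The codes this produces for the demo secret match the tables in RFC 4226 (counter 0 gives 755224, counter 1 gives 287082) and RFC 6238 (at Unix time 59 the 6-digit code is 287082, because 59 // 30 = 1). Note that a TOTP code is still a value the user types, so it can be relayed by a phishing page within its 30-second window; that is the gap hardware keys close.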
Where should we apply MFA first?
Start with Microsoft 365 / Google Workspace, admin accounts, password managers, remote access, and any system holding customer or financial data. Then extend to the rest of the environment.
Is SMS-based MFA secure enough?
SMS is better than nothing, but it's vulnerable to SIM-swap and interception, and the code can be phished like any other one-time code. We recommend authenticator apps as the baseline and hardware keys (e.g. YubiKey) for admin accounts; FIDO2/WebAuthn keys bind the login to the genuine site, so a phishing page can't relay it.
Will MFA slow down staff?
With sensible policies, no. Trusted devices, longer session lifetimes for known locations, and push approvals make MFA almost invisible day-to-day. Friction is highest on first-time logins and unknown devices — which is exactly when it should be.
What about staff who lose their phone?
Strong MFA design includes recovery paths: backup factors, helpdesk-mediated resets with identity verification, and clear processes that don't fall back to weak recovery options.
Can MFA stop business email compromise?
MFA dramatically reduces the chance of a successful credential-based attack. Combined with email security, conditional access and user education, it closes most of the common pathways into business inboxes.