If you do one security thing this year, it should be this. Multi-factor authentication (MFA) blocks over 99% of automated account takeover attempts — including the vast majority of phishing-led ransomware intrusions that have hit UK SMEs in the last three years. It is the single highest-return control available to a small business.
And yet many SMEs still don't have it enforced everywhere it matters. This guide is the practical how: which methods to choose, what to enable first, and how to actually get people using it without a mutiny.
What MFA actually is (and isn't)
MFA means proving identity with at least two of: something you know (a password), something you have (a phone or a key), and something you are (a biometric). For SMEs this usually means password plus a second factor from a phone app or a hardware key.
MFA is not the same as "single sign-on" (SSO), although the two usually work together. MFA is also not optional any more — it's mandatory under Cyber Essentials and is increasingly a contractual requirement for insurance, supply chains and public-sector work.
Which second factor to use
Not all MFA methods are equal. From weakest to strongest for everyday SME use:
- SMS one-time codes. Better than nothing, vulnerable to SIM-swap and some phishing kits. Use only for low-value recovery scenarios — never as admin MFA.
- Authenticator app codes (TOTP). Free, fast, works offline. Vulnerable to sophisticated real-time phishing kits but vastly better than SMS.
- Push approval via an authenticator app (e.g. Microsoft Authenticator, Duo). Number-matching prompts. Resistant to most phishing. The current sweet spot for general users.
- Hardware security keys (FIDO2 / WebAuthn). Phishing-resistant by design. Best option for admins, finance, executives and high-risk roles. Modest cost per user.
A sensible default: push approval for everyone, hardware keys for admins and anyone with payment authority. Move most users away from SMS entirely.
What to turn on first
Don't try to enable MFA on everything at once. Sequence it. Start with the entry points a real attacker hits first:
- Email. Your email account is the master key to password resets for everything else.
- VPN and remote access. Direct path into the corporate network for remote and hybrid workers.
- Cloud admin consoles (Microsoft 365, Google Workspace, AWS, Azure).
- Finance and payment systems. Authorisation to move money, regardless of job title.
- Code repositories and CI/CD — if you have developers.
- Everything else, in priority order.
The rollout — a realistic sequence
Week 1–2: build the admin foundations
- Decide the second factor: which app, which key, which accounts get hardware.
- Document a fallback: what happens when someone loses their phone at 11pm on a Sunday.
- Pick a start date. Put it in the diary before communicating the rollout.
Week 3: communicate
- Tell people why (not just the policy) — phishing and ransomware are newsworthy. Most users respond well to a specific recent example.
- Tell them what to expect on day one of enforcement.
- Tell them who to call if they're stuck or locked out.
- Tell executives before their assistants, or at the same time. Always.
Week 4–6: pilot, then enable
- Pilot with IT, then a friendly department, then leadership. Fix breakages before the broad rollout.
- Enable enforcement in stages by department, not all at once.
- Have someone available to handle lockouts for the first two weeks. Expect them.
Week 7 onwards: tighten and clean up
- Remove legacy protocols that bypass MFA (basic auth, app passwords, IMAP/POP with passwords).
- Move admins to phishing-resistant factors only.
- Add conditional access: block sign-ins from unexpected countries and anonymous IPs.
Driving adoption without breaking the business
Three patterns predict an awful rollout:
- Enabling enforcement on a Monday morning at 09:00 across the whole company.
- Choosing SMS as the only acceptable factor.
- Telling people "figure it out yourself".
Three patterns predict a smooth one:
- Phased enforcement, with a clear calendar.
- A second factor people actually like (push approval on their phone, not fumbling with codes).
- A real, named human to call when the prompt hasn't arrived and the boss is travelling.
Practical pitfalls and how to handle them
Shared accounts and service accounts
Don't put a phone in a drawer for the bookkeeping account. Service accounts get a managed identity or a hardware key locked in a safe; shared user accounts get split into named accounts.
Legacy apps that don't support modern MFA
Treat this as a project, not a blocker. Common offenders are old IMAP mail clients, legacy VPNs, line-of-business apps with hard-coded SMTP credentials. The cheapest fix is usually replacing the app. The second cheapest is a conditional access exemption with compensating controls (IP allowlist, monitored).
Travel and roaming
If staff travel to places with no signal: hardware keys, downloaded authenticator profiles set up in advance, and clear policy on what to do when a factor is unavailable.
The locked-out executive
Guaranteed to happen at the worst possible moment. Print a small number of break-glass accountsstored in a tamper-evident envelope, with two people required to open it. Test the break-glass procedure annually, like a fire drill.
What "good" looks like
- MFA enforced on 100% of cloud and remote-access accounts — including service accounts.
- Number-matching push approval for general users; phishing-resistant factors for admins.
- Conditional access policies: blocked countries, blocked anonymous IPs, MFA challenge on every sign-in from a new device.
- A tested break-glass process and a real fallback path for lost phones.
- Quarterly reporting to leadership: percentage of accounts protected, number of blocked sign-in attempts, any pattern of suspicious push approvals.
What it costs
For most SMEs, the marginal cost of doing MFA properly is small: licensing tiers of M365 and Google Workspace already include it. The real cost is the rollout project — your IT team or MSP spending two to four structured weeks making it happen. Compared to the cost of a single compromised inbox, it is one of the best ROI investments in your IT estate.
Need help with your MFA rollout?
We roll out MFA for SMEs across Hertfordshire, Bedfordshire and London — usually completing a company-wide deployment with hardware keys for admins in 3–6 weeks. If you'd like a scoping conversation, get in touch.
