What Is Multi-Factor Authentication (MFA) and Why Does Every UK Business Need It?
Multi-factor authentication (MFA) is one of the most effective security measures available to a small business — and one of the most frequently neglected. Microsoft's own data suggests that enabling MFA blocks over 99.9% of automated account compromise attacks. Despite this, a significant proportion of UK small businesses still rely on passwords alone to protect their email accounts, financial systems, and cloud applications. If your IT provider hasn't enforced MFA across your organisation, that needs to change.
What Is Multi-Factor Authentication?
Multi-factor authentication means requiring more than one piece of evidence before granting access to an account. Traditionally, logging in requires only something you know — your password. MFA adds a second factor: something you have (your phone, a hardware key) or something you are (a fingerprint or face scan).
The principle is simple: even if an attacker has your password — whether through a data breach, phishing, or brute force — they cannot access your account without the second factor. And the second factor is typically a physical device in your possession, which the attacker doesn't have.
Types of MFA
Not all MFA is equally secure. From most to least secure:
- Hardware security keys (FIDO2) — a physical USB or NFC device that you plug in or tap. Phishing-resistant, because the key only answers the genuine site it was registered with, so a look-alike login page gets nothing it can replay. Recommended for high-privilege accounts.
- Authenticator apps — applications like Microsoft Authenticator or Google Authenticator generate a time-based six-digit code, or send a push notification for you to approve. This is the recommended default for most small business users.
- SMS one-time codes — a six-digit code sent to your mobile number by text message. Better than no MFA, but vulnerable to SIM-swapping attacks. Acceptable but not ideal.
Why Passwords Alone Are No Longer Adequate
The uncomfortable truth is that passwords are regularly compromised without the account owner knowing anything about it. Data breaches at third-party services — which happen constantly — expose email addresses and passwords that are then sold on criminal marketplaces. If an employee reuses the same password across multiple services (which most people do, despite knowing they shouldn't), a breach at an unrelated website can give an attacker the credentials to your Microsoft 365 account, your accounting software, or your banking portal.
Password complexity requirements help, but they're not sufficient on their own. A twelve-character password with special characters is meaningless if it's been leaked in a breach. MFA renders leaked passwords useless — an attacker with the correct password still can't get in without the second factor.
MFA and Microsoft 365
For businesses using Microsoft 365, MFA is configured through the Microsoft 365 Admin Centre using either Security Defaults or Conditional Access policies. Security Defaults is Microsoft's baseline configuration that enforces MFA for all users — it's suitable for small businesses without specific compliance requirements and can be enabled in a few clicks. Conditional Access (available on Business Premium) provides more granular control: requiring MFA when users sign in from unfamiliar locations, blocking access from certain countries, or requiring a compliant device.
For more detail on what Microsoft 365 Business Premium includes on the security side, see our post on Microsoft 365 Business Basic vs Standard vs Premium.
The Microsoft Authenticator app
Microsoft Authenticator is the recommended MFA method for Microsoft 365. It's a free app available on iOS and Android that handles both push notifications (approve or deny a sign-in request) and time-based codes. The push notification method is particularly good for user experience: instead of typing a six-digit code, the user simply taps "Approve" on their phone. Setup takes about two minutes per user.
Why Your IT Provider Should Be Enforcing MFA — Not Just Recommending It
There's an important distinction between recommending MFA and enforcing it. Recommending means sending an email asking users to set it up. Enforcing means configuring your Microsoft 365 tenant so that MFA is required for every sign-in, and users cannot bypass it even if they'd prefer not to bother.
Users will consistently choose convenience over security if given the option. That's not a criticism — it's human behaviour. Your IT provider's job is to remove that choice by making MFA mandatory, not optional. If your IT support company has told you that you "should" enable MFA without actually configuring it for you, that's a gap in your service.
Lasetech enforces MFA as a baseline requirement for all managed IT clients. It's not an optional extra — it's the standard configuration that every organisation should have, regardless of size.
MFA and Cyber Essentials
The UK's Cyber Essentials scheme, updated in 2023, now explicitly includes MFA requirements for accounts with administrative privileges and for accounts that access cloud services. If your business is working towards Cyber Essentials certification — or if a client or government contract requires it — MFA is not optional. It's a certification requirement.
Given that ransomware and account compromise are two of the most common threats facing UK small businesses, the Cyber Essentials requirements around MFA reflect genuine risk reduction, not bureaucratic box-ticking. See our post on why UK small businesses are the number one target for ransomware for the broader context.
Frequently Asked Questions
What is multi-factor authentication in simple terms?
Multi-factor authentication means proving your identity in more than one way when you log in to an account. Typically, you enter your password (something you know) and then approve a notification on your phone or enter a code from an app (something you have). Even if someone steals your password, they can't log in without also having your phone.
Does MFA slow down logging in?
Marginally — approving a push notification adds two or three seconds to the sign-in process. In practice, most users adapt quickly and report that the interruption is negligible. Microsoft Authenticator's push notification method is particularly smooth. The security benefit is enormous relative to the minor inconvenience, and modern Conditional Access policies can reduce MFA prompts for trusted devices and locations, making the friction even lower.
Can MFA be bypassed by attackers?
No security measure is completely unbypassable, but MFA is highly effective against the most common attack methods. The most significant vulnerability is "MFA fatigue" — attackers repeatedly sending push notifications in the hope that a user approves one accidentally or out of frustration. Microsoft Authenticator now includes number matching (you must enter a number shown on the sign-in page into the app) which defeats this attack. Configuring number matching is a recommended best practice.
Is MFA required for Cyber Essentials certification?
Yes — since the 2023 update to the Cyber Essentials scheme, MFA is required for all accounts that access cloud services, including Microsoft 365, and for all accounts with administrative privileges. Businesses applying for Cyber Essentials or Cyber Essentials Plus certification must be able to demonstrate that MFA is enforced, not just available.
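One way to produce the "MFA is enforced, not just available" evidence an assessor asks for, as an added example using the Microsoft Graph PowerShell SDK (not Lasetech's own tooling). It assumes the SDK is installed and the signed-in account can consent to the reporting scopes; the CSV path is a placeholder:

```powershell
# Added example: list users with no registered MFA method, flag admins among them,
# and pick out users whose only second factor is a phone number (SMS or voice).
# Assumes the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# One record per user: IsMfaRegistered, IsAdmin, MethodsRegistered, etc.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$notRegistered    = $details | Where-Object { -not $_.IsMfaRegistered }
$adminsWithoutMfa = $notRegistered | Where-Object { $_.IsAdmin }

# Registered, but with nothing stronger than a phone-based method (ranked lowest above).
$phoneOnly = $details | Where-Object {
    $_.IsMfaRegistered -and
    -not ($_.MethodsRegistered -match "microsoftAuthenticator|softwareOneTimePasscode|fido2|windowsHelloForBusiness")
}

"Users checked:                 $($details.Count)"
"Users with no MFA registered:  $($notRegistered.Count)"
"Admins with no MFA registered: $($adminsWithoutMfa.Count)"
"Users with phone-only MFA:     $($phoneOnly.Count)"

# Export the gaps for the certification evidence pack (placeholder path).
$notRegistered + $phoneOnly |
    Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered, @{n = "Methods"; e = { $_.MethodsRegistered -join ";" }} |
    Export-Csv -Path "<OUTPUT-FOLDER>\mfa-gaps.csv" -NoTypeInformation
```

Registration alone is not enforcement: pair this report with the Conditional Access or Security Defaults setting that actually requires MFA, since a user can be registered while no policy compels them to use it.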