2FA/MFA: The Easiest Upgrade That Prevents Most Account Takeovers

You’re busy. Security feels like one more thing. But if there’s a single change that punches way above its weight, it’s turning on multi-factor authentication.

Why this matters

Most account takeovers happen because someone reused a password that leaked in a breach, or fell for a phishing email. MFA adds a second step, usually a code from your phone, so a stolen password on its own is no longer enough. Microsoft's own telemetry puts the figure at 99.9% of automated attacks (password spraying, credential stuffing) blocked. That's not a sales pitch; it's what the sign-in logs show. The caveat: that number is about bulk automated attacks. A targeted phisher who tricks you into typing a code into a fake login page and relays it within seconds can still get in, so which MFA method you pick still matters.

What to do (30 minutes)

  • Start with email. Email is the master key. If someone owns your inbox, they can reset passwords to everything else. Turn on MFA for Microsoft 365 or Google Workspace first.
  • Then banking, payroll, and anything with money. Anywhere a wire transfer or payment could happen.
  • Use an authenticator app, not SMS. Apps like Microsoft Authenticator, Google Authenticator, or Authy generate time-based codes on your phone from a secret that is stored on the device during setup. SMS works in a pinch, but a text message arrives over a channel you don't control and can be redirected by someone who takes over your phone number.
  • Store recovery codes somewhere safe. When you set up MFA, most services give you backup codes. Print them or save them in your password manager, not in your email, because anyone who gets into your inbox would get those too.

What about shared logins?

Shared logins are common in small businesses—a team inbox, a social media account, a vendor portal. MFA makes these trickier but not impossible.

  • Best option: Give each person their own login and grant shared access through the platform (most support this).
  • If you truly need one login: Use a password manager that supports shared vaults. Store the MFA secret in the vault so authorized people can generate codes. Be aware that the vault now holds both factors, so the password manager itself must be protected with strong MFA, and people must be removed from the shared vault the day they leave.
  • Avoid: Texting MFA codes to each other. It works until someone leaves and you can't revoke access cleanly, and it trains people to hand codes over on request, which is exactly what a phisher asks for.
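To make concrete what an authenticator app does with the "MFA secret" (and why a shared vault entry, or anyone who copies that secret, can produce identical codes), here is a minimal RFC 6238 TOTP implementation. This is an added example written for this post, not code from any authenticator product or password manager; the base32 string below is a constructed sample secret (it encodes the RFC 6238 reference secret), and the timestamps are fixed so the result is reproducible.

```python
"""Minimal RFC 6238 TOTP (time-based one-time password), standard library only.

Added example for this post. It shows that a TOTP code is a pure function of
(secret, current time): two phones, or a phone and a shared vault, that hold
the same secret will always agree on the code. Nothing here is product code.
"""
import base64
import hashlib
import hmac
import struct
import time


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 setup key shown next to the QR code (spaces/padding optional)."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding that apps usually omit
    return base64.b32decode(cleaned)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """Return the TOTP code for `secret` at `unix_time` (RFC 6238, SHA-1, 30 s steps)."""
    counter = unix_time // step                      # number of 30-second steps since epoch
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret: bytes, candidate: str, unix_time: int,
           window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the current step or `window` steps either side
    to tolerate phone clock drift. Uses a constant-time comparison."""
    for delta in range(-window, window + 1):
        expected = totp(secret, unix_time + delta * step, step=step)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: base32 of the RFC 6238 reference secret "12345678901234567890".
    vault_entry = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"
    secret = secret_from_base32(vault_entry)

    # Fixed timestamp from the RFC test vectors; the 8-digit vector is 94287082,
    # so the 6-digit code is its last six digits.
    print("code at t=59:", totp(secret, 59))          # 287082
    print("code now:    ", totp(secret, int(time.time())))

    # The same secret in a second place yields the same code: that is the whole
    # reason a shared vault "works", and also why the secret must be guarded.
    print("vault copy agrees:", totp(secret_from_base32(vault_entry), 59) == totp(secret, 59))
```

The `verify` function is what a service does with the code you type. Note that it never sees your secret leave the device at login time, only the six-digit result, which is why a phisher who captures that result has roughly 30 to 90 seconds to use it before it expires.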

“What if someone loses their phone?”

This is the #1 concern people raise, and it’s valid. Plan for it before it happens.

  • Recovery codes: Save them during setup. They’re your backup key.
  • Multiple MFA methods: Most services let you register more than one device or method. Add a backup.
  • Admin recovery: If you're on Microsoft 365 or Google Workspace, an admin can reset someone's MFA. Make sure at least two people have admin access so you're not locked out if one person is unavailable. Those admin accounts are the most valuable targets in the tenant, so they need MFA and saved recovery codes more than anyone else's.

Common mistakes

  • Skipping email and only enabling MFA on “important” accounts. Email is the important account.
  • Using SMS when an authenticator app is available. SMS is better than nothing, but SIM swapping is a real attack.
  • No recovery plan. MFA without backup codes is a lockout waiting to happen.
  • Turning it on without telling anyone. Give people a heads-up and five minutes of guidance. Surprise MFA prompts cause panic and support calls.

Quick checklist

  • MFA enabled on all email accounts
  • MFA enabled on banking and payroll
  • Authenticator app installed (not relying on SMS)
  • Recovery codes saved in password manager or printed
  • At least two people can do admin recovery
  • Staff know what to expect when MFA prompts appear

This post is part of the Minimum Security Posture series.

If you’d like a second set of eyes, I can run through this with you and point out the top risks in your setup—no pressure.