
Why Every Business Needs Multi-Factor Authentication in 2025


Here is a scenario that plays out across Southern California businesses every week. An employee's password gets stolen — maybe through a phishing email, maybe through a data breach at another website where they reused the same password, maybe through a brute-force attack on a weak credential. The attacker now has a username and password. They log in. They have full access to email, files, customer data, financial records, and every system that account could reach. The breach begins.

No alarm fires. No warning appears. As far as every system is concerned, it's just another login.

This is the reality of password-only security in 2025. Passwords are inherently fragile. They get phished, guessed, leaked, reused, and stolen. And a stolen password, on its own, should never be sufficient to give an attacker the run of your business. The solution — multi-factor authentication — is well understood, widely available, and still dramatically underdeployed across the SMB landscape.

99.9% of account compromise attacks are blocked by multi-factor authentication, according to Microsoft's own analysis of identity attacks across their platform.

That number is from Microsoft, and it is not cherry-picked. It comes from their analysis of billions of accounts and millions of attack attempts. MFA is not a nice-to-have feature for enterprise companies. It is the single most impactful security control a business of any size can deploy — and it costs almost nothing to implement when you already have Microsoft 365, Google Workspace, or most modern business software.

This article is going to tell you everything you need to know: what MFA actually is, what the different types mean in practice, why some forms of MFA are stronger than others, how to implement it across the systems that matter most, how IT Center enforces it for all managed clients, and how to handle the common objections your employees will raise. We will end with a step-by-step checklist you can hand to your IT person or give to us to implement for you.

What Multi-Factor Authentication Actually Is

Authentication — proving you are who you claim to be — relies on factors. Security professionals group these factors into three categories:

  • Something you know — a password, PIN, or security question answer
  • Something you have — a phone, a hardware key, a smart card
  • Something you are — a fingerprint, face scan, or other biometric

Single-factor authentication means you only use one of these. For most businesses today, that means a password — something you know. The problem with relying solely on something you know is that knowledge can be stolen, guessed, or socially engineered out of you without your awareness. The attacker learns what you know, and now they have exactly what is required to pass your security check.

Multi-factor authentication requires at least two of these categories simultaneously. The critical insight is that the categories must be different. Two passwords do not constitute MFA. A password plus a one-time code sent to your phone is MFA — because to authenticate, an attacker would need both your stolen password and physical possession of your phone at the same moment. That is an enormously harder attack to execute.

What MFA is not: Security questions ("What was your first pet's name?") are not a second factor — they are still "something you know," and the answers are often guessable from social media profiles. True MFA requires crossing into a different factor category. Do not count security questions as MFA.

The Four Types of MFA: What They Are and How They Compare

Not all MFA is equal. There is a meaningful spectrum between "better than nothing" and "cryptographically unphishable." Understanding where each method falls helps you make the right decisions for different parts of your business.

SMS / Text Message Codes (Acceptable)

A one-time code is texted to your phone after you enter your password. Common, easy to deploy, but vulnerable to SIM-swapping attacks where criminals convince your carrier to transfer your number to their device.

Authenticator Apps (Good)

Apps like Microsoft Authenticator or Google Authenticator generate a rotating 6-digit code every 30 seconds on your device. Not dependent on your carrier. Resistant to SIM-swap. Still vulnerable to real-time phishing: a lookalike login page can relay a freshly typed code before it expires, and a user can approve a fraudulent push prompt.

Hardware Security Keys (Best)

Physical USB or NFC devices (YubiKey, Google Titan Key) that must be physically present during login. Cryptographically phishing-resistant. The strongest consumer-grade MFA available. Recommended for privileged accounts and executives.

Biometrics / Device-Bound Passkeys (Good)

Face ID, Touch ID, or Windows Hello on a registered device. When implemented as a passkey (FIDO2), this is phishing-resistant and highly secure. Increasingly supported by Microsoft 365, Google Workspace, and modern web applications.

A Closer Look at SMS MFA: Better Than Nothing, But Not Ideal

SMS-based MFA deserves more explanation because it is the most commonly deployed and the most commonly misunderstood. The attack is called SIM swapping, and it works like this: a criminal calls your mobile carrier, poses as you, claims they lost their phone, and convinces customer service to transfer your phone number to a new SIM card they control. From that moment forward, every text message sent to your number arrives on their device instead of yours. Your MFA codes now go to the attacker.

SIM swapping is not theoretical — it has been used to compromise cryptocurrency accounts, business email accounts, and even accounts belonging to people who worked in cybersecurity. The criminal does not need your password or your phone. They need social engineering skills and a carrier's customer service line.

Does this mean SMS MFA is worthless? No. It still stops the overwhelming majority of automated credential-stuffing attacks. An attacker with a stolen password who tries to log into your Microsoft 365 account and hits an SMS MFA prompt will be stopped cold — because they do not have your phone number and cannot SIM-swap at scale. SMS MFA is a legitimate and meaningful security control.

What it is not: a reason to feel fully protected. For high-value accounts — executives, finance, IT administrators, anyone with access to sensitive data or financial systems — you should graduate from SMS to authenticator apps at minimum, and ideally to hardware keys. The protection gap is significant, and the upgrade cost is minimal.

"We tell every client the same thing: SMS MFA is like locking your front door but leaving the side gate open. It stops most attacks. But for your most valuable access, you need something stronger."
— Christian Vazquez, Founder, IT Center

Where MFA Must Be Enabled for Every Business

MFA is only effective where it is actually enforced. There is no value in enabling it on one system while leaving others completely open — attackers will simply find the unprotected path. Here are the critical systems where MFA must be mandatory for any business operating in 2025.

Microsoft 365 / Azure Active Directory

Microsoft 365 is the most targeted enterprise platform in existence. Every email, Teams conversation, SharePoint document, and OneDrive file lives here. If an attacker gets into M365, they have access to everything — and they can pivot to any system your company uses by reading emails, resetting passwords, and impersonating employees.

Microsoft includes MFA capabilities in all M365 business tiers. For basic tenants, Security Defaults enforce MFA across all users. For Business Premium and above, Conditional Access policies give you granular control — enforcing MFA from unrecognized devices, locations, or whenever risk signals are detected. IT Center configures Conditional Access for all managed M365 tenants; Security Defaults are a minimum but not sufficient for most businesses.

VPN and Remote Access

VPN access is a direct tunnel into your internal network. An attacker with stolen VPN credentials who is not stopped by MFA has the same access as your own employees — to servers, shared drives, internal applications, and everything else on your network. VPN MFA is non-negotiable. Every major VPN solution supports it. If yours does not, it is past time to replace it.

Business Email Accounts

Business email compromise (BEC) — where an attacker gains access to a business email account and uses it to redirect wire transfers, approve fraudulent invoices, or impersonate executives — caused $2.9 billion in losses in the United States in 2023 alone, according to the FBI. Virtually every BEC attack starts with a compromised email account. MFA on every email account eliminates the vast majority of this attack surface.

Business Banking and Financial Portals

If your bank offers MFA, enable it — and push for the strongest option they provide. Most business banking portals now support authenticator apps or hardware tokens. This is where SIM-swap attacks are most dangerous: a criminal with your banking login and your phone number forwarded to their SIM can initiate wire transfers, change account settings, and cause catastrophic financial damage before you even know what happened.

Cloud Storage and File Sharing

Dropbox, Google Drive, SharePoint, Box — wherever your business stores documents, MFA should be active. These platforms often hold sensitive client data, contracts, financial records, and intellectual property. A compromised cloud storage account can result in data theft that triggers breach notification obligations and regulatory penalties.

IT Administration Accounts

Any account with administrative privileges — domain admin, Microsoft 365 global admin, firewall admin, server access — needs the strongest MFA available. These accounts are the master keys to your entire environment. IT Center enforces hardware key MFA for all privileged accounts we manage. There is no exception.

How IT Center Enforces MFA for Every Managed Client

MFA enforcement is not something we offer as an option or suggest as a best practice. It is a technical requirement that we configure and enforce for every client we manage, without exception. Here is what that looks like in practice.

Conditional Access policies in Microsoft 365. For all M365 clients, we configure Conditional Access policies that block authentication without MFA, regardless of where the login attempt originates. Users cannot bypass MFA by connecting from the office network or a trusted device without going through the verification process. We also configure policies that increase scrutiny for logins from new locations, new devices, or during unusual hours — adding an extra layer of protection beyond the base MFA requirement.

Authenticator app enrollment for all users. During onboarding, we walk every user through Microsoft Authenticator setup, including enrollment of backup methods. We set a deadline for enrollment and then — after reasonable notice — block access for any account that has not completed MFA setup. This is where many IT teams fail: they enable MFA in policy but leave enforcement lax. We do not.

Hardware keys for privileged accounts. Any account with administrative access to any system we manage gets a hardware security key as the required MFA method. Authenticator apps are acceptable for standard users but not for accounts with the power to change security settings, access sensitive data at scale, or affect the entire tenant.

MFA for all supported systems. We extend MFA requirements to every platform and system in your environment that supports it — VPN, cloud services, line-of-business applications, and remote access tools. We document what we have enabled and flag any system that does not support modern authentication as a risk item requiring remediation or replacement.

Ongoing monitoring for MFA bypass attempts. Our monitoring includes alerts for authentication events that succeed without MFA — which can indicate policy gaps, legacy authentication protocols being exploited, or compromised administrative credentials. We close these gaps proactively rather than waiting for an incident to reveal them.

All of this is included in our flat-rate managed services model at $300 per computer user per month. MFA configuration and enforcement is not a separate line item — it is part of the baseline security posture we maintain for every client.

The Cost of Not Having MFA

Business owners sometimes treat MFA as a compliance checkbox — something to enable and forget. The actual cost of skipping it is much more concrete.

The average cost of a business email compromise incident — which MFA would have prevented — is $125,000 in direct financial losses, not counting recovery time, legal fees, and reputational damage. Ransomware attacks, which frequently begin with compromised credentials, cost SMBs an average of $250,000 to $500,000 when you account for downtime, data recovery, and business disruption. These are not theoretical numbers. They are averages from documented incidents.

Compare that against the cost of MFA deployment. For businesses already on Microsoft 365, the MFA infrastructure is included in your existing subscription. Authenticator apps are free. The cost of implementation is professional time to configure it correctly — which, for IT Center clients, is included in your managed services agreement.

The math is not close. MFA is one of the highest-return security investments a business can make, and the return comes not in revenue but in risk eliminated.

Addressing the Objections: "It's Inconvenient"

Here is the objection we hear from employees more than any other: MFA is inconvenient. And honestly? It is, slightly. There is an extra step. There is a code to retrieve or a prompt to approve. This is real, and dismissing it does not help.

What helps is context. When an employee understands that the extra ten seconds they spend approving an MFA prompt is the thing standing between their normal workday and a ransomware event that shuts the company down for two weeks — the inconvenience recalibrates. When they understand that their email account being compromised could lead to their colleagues receiving fraudulent wire transfer requests in their name — the math changes.

Practical steps that reduce friction without reducing security:

  • Number matching and geographic context. Modern Microsoft Authenticator prompts show the number displayed on screen and the location of the login attempt. This takes two seconds to verify and dramatically reduces accidental approvals of fraudulent prompts (MFA fatigue attacks).
  • Trusted device registration. Conditional Access can be configured so that employees who log in from a known, managed device do not face repeated MFA prompts every hour. They authenticate fully on enrollment day and then get a persistent session on that device.
  • Passwordless authentication. For Microsoft 365, we can configure Windows Hello for Business or the Microsoft Authenticator app as a passwordless authentication method — meaning employees tap an approve button on their phone and they're in, with no password to type at all. This is often faster than password-only login while being dramatically more secure.
  • Clear communication during rollout. Resistance to MFA is almost always about surprise and lack of context. When we roll out MFA for clients, we send a plain-English explanation to all staff before the change happens, hold a brief Q&A session, and provide a simple two-page guide for setup. Employees who understand why the change is happening cooperate at a dramatically higher rate.

MFA Implementation Checklist

Use this checklist as a roadmap. Work through it systematically, or hand it to your IT team or managed services provider to execute.

  1. Audit your current authentication state. List every system, application, and service your business uses. Note which ones support MFA and which do not. Flag any that do not support modern authentication as a security risk requiring action.
  2. Enable Conditional Access in Microsoft 365. Navigate to Azure Active Directory > Security > Conditional Access. Create a policy requiring MFA for all users on all applications. Set a grace period for enrollment, then enforce. If you are on a plan that does not include Conditional Access, enable Security Defaults as a minimum.
  3. Deploy Microsoft Authenticator to all employees. Communicate the change 5–7 days in advance. Provide setup instructions. Set an enrollment deadline. After the deadline, enforce the MFA policy and follow up with anyone who has not completed enrollment.
  4. Issue hardware keys for all administrative accounts. Identify every account with administrative privileges in every system. Procure hardware security keys (the YubiKey 5 series is our standard recommendation). Enroll and require hardware key MFA for all privileged accounts. Remove the authenticator app as a fallback option for these accounts.
  5. Enable MFA on your VPN. Access your VPN management console and enable MFA for all remote access connections. Most enterprise VPN solutions integrate directly with Azure AD or support RADIUS-based MFA. If your VPN does not support MFA, add it to your replacement roadmap.
  6. Enable MFA on business banking. Log in to your business banking portal and navigate to security settings. Enable the strongest available MFA option, preferring an authenticator app over SMS where available. Register backup methods and store recovery codes securely (not in email).
  7. Enable MFA on all cloud services. Work through your list of cloud services: Dropbox, Salesforce, QuickBooks Online, your payroll platform, cloud storage, and any other SaaS applications. Enable MFA on each. Where possible, use SSO through your Microsoft 365 or Google Workspace identity so MFA is enforced centrally.
  8. Block legacy authentication protocols. In Microsoft 365, block Basic Authentication and any legacy authentication protocols that can bypass MFA entirely. These legacy protocols are a common bypass route for attackers who have stolen credentials; disabling them closes the loophole.
  9. Enable MFA fatigue protection. Configure number matching in Microsoft Authenticator and enable additional context (geographic location of the login attempt) in your MFA prompts. This prevents attackers from flooding employees with approval requests until someone accidentally approves one.
  10. Document, monitor, and verify. Produce a report of MFA enrollment status across all users and systems. Review it quarterly. Add MFA status to your security onboarding checklist for new employees. Monitor authentication logs for any successful logins that bypassed MFA and investigate them immediately.
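Steps 8 and 10, and the monitoring described in the "How IT Center Enforces MFA" section, both come down to one check over the sign-in log: which successful logins did not complete MFA, and which of those came in over a legacy protocol that cannot challenge for it. The following is an added example, not IT Center's monitoring tooling, that runs that check over a small export. The field names follow the Microsoft Graph `signIn` schema that Entra ID (Azure AD) sign-in log exports use; the records themselves are constructed for illustration, and the function names are my own.

```python
"""Flag successful sign-ins that did not complete MFA.

Added example, not IT Center's monitoring tooling. Field names follow the
Microsoft Graph `signIn` resource used by Entra ID (Azure AD) sign-in log
exports; the sample records are constructed, and function names are mine.
"""
import json

# Client protocols that cannot present an MFA challenge. A success on one of
# these means a legacy-authentication path is still open (checklist step 8).
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "SMTP",
    "Authenticated SMTP", "Other clients",
}

# Constructed sample export: one JSON record per line, as a Graph or
# Log Analytics export would produce. Not real tenant data.
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime": "2025-03-04T08:01:12Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
{"createdDateTime": "2025-03-04T08:04:40Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Office 365 SharePoint Online", "clientAppUsed": "Browser", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"createdDateTime": "2025-03-04T08:09:03Z", "userPrincipalName": "carol@example.com", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"createdDateTime": "2025-03-04T08:11:27Z", "userPrincipalName": "dave@example.com", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Browser", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}}
"""


def parse_signins(text):
    """Yield one sign-in record per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def classify(record):
    """Return a finding name for a successful sign-in that skipped MFA, else None."""
    if record.get("status", {}).get("errorCode", -1) != 0:
        return None  # failed attempt: worth counting elsewhere, but not a bypass
    if record.get("clientAppUsed") in LEGACY_CLIENT_APPS:
        return "legacy-auth-success"   # protocol should have been blocked
    if record.get("authenticationRequirement") != "multiFactorAuthentication":
        return "no-mfa-success"        # policy gap, exclusion, or stolen session
    return None


def find_mfa_bypasses(text):
    """Return (user, application, finding) for every sign-in that needs triage."""
    findings = []
    for record in parse_signins(text):
        finding = classify(record)
        if finding:
            findings.append(
                (record["userPrincipalName"], record["appDisplayName"], finding)
            )
    return findings


if __name__ == "__main__":
    for upn, app, finding in find_mfa_bypasses(SAMPLE_SIGNIN_LOG):
        print(f"{finding:<20} {upn:<20} {app}")
```

Two of the four constructed records are reported: Bob's browser login that the tenant let through on a password alone, and Carol's IMAP4 login, which is the legacy-protocol case step 8 exists to eliminate. Dave's single-factor attempt is not reported because it failed. When triaging real output, check each `no-mfa-success` against your Conditional Access exclusions (break-glass accounts, service accounts) before treating it as an incident; a run of them for ordinary users usually means a policy gap rather than a compromise.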

MFA and Cyber Insurance: What Underwriters Are Now Requiring

If you are renewing a cyber liability insurance policy in 2025 or applying for one for the first time, you are going to answer questions about MFA. This is no longer a question that appears once at the bottom of the application. It is front and center.

Most carriers now require MFA on email, remote access, and privileged accounts as a condition of coverage. Some require it across all systems. The difference between having MFA deployed and not having it can mean the difference between a policy being issued, having a claim paid, or being denied coverage on a specific loss because a covered system lacked the required controls.

IT Center can provide documentation of your MFA deployment for insurance applications and renewals, including Conditional Access policy exports, enrollment status reports, and a written security posture summary. If your renewal is coming up, contact us and we will make sure you can answer every question on that application accurately and favorably.

Your Next Step

If you are running a business in Southern California and MFA is not enabled — or not fully enforced — across your critical systems, you have a gap that needs to close. Not eventually. Now.

The good news is that MFA deployment is one of the fastest wins in cybersecurity. Unlike a full security overhaul, it can be implemented systematically over a week or two without disrupting daily operations. The impact is immediate and substantial. That 99.9% stat is real — and it represents the attacks that simply stop happening the day MFA goes live.

IT Center has been protecting Southern California businesses since 2012. MFA configuration and enforcement is part of our standard managed services deployment for every client. If you want to know exactly where your current authentication posture stands — and what it would take to close any gaps — we offer a free security assessment with no obligation.

Get MFA Deployed Across Your Business

IT Center configures and enforces MFA for every managed client as part of our flat-rate service. Schedule a free assessment to see where your current authentication gaps are and what it takes to close them.


Or call us directly: (888) 221-0098
