Playbook: Multi-Factor Authentication Done Right (And Why SMS Is Not Enough)

Multi-factor authentication (MFA) is the highest-value security control most small businesses can turn on. It blocks the overwhelming majority of account-takeover attacks. But not all MFA is equal, and the way you set it up decides whether it actually protects you. Here is how to do it right.

Start where the money and the keys are

You do not have to do everything at once. Turn on MFA in this order: email first (it is the reset point for everything else), then banking and finance, then admin accounts, then the rest of your business apps. Email is the master key. Protect it before anything.

Know the levels, from weakest to strongest

  • SMS text codes. Better than nothing, but vulnerable to SIM-swapping and interception. Use it only where nothing better is offered.
  • Authenticator apps. A free app generates a rotating code. A big step up from SMS and the right default for most small businesses.
  • Number-matching push. A prompt that makes you type a number shown on the login screen, instead of just tapping “approve.” This defeats “approve by mistake” attacks, because the person approving has to be looking at the real login.
  • Passkeys and hardware security keys. The strongest option. These are phishing-resistant by design, because the credential is tied to the real website and cannot be handed to a fake one.

Avoid the “approve” trap

Simple one-tap “approve” prompts can be defeated by flooding someone with requests until they tap yes to make it stop. If your tools offer number matching, turn it on. And tell your team a simple rule: never approve a login prompt you did not start yourself. An unexpected flood of prompts is an attack in progress, not a glitch.
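The “flood of prompts” pattern is easy to spot in authentication logs once you look for it. As an added example (not code from the original playbook, and the log format is a constructed one, not any vendor’s), the following counts push prompts per user inside a sliding window and notes when an approval followed earlier denials, which is exactly the “tap yes to make it stop” sequence the rule above warns about.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log: "<ISO timestamp> <user> <event>". Alice receives five
# prompts in under a minute, denies two, then approves one; Bob gets one prompt.
SAMPLE_LOG = """\
2024-05-01T09:00:00 alice push_sent
2024-05-01T09:00:12 alice push_denied
2024-05-01T09:00:15 alice push_sent
2024-05-01T09:00:20 alice push_denied
2024-05-01T09:00:22 alice push_sent
2024-05-01T09:00:30 alice push_sent
2024-05-01T09:00:41 alice push_sent
2024-05-01T09:00:55 alice push_approved
2024-05-01T09:05:00 bob push_sent
2024-05-01T09:05:04 bob push_approved
"""


def parse_log(text: str) -> List[Tuple[datetime, str, str]]:
    """Turn the constructed log format into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.fromisoformat(ts), user, event))
    return events


def detect_fatigue(events: List[Tuple[datetime, str, str]],
                   max_prompts: int = 3,
                   window: timedelta = timedelta(minutes=5)) -> Dict[str, dict]:
    """Flag users who received more than `max_prompts` push prompts within any
    `window`-long span, and record whether they approved after denying."""
    by_user: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, user, event in events:
        by_user[user].append((ts, event))

    findings: Dict[str, dict] = {}
    for user, evs in by_user.items():
        evs.sort()
        sent = [ts for ts, e in evs if e == "push_sent"]

        # Largest number of prompts that fit inside one sliding window.
        burst, start = 0, 0
        for i, ts in enumerate(sent):
            while ts - sent[start] > window:
                start += 1
            burst = max(burst, i - start + 1)

        if burst > max_prompts:
            seen_denial = False
            approved_after_denials = False
            for _, e in evs:
                if e == "push_denied":
                    seen_denial = True
                elif e == "push_approved" and seen_denial:
                    approved_after_denials = True
            findings[user] = {
                "prompts_in_window": burst,
                "approved_after_denials": approved_after_denials,
            }
    return findings


if __name__ == "__main__":
    for user, detail in detect_fatigue(parse_log(SAMPLE_LOG)).items():
        print(user, detail)
```

A burst above the threshold is worth an alert on its own; a burst that ends in an approval is the case to treat as a likely compromise and reset the session.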

Plan for the lost-phone moment

MFA only sticks if it survives a lost or replaced phone. Save backup codes in your password manager, register a second factor where you can (a second key or a backup device), and write down a simple recovery process so a lost phone does not lock someone out of their own work.
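Backup codes only work as a recovery path if each one is random, shown to the user once, stored only as a hash, and usable exactly once. Here is an added example (not code from the original playbook) of that lifecycle on the server side; the code format, the salted PBKDF2-SHA256 hashing and the iteration count are assumptions of this example, not anything the playbook specifies.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

ITERATIONS = 100_000  # assumed work factor for this example


def _normalize(code: str) -> str:
    """Accept codes with or without the display hyphen, in any case."""
    return code.replace("-", "").strip().lower()


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, ITERATIONS)


def generate_backup_codes(count: int = 10) -> Tuple[List[str], List[Dict]]:
    """Return (plaintext codes to show the user once, records to store).
    Each record holds a per-code salt, the hash, and a used flag; the server
    never keeps the plaintext."""
    shown: List[str] = []
    records: List[Dict] = []
    for _ in range(count):
        raw = secrets.token_hex(5)                  # 10 hex chars of randomness
        code = f"{raw[:5]}-{raw[5:]}"                # display form, e.g. a3f9c-2b7e1
        salt = secrets.token_bytes(16)
        shown.append(code)
        records.append({"salt": salt, "hash": _hash_code(code, salt), "used": False})
    return shown, records


def redeem_backup_code(records: List[Dict], submitted: str) -> bool:
    """Consume a backup code: True on the first valid use, False on reuse or mismatch.
    Every record is checked so timing does not reveal which slot matched."""
    matched = None
    for rec in records:
        candidate = _hash_code(submitted, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]) and not rec["used"]:
            matched = rec
    if matched is None:
        return False
    matched["used"] = True
    return True


def remaining(records: List[Dict]) -> int:
    return sum(1 for rec in records if not rec["used"])


if __name__ == "__main__":
    codes, store = generate_backup_codes()
    print("Show these once:", codes)
    print("First use:", redeem_backup_code(store, codes[0]))
    print("Reuse:", redeem_backup_code(store, codes[0]))
    print("Remaining:", remaining(store))
```

The plaintext list goes into the password manager, as the playbook says; the server keeps only the hashed records, so a leaked database does not hand out working recovery codes.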

Make it the rule, not the exception

Where your platforms allow it, require MFA rather than leaving it optional. Optional MFA protects only the people who already cared. Required MFA protects everyone, which is the point.


See why setup matters in this story of a business that had MFA on and still got breached. Want to know which accounts in your business are still unprotected? Start with a free assessment.

Don’t wait for a breach to find your gaps. Value Aligners matches your business to the right cybersecurity tools in minutes — free.

Responses

  1. […] Account takeover and MFA fatigue. Attackers use leaked passwords, then wear down your defenses. Learn how to set up MFA the right way. […]

  2. […] is still essential. It just has to be set up the right way. Our Playbook on multi-factor authentication walks through […]