Multi-Factor Authentication for Australian Businesses: What It Is and How to Deploy It


Passwords have had a long run. For decades, a username and a secret string of characters stood between your business and an attacker. That model is broken. Credential databases are leaked in bulk, sold on dark web markets, and fed into automated attack tools that test millions of combinations per hour. For Australian small and medium businesses, the gap between a compromised password and a compromised business has never been smaller — and multi-factor authentication (MFA) is the most reliable way to close it.

This guide explains what MFA is, why it matters, which methods are worth using, and how to deploy it across the tools your business relies on every day.


What Is Multi-Factor Authentication?

Multi-factor authentication is a login security requirement that forces a user to prove their identity in two or more distinct ways before they are granted access to an account or system. The three recognised categories of proof are:

  • Something you know — a password, PIN, or security answer
  • Something you have — a mobile phone, hardware token, or smart card
  • Something you are — a fingerprint, face scan, or other biometric

A traditional login uses only one factor — the password. MFA requires at least two factors from different categories. Even if an attacker knows your password, they still cannot log in without the second factor, which they do not possess.

The numbers are stark. Microsoft's data shows that MFA blocks more than 99% of automated account compromise attacks. That single statistic is why MFA sits at the top of security frameworks worldwide, and why the Australian Cyber Security Centre (ACSC) lists it as Mitigation Strategy 1 in the Essential Eight — the baseline set of controls every Australian organisation should implement.

Two-factor authentication (2FA) is a subset of MFA — it specifically means two factors rather than three or more. In day-to-day business use, the terms are often used interchangeably, and the practical implementation is the same: you log in with a password and then confirm your identity a second time.


Why Passwords Alone No Longer Work

The failure of the password-only model is not theoretical. It is documented, measurable, and ongoing.

Credential stuffing. Billions of username and password combinations from past data breaches are freely available online. Attackers use automated tools to test these credentials against hundreds of services simultaneously. If a user's email and password were exposed in a breach of an unrelated website — a retailer, a gaming platform, a subscription service — those same credentials will be tested against your Microsoft 365 tenant, your cloud accounting software, and your VPN.

Phishing. Users hand over their passwords every day without realising it. A convincing fake login page for Microsoft 365 or a banking portal captures credentials in real time and sends them directly to the attacker. No malware is required; the user does the work themselves. The Australian Competition and Consumer Commission (ACCC) reported that phishing remains one of the most common initial access vectors in Australian cybercrime reports.

Password reuse. Research consistently shows that the majority of people reuse passwords across personal and work accounts. The average Australian SMB employee is likely using the same password — or a minor variation — across several platforms. A single breach of a personal account can directly expose corporate systems.

Brute force and password spraying. Attackers do not always rely on stolen credentials. Brute force attacks attempt enormous numbers of password combinations against a login endpoint. Password spraying takes the opposite approach — it tries a small number of common passwords (Password1, Welcome2024, the company name) across a large number of accounts, staying below lockout thresholds. Both attacks succeed regularly against accounts protected only by weak or reused passwords.

None of these attack methods are stopped by a stronger password policy. They are stopped by MFA.


Types of MFA — Ranked from Weakest to Strongest

Not all MFA is created equal. Some methods are significantly more resistant to attack than others. The table below ranks the most common methods.

| Method | How It Works | Strength | Best For |
|---|---|---|---|
| SMS OTP | A one-time code is sent via text message | Moderate — vulnerable to SIM swap attacks | Legacy systems where no other option exists |
| Email OTP | A one-time code is sent to the user's email address | Moderate — only as secure as the email account itself | Low-risk accounts; not recommended for primary business email |
| Authenticator app (TOTP) | A time-based one-time code generated by Google Authenticator or Microsoft Authenticator | Strong | Most business accounts — Microsoft 365, cloud apps, VPN |
| Push notification | A tap-to-approve prompt sent to a mobile app | Strong — but vulnerable to MFA fatigue attacks (see below) | Microsoft 365, enterprise applications |
| Hardware token (FIDO2/YubiKey) | A physical USB or NFC key — plugged in or tapped, no code entry required | Very strong — phishing-resistant by design | Privileged accounts, executives, finance teams |
| Passkeys | A device-bound cryptographic credential that replaces both password and MFA | Very strong — phishing-resistant by design | Modern applications supporting the WebAuthn standard |

A note on SMS OTP. SMS-based codes are better than no MFA at all, and they are widely supported. However, SIM swap fraud — where an attacker convinces a mobile carrier to transfer a victim's number to an attacker-controlled SIM — is a real and documented threat in Australia. Where possible, move business accounts away from SMS OTP and towards an authenticator app or stronger method.

A note on passkeys. Passkeys are an emerging standard that eliminates the password entirely, replacing it with a cryptographic credential stored on the device (phone, computer, or hardware key). Support is growing rapidly — Google, Apple, Microsoft, and a number of cloud platforms now support passkeys. For businesses running modern software stacks, passkeys represent the direction of travel.


MFA Fatigue Attacks — The Growing Threat

Understanding MFA fatigue is important for any business using push notification-based authentication.

Here is how the attack works. An attacker obtains a valid username and password — through phishing, credential stuffing, or purchase on the dark web. They attempt to log in to the target account. The login triggers a push notification to the user's phone: "Are you trying to sign in? Approve / Deny." The attacker does not stop at one attempt. They send dozens of push notifications in rapid succession, at any hour of the day, including late at night. Eventually, a user — confused, frustrated, or simply wanting the notifications to stop — taps Approve.

At that moment, the attacker is in.

This is precisely how Uber was breached in 2022. A contractor's credentials were obtained, and the attacker flooded the target with MFA push requests until one was approved, granting initial access that was then used to move laterally across Uber's infrastructure.

The mitigation is straightforward. Number matching requires the user to enter a specific number displayed on the login screen into their authenticator app before the approval is registered. Because the attacker cannot see the number displayed on the user's screen, they cannot generate the correct response — even if the user opens the app. Microsoft 365's Authenticator app now enforces number matching by default, which removes the tap-to-approve vulnerability for most business Microsoft 365 deployments.

For the highest-risk accounts, phishing-resistant MFA — FIDO2 hardware keys or passkeys — is the correct answer. These methods do not use push notifications at all, and cannot be bypassed by social engineering.
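The push flood described above leaves a pattern in sign-in logs, as does the password spraying covered earlier. The following added example (not the article's or any vendor's code) runs two detections over constructed sign-in records in an invented line format: a user who ignores or denies several push prompts in a short window, escalated if an approval follows, and one source address failing passwords across many accounts. Thresholds, field names and sample values are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log lines for illustration only (not real tenant data).
SAMPLE_LOG = """\
2024-05-14T02:13:05Z user=alice@example.com.au ip=203.0.113.7 result=MFA_DENIED method=push
2024-05-14T02:13:41Z user=alice@example.com.au ip=203.0.113.7 result=MFA_TIMEOUT method=push
2024-05-14T02:14:12Z user=alice@example.com.au ip=203.0.113.7 result=MFA_DENIED method=push
2024-05-14T02:15:33Z user=alice@example.com.au ip=203.0.113.7 result=MFA_APPROVED method=push
2024-05-14T09:01:10Z user=bob@example.com.au ip=198.51.100.20 result=PASSWORD_FAILED method=password
2024-05-14T09:01:12Z user=carol@example.com.au ip=198.51.100.20 result=PASSWORD_FAILED method=password
2024-05-14T09:01:15Z user=dave@example.com.au ip=198.51.100.20 result=PASSWORD_FAILED method=password
2024-05-14T09:01:18Z user=erin@example.com.au ip=198.51.100.20 result=PASSWORD_FAILED method=password
2024-05-14T09:30:00Z user=bob@example.com.au ip=192.0.2.44 result=MFA_APPROVED method=push
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+) method=(?P<method>\S+)$")
UNAPPROVED = {"MFA_DENIED", "MFA_TIMEOUT"}


def parse(log_text):
    """Parse the constructed format above; malformed lines are skipped rather than fatal."""
    events = [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def bursts(evs, window):
    """Yield every run of (time-ordered) events that starts at evs[i] and fits inside `window`."""
    for i in range(len(evs)):
        yield [e for e in evs[i:] if e["ts"] - evs[i]["ts"] <= window]


def detect_mfa_fatigue(events, min_prompts=3, window=timedelta(minutes=10)):
    """Flag a user with `min_prompts` unapproved push prompts inside `window`; an approval right after is the critical case."""
    alerts, by_user = [], defaultdict(list)
    for e in events:
        if e["method"] == "push":
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for burst in bursts([e for e in evs if e["result"] in UNAPPROVED], window):
            if len(burst) >= min_prompts:
                end = burst[-1]["ts"]
                approved = any(e["result"] == "MFA_APPROVED" and end <= e["ts"] <= end + window for e in evs)
                alerts.append({"type": "mfa_fatigue", "user": user, "prompts": len(burst), "approved_after_flood": approved})
                break  # one alert per user is enough; avoid re-reporting the same flood
    return alerts


def detect_password_spray(events, min_users=4, window=timedelta(minutes=10)):
    """Flag one source IP failing passwords for `min_users` distinct accounts inside `window` (few guesses, many accounts)."""
    alerts, by_ip = [], defaultdict(list)
    for e in events:
        if e["result"] == "PASSWORD_FAILED":
            by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        for burst in bursts(evs, window):
            users = {e["user"] for e in burst}
            if len(users) >= min_users:
                alerts.append({"type": "password_spray", "ip": ip, "accounts": len(users)})
                break
    return alerts
```

Running `detect_mfa_fatigue(parse(SAMPLE_LOG))` on the sample flags alice's three unapproved prompts followed by an approval; the lone approval for bob at 09:30 is not flagged, and the spray detector flags 198.51.100.20 against four accounts.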


Deploying MFA Across Your Business — Practical Steps

Rolling out MFA is not technically complex, but it does require a structured approach to avoid disrupting operations and to ensure every account is actually covered.

Start with email (Microsoft 365 or Google Workspace)

Email is the highest-value target for attackers and the one most businesses under-protect. A compromised email account enables business email compromise (BEC) — fraudulent payment redirection, invoice manipulation, and supplier impersonation. It also enables further account takeovers, because most cloud services use email for password resets. Whoever controls the inbox effectively controls every account tied to it.

Enable MFA on your Microsoft 365 or Google Workspace tenant before anything else. This is the foundation everything else rests on.

Extend to all cloud applications

Once email is protected, map every cloud application your business uses and identify which ones support MFA. Common targets include CRM platforms (Zoho, Salesforce, HubSpot), accounting software (Xero, MYOB), cloud storage (SharePoint, OneDrive, Google Drive), and remote access solutions including VPNs and remote desktop gateways. Each of these represents a potential entry point. MFA should be mandatory, not optional, on every service that handles business data or provides access to your network.

Require MFA for admin accounts first

If you are running a phased rollout — which is a reasonable approach for larger teams — admin accounts must be in scope from day one, not at the end of the project. Privileged accounts have the highest blast radius. An attacker with admin credentials can disable security controls, create new accounts, exfiltrate data in bulk, and deploy ransomware across the entire environment. Leaving admin accounts unprotected during a rollout, even briefly, is a material risk.

Use conditional access policies

For businesses running Microsoft 365, Conditional Access policies in Microsoft Entra ID (formerly Azure Active Directory) provide granular control over when and how MFA is required. Rather than a binary on/off, you can configure policies that step up to MFA when a user logs in from an unrecognised device, an unusual location, or outside business hours. You can require phishing-resistant MFA specifically for admin roles while applying standard authenticator-app MFA to general users. You can block access entirely from countries where your business has no legitimate users.

Conditional Access requires Microsoft Entra ID P1 or P2 licensing, which is included in Microsoft 365 Business Premium. It is meaningfully more powerful than the out-of-the-box Security Defaults and is the recommended approach for any business that has the licensing to support it.

Communicate the rollout to staff

MFA introduces a step that users have not experienced before. Without clear communication, the most common outcomes are resistance, confusion, and help desk calls at the moment of enforcement. Before rollout, explain to staff what is changing and why — in plain language, without jargon. Provide instructions for downloading and configuring the Microsoft Authenticator app. Tell them what to do if they cannot access their phone (a backup code or an IT contact to call). A short walkthrough session, even via a recorded video, reduces friction substantially and improves adoption.


MFA for Microsoft 365 — The Australian Business Standard

Microsoft 365 is the dominant productivity platform for Australian SMBs, which makes its MFA configuration particularly important to get right. There are three approaches, and they are not equally recommended.

Security Defaults is Microsoft's free baseline security configuration, available to all Microsoft 365 tenants. When enabled, it enforces MFA registration for all users and requires MFA at login based on Microsoft's risk assessment. It uses the Microsoft Authenticator app or another authenticator app that supports TOTP. Security Defaults is a significant improvement over no MFA; it costs nothing and takes minutes to enable from the Microsoft Entra admin centre. For businesses that have not yet enabled any form of MFA, Security Defaults is the correct starting point.

Conditional Access (Entra ID P1/P2) provides the policy-based control described above — location awareness, device compliance requirements, risk-based step-up authentication, and granular per-application or per-user rules. This is the approach recommended for businesses with Microsoft 365 Business Premium or higher licensing, and for any organisation that needs more than a blanket MFA requirement.

Per-user MFA is the legacy method — MFA configured individually on a per-account basis through the Microsoft 365 admin centre. It predates Security Defaults and Conditional Access and does not offer the same policy flexibility. It is not recommended for new deployments. If your Microsoft 365 environment is currently using per-user MFA, it is worth discussing migration to Conditional Access with your IT provider.

The minimum position for any Australian business on Microsoft 365 is Security Defaults enabled. If your tenant has that capability switched off — which may have happened historically to accommodate a legacy application or a VPN — re-enabling it should be treated as an urgent action.


What MFA Does NOT Protect Against

Honesty about the limits of any security control matters. MFA is one of the most effective controls available, but it does not protect against everything.

Malware on the endpoint. If an attacker has deployed a keylogger or remote access tool on a user's device, MFA does not prevent that attacker from operating within the active session. Endpoint security — including endpoint detection and response (EDR) tools — addresses this layer.

Adversary-in-the-middle (AiTM) phishing. A sophisticated phishing attack does not just capture a password — it proxies the entire login session in real time. The user logs in through the attacker's phishing site, which relays credentials and MFA codes to the real service and receives back an authenticated session token. The attacker captures and replays this token, effectively bypassing MFA entirely. Tools like Evilginx make AiTM attacks accessible to non-expert attackers. The mitigation is phishing-resistant MFA (FIDO2/passkeys), because these methods bind the authentication to the legitimate domain and cannot be replayed through a proxy.
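To show why the origin check defeats an AiTM proxy, here is an added example (not from the article) of the relying-party verification WebAuthn specifies: the browser writes the page origin into clientDataJSON, the authenticator signs authenticatorData together with the hash of that JSON, and the server rejects any assertion whose origin is not its own. HMAC with a shared key stands in for the credential's public-key signature so the example runs with the standard library only; `RP_ORIGIN`, the proxy origin and the function names are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://login.example.com.au"  # the legitimate relying party (constructed)


def build_assertion(credential_key: bytes, challenge: str, page_origin: str) -> dict:
    """What browser and authenticator produce together. The browser, not the user, records
    the origin of the page that called navigator.credentials.get(); the authenticator then
    signs authenticatorData || SHA-256(clientDataJSON). HMAC stands in for the private-key
    signature purely to keep this example dependency-free."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin})
    authenticator_data = b"\x01\x00\x00\x00\x05"  # constructed: UP flag set, signature counter 5
    signed = authenticator_data + hashlib.sha256(client_data.encode()).digest()
    return {"clientDataJSON": client_data, "authenticatorData": authenticator_data,
            "signature": hmac.new(credential_key, signed, hashlib.sha256).digest()}


def verify_assertion(credential_key: bytes, expected_challenge: str, assertion: dict) -> bool:
    """Relying-party checks, in the order a WebAuthn server performs them."""
    data = json.loads(assertion["clientDataJSON"])
    if data.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(data.get("challenge", ""), expected_challenge):
        return False  # stale or replayed assertion
    if data.get("origin") != RP_ORIGIN:
        return False  # signed for another site: this is the check that defeats AiTM
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"].encode()).digest()
    expected = hmac.new(credential_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def login_direct(credential_key: bytes) -> bool:
    """User on the real site: the browser records RP_ORIGIN and verification passes."""
    challenge = secrets.token_urlsafe(32)
    return verify_assertion(credential_key, challenge, build_assertion(credential_key, challenge, RP_ORIGIN))


def login_through_proxy(credential_key: bytes, proxy_origin: str = "https://phishing.example") -> bool:
    """AiTM: the proxy relays the real challenge unchanged, but the user's browser is on the
    proxy's origin, so that origin is what gets signed and the relying party rejects it."""
    challenge = secrets.token_urlsafe(32)
    relayed = build_assertion(credential_key, challenge, proxy_origin)
    return verify_assertion(credential_key, challenge, relayed)
```

By contrast, a six-digit TOTP code relayed through the same proxy verifies identically, because nothing in the code records where the user typed it.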

Insider threats. A malicious or compromised employee who is already authenticated is not stopped by MFA. Behavioural monitoring, the principle of least privilege, and access logging address this risk.

Unpatched vulnerabilities. An attacker who exploits a software vulnerability in a web application or network service may be able to gain access without ever touching the authentication layer. Patch management — keeping systems and applications current — closes these entry points. MFA and patching are complementary controls, not substitutes for each other.

This is why security frameworks like the Essential Eight exist as a set of controls rather than a single recommendation. MFA is Mitigation Strategy 1 because it addresses the most common and highest-volume attack vector. It does not address every attack vector. A layered approach, maintained by a competent IT provider, is the only complete answer.


How Pickle Helps Australian Businesses Deploy MFA

Pickle's managed IT services include the full lifecycle of MFA deployment for Australian SMBs, strata buildings, and commercial properties. That means reviewing your current Microsoft 365 configuration and identifying gaps, enabling Security Defaults or configuring Conditional Access policies appropriate to your licensing, setting up the Microsoft Authenticator app for your staff with clear onboarding instructions, extending MFA requirements to cloud applications beyond Microsoft 365, and monitoring authentication logs for failed MFA attempts and anomalous login patterns that may indicate an active attack.

MFA deployment is not a one-off project. Staff join and leave, devices change, and applications are added. Pickle's ongoing managed IT model keeps your authentication environment current and your monitoring active.

If your Microsoft 365 tenant does not have MFA enforced today, that is a risk you can address this week. Call Pickle on 1300 688 588 or email [email protected] to arrange a Microsoft 365 security review.


Frequently Asked Questions

Q: Is MFA the same as two-factor authentication (2FA)?

A: Two-factor authentication is a specific form of multi-factor authentication that uses exactly two factors — typically a password and a one-time code. MFA is the broader term covering two or more factors. In practice, most business MFA implementations use two factors, so the terms refer to the same thing in most day-to-day conversations. FIDO2 hardware keys and passkeys collapse the password and the second factor into a single phishing-resistant credential, which technically satisfies the MFA requirement in a single step.

Q: What is the best MFA method for a small business?

A: For most Australian SMBs, an authenticator app (Microsoft Authenticator or Google Authenticator) generating time-based one-time codes (TOTP) is the right default. It is free, widely supported, significantly stronger than SMS codes, and straightforward for staff to use. For high-risk accounts — executives, finance personnel, IT administrators — upgrading to FIDO2 hardware tokens (such as a YubiKey) provides phishing-resistant protection that no software-based attack can bypass.

Q: What happens if an employee loses their phone and cannot authenticate?

A: This is the most common objection to MFA rollouts, and it has well-established solutions. Microsoft 365 allows administrators to generate temporary access passes for locked-out users. Authenticator apps can also be backed up and restored to a new device, and many TOTP apps support encrypted cloud backup. The key is to establish an account recovery process before rollout rather than after the first lockout — your IT provider should document and communicate this process to staff as part of the deployment.

Q: Does MFA slow down the login process significantly?

A: The additional step typically takes between five and fifteen seconds for an authenticator app code or a push notification approval. Conditional Access policies can reduce friction further by only prompting for MFA when the login is from an unrecognised location or device — so a user logging in from their usual laptop on the office network may not be prompted at all, while the same user logging in from an unfamiliar location will be. FIDO2 hardware keys are arguably faster than typing a password and entering a code — a single tap or plug-in completes authentication. The security gain is not meaningfully offset by the time cost.

Q: Is MFA enough on its own to protect our business accounts?

A: MFA is the most effective single control for preventing unauthorised account access, but it is not a complete security posture on its own. It does not protect against malware on the device, AiTM phishing attacks that steal session tokens, unpatched vulnerabilities in your software or network, or insider threats. A complete approach layers MFA with endpoint protection, patch management, email filtering, staff security awareness training, and ongoing monitoring. MFA is the right place to start — but it is the beginning of a layered security strategy, not the end of one.