
Multi-factor authentication for businesses: practical, 99% effective, hassle-free

TL;DR

  • Turning on MFA stops the vast majority of account compromises. More than 99% of compromised accounts did not have MFA.
  • Avoid text messages for authentication whenever possible. TOTP and passkeys/FIDO2 are more robust.
  • Admins and critical access: require FIDO2 keys/passkeys.
  • Move toward adaptive MFA and disable old authentication protocols (IMAP/POP/SMTP Basic) that bypass MFA.
  • Plan for recovery: backup codes, a second device, a clear procedure if someone loses their device.

An essential solution

Phishing and social engineering attacks hit hard, as you have no doubt noticed, especially overwhelmed IT teams and nonprofits with limited resources. MFA adds a barrier that stops the vast majority of these attacks; against real-time phishing proxies that relay one-time codes and push approvals, only the phishing-resistant methods (FIDO2/passkeys) hold.

Key point for Quebec: even though Bill 25 doesn’t specify a particular authentication type, implementing MFA proportionate to the risk helps meet your security obligations and reassure your clients and partners.

MFA options at a glance

Here is the good – better – ideal that Blue Fox recommends for most SMEs/nonprofits:

  • Good: TOTP via an app (Microsoft/Google Authenticator, Aegis, etc.). Works offline, inexpensive, simple to deploy.
  • Better: Push + protections (number matching, location/device context). Smoother, but beware of MFA fatigue.
  • Ideal: FIDO2 / passkeys (physical keys or built‑in passkeys in phone/computer). Phishing-resistant: the credential is bound to the site's origin, so a look-alike or proxy site cannot obtain a usable login.

  • SMS is still better than nothing, but vulnerable to SIM swapping. Use it only as a transitional method or as a backup (and even then...).
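To make the "good" and "ideal" rows concrete, here is an added example (not code from the Blue Fox post): a TOTP authenticator and verifier per RFC 6238, the otpauth:// enrolment URI that Authenticator apps read from a QR code, and the single origin check that makes a FIDO2/WebAuthn login phishing-resistant. The secret is the RFC 6238 test key and the clientDataJSON messages are constructed samples; the verifier's in-memory `last_counter` would be stored per user in a real deployment.

```python
import base64
import hashlib
import hmac
import json
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). The phone needs a clock, not a network."""
    return hotp(key, at // step, digits, algo)


def provisioning_uri(key: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI behind the enrolment QR code (Key URI format used by Authenticator apps)."""
    secret = base64.b32encode(key).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


class TotpVerifier:
    """Server side. Tolerates +/- `window` steps of clock skew and refuses to accept a
    time step twice, so a code captured and re-sent inside its 30 s validity is rejected."""

    def __init__(self, key: bytes, window: int = 1, step: int = 30, digits: int = 6):
        self.key, self.window, self.step, self.digits = key, window, step, digits
        self.last_counter = -1  # highest step already consumed (persist this per user in production)

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        centre = (int(time.time()) if now is None else now) // self.step
        for counter in range(centre - self.window, centre + self.window + 1):
            if counter <= self.last_counter:
                continue  # replay, or older than a step already used
            if hmac.compare_digest(hotp(self.key, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


def webauthn_origin_ok(client_data_json: bytes, expected_origin: str) -> bool:
    """One of the relying-party checks from the WebAuthn spec (assertion verification):
    the browser, not the user, writes the page origin into clientDataJSON and the authenticator
    signs its hash. A look-alike proxy domain therefore yields an assertion with the wrong
    origin. The TOTP verifier above cannot tell a relayed code from a genuine one; this check can.
    A real RP also checks type, challenge, rpIdHash and the signature."""
    data = json.loads(client_data_json)
    return data.get("type") == "webauthn.get" and data.get("origin") == expected_origin


if __name__ == "__main__":
    # Constructed sample secret (the RFC 6238 test key), not a real enrolment.
    key = b"12345678901234567890"
    print(provisioning_uri(key, "alice@example.ca", "Example Nonprofit"))
    now = int(time.time())
    code = totp(key, now)
    v = TotpVerifier(key)
    print(code, v.verify(code, now), v.verify(code, now + 5))  # second use is a replay -> False
    # Constructed clientDataJSON as a browser would produce it on the real and on a phishing origin.
    real = json.dumps({"type": "webauthn.get", "challenge": "c29tZS1jaGFsbGVuZ2U",
                       "origin": "https://login.example.ca"}).encode()
    fake = json.dumps({"type": "webauthn.get", "challenge": "c29tZS1jaGFsbGVuZ2U",
                       "origin": "https://login-example.ca"}).encode()
    print(webauthn_origin_ok(real, "https://login.example.ca"),
          webauthn_origin_ok(fake, "https://login.example.ca"))
```

The verifier accepts one step on either side of the clock, which is what most IdPs do by default; widening the window buys tolerance for drifting phones at the cost of a longer replay-free validity, and the `last_counter` rule is what keeps a captured code from being reused inside that window.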

Quick deployment recipe for SMEs/nonprofits

Week 0 to 2 – Preparation

  • Map your access: M365/Workspace, bank, CRM, payroll, providers (hosting, website), VPN.
  • Assess and classify by risk factor: admins, finance, management, remote access, volunteers/contractors.
  • Choose the method by profile:
    • Admins, finance, access to sensitive data → FIDO2/passkeys.
    • Regular employees → TOTP (or passkeys if ready).
  • Plan recovery: second device or second key, printed backup codes, identity‑verification procedure to prevent fraud at the helpdesk (not just “give me the code by text”).

Week 2 to 3 – Implementation

  • Train in 30 minutes: why MFA, how to install the TOTP app, how to register a passkey, where to retrieve a code if you lose your phone.
  • Pilot on a small group.
  • Update internal documentation, then roll out in waves.
  • Turn off the old doors: block legacy authentication (IMAP/POP/SMTP Basic), enforce modern auth.

Week 4 and onwards – Full ramp‑up

  • Raise the requirements: admins and privileged accounts with FIDO2 only, push with number matching, ban SMS for critical accounts.
  • Activate adaptive MFA (if available): stronger requirements when the context is risky (new location, non‑compliant device, suspicious behaviour).
  • Audit monthly: who doesn’t have MFA, which methods are being used, blocked attempts, need to add backup keys.

Ready‑to‑use recipes by ecosystem

Microsoft 365 / Entra ID

  • Quick and free: enable Security Defaults to require MFA registration for every user, MFA for administrators, and to block legacy authentication. Security Defaults and Conditional Access are mutually exclusive, so turn them off once you move to the policies below.
  • Better (if you have Entra ID P1): Conditional Access policies to require MFA by user, role and app, block legacy auth and require a phishing‑resistant authentication strength for admins; policies keyed on sign‑in or user risk need P2 (Identity Protection). Exclude one break‑glass account from every policy and start each policy in report‑only mode before enforcing it.
  • Secure push: enable or check number matching and display of context (app/location).
  • Passkeys/FIDO2: enable passkey registration (physical keys or Authenticator) and document the user journey.
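The two Conditional Access policies this recipe relies on (block legacy auth, phishing-resistant MFA for admins), written as an added example rather than anything from the Blue Fox post, as the request bodies Microsoft Graph v1.0 accepts at `POST /identity/conditionalAccess/policies`. The Global Administrator role template ID and the built-in "Phishing-resistant MFA" authentication strength ID are the well-known Entra values; confirm both against your tenant (`GET /directoryRoleTemplates`, `GET /identity/conditionalAccess/authenticationStrength/policies`) before posting. The break-glass object ID is a placeholder.

```python
import json
import urllib.request

GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"      # directory role template: Global Administrator
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"  # built-in authentication strength
REPORT_ONLY = "enabledForReportingButNotEnforced"                # read the sign-in logs first, then "enabled"
GRAPH_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def block_legacy_auth(break_glass_ids, state=REPORT_ONLY):
    """Block every sign-in from a legacy client (Basic auth over IMAP/POP/SMTP, EAS, ...).
    Those clients cannot answer an MFA prompt, so 'exchangeActiveSync' + 'other' is exactly
    the traffic a password spray uses to walk around MFA."""
    return {
        "displayName": "CA001 - Block legacy authentication",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def require_fido2_for_admins(break_glass_ids, role_ids=(GLOBAL_ADMIN_ROLE,), state=REPORT_ONLY):
    """Require the phishing-resistant authentication strength (FIDO2 key, device-bound passkey,
    Windows Hello for Business, certificate) for the listed directory roles. Push, TOTP and SMS
    do not satisfy this strength, which is the point."""
    return {
        "displayName": "CA002 - Admins: phishing-resistant MFA",
        "state": state,
        "conditions": {
            "users": {"includeRoles": list(role_ids), "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}},
    }


def create_policy(policy: dict, access_token: str) -> dict:
    """POST one policy body to Graph. The token needs at least Policy.ReadWrite.ConditionalAccess."""
    req = urllib.request.Request(
        GRAPH_POLICIES,
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder break-glass account; print the bodies instead of posting them.
    break_glass = ["<break-glass-account-object-id>"]
    for policy in (block_legacy_auth(break_glass), require_fido2_for_admins(break_glass)):
        print(json.dumps(policy, indent=2))
```

Keep both policies in report-only for a week, check the "Report-only" tab of the sign-in logs for the accounts that would have been blocked (usually a scanner, a copier or a script still on Basic auth), fix those, then flip `state` to `enabled`.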

Google Workspace

  • Enforce 2SV by organisation unit, then require TOTP or security keys.
  • Passkeys: allow password‑skip with passkeys for teams ready for passwordless.
  • Admins: require security keys (physical ideally) for super‑admins and privileged accounts.

Keycloak and other open IdPs

  • Enable WebAuthn/FIDO2 in the default auth flow.
  • Policy: admins and sensitive applications in FIDO2, TOTP for others, SMS only for backup.

Minimalist MFA policy, ready to adopt

  • Scope: all cloud accounts, email, VPN, payroll/finance tools, CRM, code repositories.
  • Requirements:
    • Admins/finance/sensitive access: mandatory FIDO2/passkeys, 2 keys per person (primary key + backup key), TOTP disabled.
    • Employees: TOTP by default, passkeys encouraged.
    • SMS: only as an approved backup method, never for admins.
  • Recovery: printed backup codes, second device, strong identity procedure at the helpdesk, cool‑down period if a SIM swap is suspected.
  • Exceptions: documented, temporary, with an end date.
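The monthly audit from "Week 4 and onwards" and the requirements in the policy above, turned into a check you can run on the registration report. This is an added example, not a Blue Fox tool. Method names follow Entra's `userRegistrationDetails` report (`methodsRegistered`), the FIDO2 key count is assumed to come from `/users/{id}/authentication/fido2Methods`, the five rows are a constructed sample rather than data from any tenant, and treating finance and sensitive-data roles as "privileged" is a mapping IT maintains, not something the report provides.

```python
from dataclasses import dataclass
from typing import Dict, List

# Method names as they appear in GET /reports/authenticationMethods/userRegistrationDetails.
KEY_TYPES = {"fido2SecurityKey", "passKeyDeviceBound"}             # counted via fido2_keys below
WEAK = {"mobilePhone", "alternateMobilePhone", "officePhone", "email"}  # SMS, voice, e-mail


@dataclass
class User:
    upn: str
    privileged: bool       # admin, finance, sensitive data (assumption: a group IT maintains)
    methods: List[str]     # distinct registered method types, as in methodsRegistered
    fido2_keys: int = 0    # number of FIDO2 credentials, from /users/{id}/authentication/fido2Methods


def audit(users: List[User]) -> Dict[str, List[str]]:
    """Return {upn: [findings]} for every account that breaks the policy; {} means clean."""
    findings: Dict[str, List[str]] = {}
    for u in users:
        f: List[str] = []
        if not u.methods:
            findings[u.upn] = ["no MFA registered"]
            continue
        # A backup means a second key, device or method; one of anything is a lockout waiting to happen.
        slots = u.fido2_keys + sum(1 for m in u.methods if m not in KEY_TYPES)
        if slots < 2:
            f.append("single method, no backup")
        weak = sorted(m for m in u.methods if m in WEAK)
        if u.privileged:
            if u.fido2_keys < 2:
                f.append(f"{u.fido2_keys} FIDO2 key(s) registered, policy requires 2")
            if weak:
                f.append("SMS/voice/email still registered: " + ", ".join(weak))
            if "softwareOneTimePasscode" in u.methods:
                f.append("TOTP still enabled on a privileged account")
        elif set(u.methods) <= WEAK:
            f.append("SMS/voice is the only method")
        if f:
            findings[u.upn] = f
    return findings


# Constructed sample, not data from a real tenant.
SAMPLE = [
    User("admin@example.ca", True, ["fido2SecurityKey", "microsoftAuthenticatorPush"], fido2_keys=2),
    User("finance@example.ca", True, ["fido2SecurityKey", "mobilePhone"], fido2_keys=1),
    User("alice@example.ca", False, ["softwareOneTimePasscode", "mobilePhone"]),
    User("bob@example.ca", False, ["mobilePhone"]),
    User("carol@example.ca", False, []),
]

if __name__ == "__main__":
    for upn, issues in audit(SAMPLE).items():
        print(upn)
        for issue in issues:
            print("  -", issue)
```

Run it from the report export once a month; the output is the to-do list for the helpdesk (second key to ship, SMS to remove, user to enrol) and, because privileged accounts are checked for two keys rather than one, it also catches the admin whose backup key was never registered.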

Budget and hardware (realistically)

  • TOTP: $0 per user (free apps, including several FOSS options).
  • FIDO2 keys: plan for two keys per critical account. Count about CAD $35 to $140 per key depending on the model (USB‑A/C, NFC, FIPS, biometric).
  • Mixed fleet: USB‑C + NFC works well for recent laptops and phones.
  • Blue Fox advice: start by equipping management, finance, IT and internet‑exposed service accounts.

Common mistakes to avoid

  • Leaving Basic authentication active on IMAP/POP/SMTP. These legacy protocols cannot prompt for a second factor, so a stolen password is enough.
  • Using push alone without number matching, which opens the door to MFA fatigue.
  • Having only one method per person. There needs to be a backup plan, ideally one that doesn’t depend on IT being available 24/7 (your admin will appreciate 😊).
  • Keeping SMS as the main method after the pilot.
  • Forgetting to train people and to test account recovery on a sample of accounts (a backup code nobody has ever used is not a recovery plan).

Blue Fox’s word

Need a hand to move from texts to TOTP, deploy passkeys painlessly and put in place a clear MFA policy adapted to your team and your budget realities? We can assist you.

A bit like a USB‑key‑in‑hand! ;-)

#CyberSecurity #MFA #FIDO2 #Passkeys #ZeroTrust #Phishing #BusinessSecurity #BlueFox

Complete sources

  • Effectiveness of MFA (over 99%): Microsoft, "2023 identity security trends", noting that 99.9% of compromised accounts did not have MFA; Alex Weinert, "Your password doesn't matter"; a 2023 study co‑signed by Microsoft showing a 99.22% risk reduction and the advantages of TOTP over SMS.
  • Recommendations from the Government of Canada for SMEs/nonprofits: Canadian Centre for Cyber Security, "Baseline cyber security controls for small and medium organizations"; factsheet "Secure your accounts and devices with MFA"; Get Cyber Safe portal.
  • Why avoid SMS as the main method: FBI IC3, 1,611 complaints and losses of more than $68M in 2021 due to SIM swapping; sharp rise in SIM swap fraud in the UK in 2024 (Cifas); NIST SP 800‑63B, restrictions and risk signals for out‑of‑band authentication via the PSTN (SMS/voice).
  • Biometrics, useful but not alone: NIST SP 800‑63B, a biometric on its own is not an authenticator; it must unlock a physical authenticator.
  • Phishing‑resistant MFA (FIDO2/WebAuthn, passkeys): CISA, "Implementing Phishing‑Resistant MFA" and its note on number matching where phishing‑resistant methods are not yet possible; "Phishing‑Resistant MFA is Key to Peace of Mind"; W3C WebAuthn Level 2/3 specifications and FIDO Alliance passkey resources; U.S. federal zero trust strategy OMB M‑22‑09, which requires phishing‑resistant MFA.
  • Large‑scale case study (transferable to SMEs/nonprofits): CISA and USDA, FIDO deployment for about 40,000 people where PIV cards were not possible.
  • Block legacy auth that circumvents MFA: Microsoft, deprecation and blocking of Basic authentication in Exchange Online; Conditional Access policies to block legacy auth; Security Defaults.
  • Concrete activation recipes: Microsoft Entra, enabling passkeys/FIDO2, number matching and context in Authenticator; Google Workspace, enforcing 2SV, allowing passkeys and password skip; Keycloak, enabling WebAuthn in the authentication flow.
  • Cost benchmarks for FIDO2 keys (Canada): public examples such as YubiKey 5C NFC (Canadian resellers), FEITIAN ePass NFC and SoloKeys; prices vary with USB‑A/C, NFC, FIPS certification and biometrics; Yubico and Canadian distributors publish current pricing.