Skip to content
Convey

Tech Column

MFA for small businesses: a realistic, low-cost starting point

4 min read

Most breaches start with a compromised password. Here is a practical MFA rollout plan that even the smallest team can start today.

Passwords alone won't hold

Credential-stuffing bots and phishing kits attack indiscriminately — they don't check your company size. “We're too small to be a target” fails because the attacker is automation, not a person.

MFA adds a second gate — something only the real user possesses — so a stolen password alone is not enough. Per yen spent, few security measures come close to its impact.

The three accounts to protect first

You don't need a company-wide rollout on day one. Prioritize where compromise hurts most.

  • Email (Microsoft 365 / Google Workspace) — the master key used to reset every other account
  • Cloud admin consoles (AWS / Azure / GCP) — a takeover puts the business itself at risk
  • Online banking and payment services — the direct route to financial loss

Choosing a second factor

SMS codes are far better than nothing but vulnerable to SIM swapping; prefer an authenticator app (TOTP) where possible. Better still, use passkeys (FIDO2): TOTP codes can be phished on a fake site, but passkeys only work on the genuine domain, making that attack structurally impossible.

Making it stick

Rollout is only half the job: store recovery codes safely, audit accounts when people leave, and separate admin accounts from daily-driver accounts. Convey helps with identity design and these operating rules as one package.