Most breaches start with a compromised password. Here is a practical MFA rollout plan that even the smallest team can start today.
Passwords alone won't hold
Credential-stuffing bots and phishing kits attack indiscriminately — they don't check your company size. “We're too small to be a target” fails because the attacker is automation, not a person.
MFA adds a second gate — something only the real user possesses — so a stolen password alone is not enough. Per yen spent, few security measures come close to its impact.
The three accounts to protect first
You don't need a company-wide rollout on day one. Prioritize where compromise hurts most.
- Email (Microsoft 365 / Google Workspace) — the master key used to reset every other account
- Cloud admin consoles (AWS / Azure / GCP) — a takeover puts the business itself at risk
- Online banking and payment services — the direct route to financial loss
Choosing a second factor
SMS codes are far better than nothing but vulnerable to SIM swapping; prefer an authenticator app (TOTP) where possible. Better still, use passkeys (FIDO2): TOTP codes can be phished on a fake site, but passkeys only work on the genuine domain, making that attack structurally impossible.
Making it stick
Rollout is only half the job: store recovery codes safely, audit accounts when people leave, and separate admin accounts from daily-driver accounts. Convey helps with identity design and these operating rules as one package.