If your business email, banking, or remote access has ever been protected by nothing but a password, you’re not alone — and you’re not irresponsible. Most small businesses in New Hampshire and across New England start out that way. A password felt like enough when the company was three people and the stakes were low. But passwords get stolen constantly — through phishing emails, data breaches at third-party services, or simply because people reuse the same one across a dozen accounts. Multi-factor authentication, or MFA, is the single fastest way to close that gap, and the biggest reason most businesses haven’t done it yet isn’t technical — it’s inertia.
So what is MFA, exactly? It’s a second check that happens after you type your password. The idea is that your password is something you know, and the second factor is something you have — your phone, typically. After you log in with your credentials, you’re asked to approve the login with a code from an app on your phone or by tapping “approve” on a push notification. An attacker who steals your password from a breach somewhere is stopped cold, because they don’t have your phone. The account stays locked, even though the password was correct.
The reason security professionals push MFA so consistently is that automated credential-stuffing attacks — where stolen username-and-password combinations are tried across thousands of services — depend entirely on the password being the only barrier. Add a second factor and the overwhelming majority of those automated attempts simply fail. The attacker moves on to an easier target. This isn’t a guarantee against every possible threat, but it removes the most common and most scalable attack entirely.
The honest objection to MFA is that it adds a step, and that step can feel annoying — especially for employees who are already moving fast. That’s a fair concern, and we won’t pretend it isn’t there. What’s worth knowing is that most modern MFA implementations are designed to be as frictionless as possible. Authenticator apps like Microsoft Authenticator or Google Authenticator generate a six-digit code you glance at and type in, or send a push notification you approve with one tap. Many systems also let you mark a trusted device so you’re only prompted on new logins or after a set period. The friction is real, but it’s measured in seconds — and it tends to fade into routine within a week or two.
Not all second factors are equal, though. If you have a choice, app-based codes or push approvals are meaningfully stronger than SMS text message codes. Text messages can be intercepted or redirected in ways that app-based codes generally can’t, and SIM-swapping — where an attacker tricks a carrier into transferring your phone number — can defeat SMS codes. For most small businesses, SMS is still far better than nothing. But if your team is setting up MFA fresh, defaulting to an authenticator app is the right call from the start.
Where should you turn it on first? Email is the highest-priority target in almost every small business — Microsoft 365 and Google Workspace both support MFA and make it straightforward to require it for everyone on the account. Email is the master key to most other accounts, because password-reset links get delivered there. Banking and financial accounts are a close second. After that: any remote access or VPN your team uses to connect from home, and any admin-level account in your IT systems. Those are the accounts where a compromise causes the most damage and the hardest recovery. Start there, then work outward.
The part that surprises most people is how little time it actually takes. Enabling MFA on Microsoft 365, for example, is done in the admin portal in under 15 minutes. The same is true for most banking logins and common business apps. The barrier isn’t complexity — it’s that nobody has carved out the time to do it, and there’s no one whose job it is to make sure it actually gets done across every account and every employee. That last part is where things tend to break down. Even when an owner turns on MFA for themselves, it often doesn’t get enforced for every employee, every new hire, every shared login. One gap is enough.
That consistency gap — enforcing MFA everywhere, not just for some people — is one of the concrete things a flat-fee managed IT provider handles as standard. We set the policy, push it to every account, confirm it’s active, and catch the exceptions before they become problems. If you’re not ready to engage a managed provider, the checklist to start yourself is short: turn on MFA for your Microsoft 365 or Google Workspace admin account today, then require it for all users; do the same for your business banking login; and set it up on any VPN or remote-access tool your team uses. Those three steps, in that order, cover the highest-risk surface area for most small businesses in New Hampshire and across New England — and you can likely have all three done before lunch.