Multi-Factor Authentication (MFA): A Complete Guide for Ontario Small Businesses
In February 2024, attackers broke into Change Healthcare — one of the largest health data processors in North America — without writing a single line of malicious code. They simply logged in. The credential they used was valid. The one thing that would have stopped them was not in place: multi-factor authentication. The breach ultimately cost over $3 billion.
Closer to home, the City of Hamilton’s 2024 ransomware attack resulted in a denied insurance claim — partly because MFA had not been fully implemented across their systems.
The same vulnerability affects thousands of Ontario small businesses every day. And the fix takes less than 30 minutes to deploy.
What Is Multi-Factor Authentication?
Multi-factor authentication (MFA) — sometimes called two-factor authentication (2FA) or two-step verification — requires users to provide two or more forms of verification before accessing an account. Rather than relying on a password alone, MFA combines:
- Something you know — your password
- Something you have — a code from your phone, a hardware key, or an authenticator app
- Something you are — a fingerprint or face scan (less common in business settings)
The core idea is simple: even if an attacker steals your password, they cannot log in without also having access to your second factor. Since that second factor is usually your physical phone, it stops the vast majority of remote attacks cold.
Why MFA Matters for Your Ontario Business Right Now
The numbers are stark.
Microsoft’s research shows that MFA blocks 99.9% of automated account compromise attacks. More telling: virtually all compromised accounts — 99.9% — did not have MFA enabled at the time of the breach.
Despite this, only 27% of Canadian small businesses have fully deployed MFA. That leaves nearly three quarters of Ontario SMBs exposed to attacks that are trivially easy to prevent.
The cost of getting this wrong is significant. The average data breach in Canada now costs $6.98 million (IBM, 2025). For a small business, even a partial breach — one compromised email account, one hijacked Microsoft 365 login — can result in fraudulent wire transfers, exposed client data, and regulatory penalties under PIPEDA.
Cyber insurers have taken notice. Many are now refusing to pay claims when MFA was not in place at the time of the incident. It is no longer just a best practice — it is a condition of coverage.
The Three Types of MFA: Which Is Right for Your Business?
Not all MFA is equally strong. Here is how the options compare:
SMS Text Message Codes
A one-time code is sent to your mobile number each time you log in. This is the most widely used form of MFA, and it is far better than no MFA at all. However, SMS is vulnerable to SIM-swapping attacks — where an attacker convinces your mobile carrier to transfer your number to a SIM card they control.
Best for: Low-risk accounts, or as a fallback method. Not recommended as the sole MFA method for business email or financial systems.
Authenticator Apps (Microsoft Authenticator, Google Authenticator, Duo)
An app on your phone generates a rotating six-digit code that refreshes every 30 seconds. These codes are generated locally on your device — they are never transmitted, so they cannot be intercepted in transit. This is significantly more secure than SMS.
Best for: Business email (Microsoft 365, Google Workspace), cloud applications, remote access. This is the recommended standard for most Ontario small businesses.
Hardware Security Keys (YubiKey, Titan Key)
A physical USB or NFC device that you plug into your computer or tap against your phone. Hardware keys are completely phishing-resistant — even if an attacker tricks you into entering your password on a fake login page, the hardware key will not authenticate against the fake site.
Best for: Highly privileged accounts — administrators, finance staff with wire transfer access, executives. The Canadian Centre for Cyber Security (CCCS) specifically recommends phishing-resistant MFA like FIDO2 hardware keys for any privileged account.
How to Enable MFA on Microsoft 365 (Step-by-Step)
Microsoft 365 is the most common business platform in Ontario — and enabling MFA takes under 10 minutes for your administrator.
Step 1: Sign in to the Microsoft 365 Admin Centre with an administrator account.
Step 2: Go to Users → Active users and click Multi-factor authentication in the top toolbar.
Step 3: Select all users (or specific ones), then click Enable under Quick Steps on the right panel.
Step 4: Communicate the change to your team. When they next log in, they will be prompted to set up their second factor. Microsoft Authenticator is the recommended app.
Step 5: For stronger protection, go to Azure Active Directory → Security → Conditional Access and create a policy that enforces MFA for all sign-ins, including those from trusted locations. (This step is best done with your IT provider.)
Important: Require MFA immediately on admin accounts. A compromised administrator account gives an attacker full control of your Microsoft 365 environment — including the ability to disable MFA for other users.
How to Enable MFA on Google Workspace
If your business uses Google Workspace, the process is equally straightforward.
- Sign in to the Google Admin Console
- Go to Security → Authentication → 2-step verification
- Click Allow users to turn on 2-step verification and set enforcement to On
- Under Enforcement, set a deadline for all users to enrol
- Encourage staff to use Google Authenticator or a hardware key rather than SMS
Google’s research found that adding a second factor blocks 100% of automated bot attacks and 99% of bulk phishing attacks on Google accounts.
Common Objections — and Why They Don’t Hold Up
“My staff will find it inconvenient.”
Modern authenticator apps remember trusted devices for 30 to 90 days. Once a device is enrolled, users typically only see a second-factor prompt when logging in from a new device or location. The daily friction is minimal — a single tap on a phone notification for Microsoft Authenticator.
“We’re too small to be a target.”
Attackers do not target companies based on size. They run automated scans across millions of accounts simultaneously, looking for any account without MFA. Small businesses are often specifically targeted because they are less likely to have security controls in place.
“We’ve never had a breach.”
Many breaches go undetected for months. According to IBM, the average time to identify a breach is over 200 days. You may have already been compromised without knowing it.
“Our IT handles this.”
If your business does not have an IT provider actively managing your Microsoft 365 or Google Workspace tenant, MFA may not be configured — even if you believe it is. The default Microsoft 365 configuration for older tenants does not enforce MFA automatically.
The Bottom Line
Multi-factor authentication is the single highest-impact security control available to Ontario small businesses today. It blocks nearly every automated attack, costs nothing beyond your existing Microsoft 365 or Google Workspace subscription, and takes minutes to enable.
If your business email, remote access, and cloud applications are not protected by MFA today, that is the one thing you should fix this week.
WiseTech helps Mississauga and GTA businesses configure MFA correctly — including Conditional Access policies, admin account hardening, and staff enrolment guidance — as part of our managed IT service.
Book a free assessment to review your account security →
Related Posts
Published by WiseTech Team
May 15, 2026
Have Questions About Your Business IT?
Book a free assessment with WiseTech — personalised advice for your Mississauga business, no obligation.
Book Your Free Assessment