Every day, automated tools scan the internet for business email accounts with weak or reused passwords. When they find one that matches a leaked credential from any data breach anywhere — and there are billions of leaked credentials in circulation — they try it. It takes seconds. No human hacker required.
If that login succeeds, the attacker has access to your email, your files, potentially your financial systems, and your clients' information. They can send phishing emails from your domain, intercept invoice payments, exfiltrate data, or quietly set up persistent access to return later.
Multi-factor authentication stops this attack — even if the attacker has the correct password.
What Is MFA?
Multi-factor authentication requires a user to provide two or more verification factors to access an account. Instead of just a password, you need:
- Something you know — your password
- Something you have — your phone (via an authenticator app or SMS code)
- Optionally: something you are — fingerprint or face ID
Even if an attacker has your exact password, they can't complete the second factor without physical access to your phone. The attack fails.
Why Passwords Alone Aren't Enough
The problem with passwords isn't that people choose bad ones (though many do). It's that passwords are static secrets that can be stolen in ways entirely outside your control:
- Data breaches — when any service you use gets breached, your email/password combination may be exposed, even if that service wasn't work-related
- Phishing — a convincing fake login page harvests your credentials without any malware involved
- Credential stuffing — automated tools try leaked passwords from one breach against hundreds of other services
- Password reuse — if you use the same password anywhere else, one breach compromises everything
Password managers help, but they don't eliminate these risks. MFA does, because the second factor is time-sensitive (codes expire in 30 seconds) and tied to a physical device the attacker doesn't have.
MFA Methods: Which One Should You Use?
There are several ways MFA can work, and they're not all equally secure:
Authenticator App (Recommended)
Microsoft Authenticator, Google Authenticator, or Duo generate time-based one-time passwords (TOTP) directly on your phone. This is the most secure common method — the code is generated locally and never transmitted until you type it in. Phishing-resistant versions (FIDO2/passkeys) are even stronger.
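To make "generated locally" and "expires in 30 seconds" concrete, here is an added example (not code from the article, Microsoft, Google or Duo) of the RFC 6238 TOTP computation an authenticator app runs, paired with the check a server does when you type the code in. The base32 secret is a constructed demo value, and the one-window clock-skew tolerance in the verifier is an assumption for illustration, not something the article specifies.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret in base32 (the form an enrollment QR code carries);
# every real account gets its own random secret at enrollment.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
TIME_STEP = 30   # seconds per code window (RFC 6238 default, as the article says)
DIGITS = 6


def totp_code(secret_b32: str, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """Derive the one-time code for the window containing unix_time.

    Only the shared secret and the clock are needed, so the phone computes
    this offline; nothing leaves the device until the user types the code.
    """
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // step                        # window number since epoch
    msg = struct.pack(">Q", counter)                   # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                         # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_code(secret_b32: str, submitted: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Server-side check of a submitted code.

    Accepts the current window plus drift_steps windows either side to absorb
    clock skew (an assumed tolerance). Anything older is expired, which is why
    a code captured from a user is worthless a few minutes later.
    """
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp_code(secret_b32, unix_time + delta * TIME_STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp_code(DEMO_SECRET_B32, now)
    print("code for this 30-second window:", code)
    print("accepted now:          ", verify_code(DEMO_SECRET_B32, code, now))
    print("accepted 5 minutes on: ", verify_code(DEMO_SECRET_B32, code, now + 300))
```

The RFC 6238 test vectors (secret "12345678901234567890", SHA-1, 30-second step) reproduce exactly with this function, so it can be checked against any standards-compliant authenticator.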
Push Notification
The Microsoft Authenticator app can send a push notification to your phone: "Someone is trying to sign in — approve or deny?" Simple and fast. Slightly vulnerable to "MFA fatigue" attacks (where attackers spam approval requests hoping you'll accidentally tap Approve), but Microsoft has number matching to address this.
SMS / Text Message
A code sent via text message. Better than nothing, but SMS MFA is the weakest option — SIM swapping attacks and SS7 vulnerabilities can intercept SMS codes. For most SMBs, SMS MFA is still a massive improvement over no MFA. For higher-risk accounts (admin accounts, finance), use an authenticator app.
Hardware Keys (FIDO2)
Physical security keys (like YubiKey) plug into USB and provide the strongest MFA protection available. Completely phishing-resistant. Best for admin accounts and executives who are high-value targets.
Our recommendation for Montreal SMBs: Microsoft Authenticator app with number matching for all users. Hardware keys for admin accounts. Avoid SMS-only MFA if you can.
Where to Enable MFA in Your Business
MFA should be enabled everywhere that matters — not just Microsoft 365:
- Microsoft 365 — first priority, covers email, Teams, SharePoint, OneDrive
- VPN — remote access without MFA is a major attack vector
- Business banking portals — most Canadian banks offer MFA; use it
- Accounting software — QuickBooks, Sage, and similar platforms support MFA
- CRM and ERP systems — any system with client data or financial information
- Domain registrar and DNS — an often-overlooked account with enormous leverage if compromised
- Cloud services — AWS, Azure, Google Cloud admin accounts
The Common Objection: "It's Inconvenient"
The most common pushback we hear from Montreal SMB employees when MFA gets rolled out: "It's annoying, it slows me down."
The honest answer: it adds about 5 seconds to each login. Microsoft Authenticator remembers trusted devices, so you typically only need to approve on a new device or after a defined period (we usually set this to 14 days). After the first week, most users barely notice it.
The alternative — having your email or Microsoft 365 account compromised — typically results in days of disruption, potential data loss, client notification obligations under Law 25, and significant recovery costs. Five seconds per login is an extremely good trade.
How to Enable MFA in Microsoft 365
The quickest way to enable MFA for your entire Microsoft 365 organization:
- Log in to the Microsoft 365 Admin Center (admin.microsoft.com) as a global admin
- Go to Settings → Org Settings → Security & privacy → Multi-factor authentication
- Enable Security Defaults (the fastest option — enforces MFA for all users) OR
- Set up Conditional Access policies for more granular control (recommended for M365 Business Premium)
- Communicate the change to your team with instructions to download Microsoft Authenticator
- Set a roll-out date and enforce it
For most organizations, Security Defaults is the right starting point. For businesses with M365 Business Premium, Conditional Access gives you more control — requiring MFA only from unrecognized devices, for example, which reduces friction for employees on their regular work computers.
The Bottom Line
MFA is the highest-impact security change most Montreal small businesses can make — and it costs nothing to enable in Microsoft 365. The fact that many SMBs still haven't turned it on is one of the most common (and preventable) security gaps we find during IT assessments.
If you're not sure whether MFA is enabled across your organization, or whether it's configured correctly, our free IT assessment will tell you — along with a clear action plan to address any gaps we find.
Want to Know Where Your IT Stands?
Book a free 30-minute IT assessment with Evolv I.T — we'll review your current setup and give you honest, actionable advice. No commitment, no sales pitch.