Proudly supported by

Australian Government logo


Resources Hub / Small business cyber basics / Four questions you’ve always wanted to ask about multi-factor authentication

Four questions you’ve always wanted to ask about multi-factor authentication


Ask any cyber security expert to recommend their top security tips for small businesses and MFA, or multi-factor authentication, will be near to the top of the list.

Whether it’s for email accounts, social media, online shopping or work platforms, MFA adds another layer of security beyond simple password access.

MFA can come in a number of different forms and use a variety of platforms so it’s important to understand how it works and how you can turn it on today and put another roadblock in front of cyber criminals.

Here are the top four questions about MFA answered.

What is MFA?

MFA can also be known as two-factor authentication (2fa), two-step verification or a security key.

If your password is a key to unlock your business, MFA represents an additional layer of security like a digital alarm system.

MFA requires two or more proofs of identity to access an account, putting an additional barrier between you or your small business and cyber criminals.

Typically, MFA uses a combination of a password or secret question and a code, something physical (a card or token) or biometric (face scan or fingerprint).

While it all sounds very Mission Impossible, it’s actually a very efficient and simple solution that has a significant security impact.

Why is MFA important?

With one cyber crime reported in Australia every six minutes (according to the Australian Signals Directorate (ASD)), taking additional measures to protect your accounts and personal information from cyber criminals is critical.

What makes MFA so powerful is that it’s not just another password.

MFA is so effective against criminals because it requires multiple proofs of identity before access is granted to sensitive information.

While cyber criminals might be able to steal a password, they will have to get their hands on a second item of verification before they can access your account.

If this proof of identity is biometric, such as a face scan or fingerprint, that puts a strong barrier in front of would-be criminals.

The ASD and the Australian Cyber Security Centre say what makes MFA so powerful is that it “defends against the majority of password-related cyber attacks”.

These can occur in “credential stuffing attacks” when criminals steal passwords from one website and attempt to use them on another to gain access.

MFA also works like an alarm system. If someone shady is trying to access your accounts or systems, MFA will alert you to a sign-in attempt.

The MFA system can contact you to confirm that it is indeed you trying to log in. And, if it’s not, you’ll know to change your passwords.

What should I use MFA for?

Experts recommend that you enable MFA for any online systems that host important personal or business information and sensitive accounts.

These include:

  • Email: cyber criminals who have access to your email account can reset your passwords for other accounts.
  • Financial services: most major banks have MFA enabled on their banking apps, so make sure you switch it on. Also remember your accounting and payroll, invoicing software, share portfolio, and any financial system you have.
  • Accounts where you have important business information: Cloud drives, company database and even your logins to your company website should be protected with MFA.
  • Accounts where your banking details are saved: these include PayPal, Amazon, eBay or other online shopping outlets.
  • Social media accounts: think Instagram, LinkedIn and Facebook, and if you are using a business social media manager tool, don’t forget that as well.
  • Accounts that hold your personal information: these include websites like myGov or your Microsoft or Apple ID accounts.

How do I turn on MFA?

MFA can come in a variety of forms and differs depending on the type of software, application or service you are using.

The most common options for MFA are:

  • SMS: a randomly generated code that is sent from your account to your email or SMS containing a ‘one-time password’. This is not as secure as other forms of MFA.
  • Authenticator app: These are mobile applications that generate random one-time passwords and are more secure than receiving a code via SMS. Experts warn text messages can be intercepted, while you must have your phone in hand to use an authenticator app. Don’t forget to switch on security features for your authenticator app to add an additional security layer. There are a number of authenticator apps available including Google Authenticator, LastPass Authenticator, Microsoft Authenticator and Aunty Authenticator.
  • Biometrics: This method uses your face or fingerprints to access your device or apps.


Apps for banking, online shopping, social media or email services often have built-in MFA systems. For example, many online banking apps let you switch on biometric facial recognition to log in.

To access these, open your app and look for security or privacy settings.

The Australian Cyber Security Centre has links to detailed instructions on how to set up MFA for a number of popular important accounts including email, financial services and online shopping.

Don’t forget to update your details, passwords and phone numbers when they change if you are using MFA to ensure you maintain access to your accounts.

It’s also recommended you have a recovery method associated with your key accounts in case you cannot access your authenticator app or accidentally delete it.

Turning on MFA is a simple, free and highly powerful way to add a virtual security system to your most important accounts.

Combined with a strong password (or passphrase!), MFA can create a significant barrier between would-be thieves and your most important information and assets.

With Cyber Wardens, you can keep your digital floors clean and free of cyber criminals fishing.

Learn easy and simple cyber security tips for your small business

More helpful resources for you and your business

It happened to me!

Have you got a Cyber attack story to share? Your story can help other small businesses protect themselves.

It happened to me!

Have you got a Cyber attack story to share? Your story can help other small businesses protect themselves.