Tip 2: MFA everywhere you can

The text "security tips for your organisation" on a blue/green background. To the right is a silver shield and padlock. In the background are dots linked by lines suggesting a network.
This post is one in a collection of tips to help you protect yourself, your business, or your organisation online. The series was published from 23rd June 2025 over two weeks and you can view other posts in the series here.

I sometimes get asked what the biggest tip is that I can give someone who's worried about their security, and I start with Multi-Factor Authentication. Sometimes you'll see this called Two-Factor Authentication, or abbreviated as MFA or 2FA.

Image showing an app titled "Multi-Factor Authentication".  There are logos for three companies (Microsoft, Google, Dropbox), each with their company name and numbers underneath them.  To the right of each code is a countdown timer showing 18 seconds are remaining.  At the bottom there are buttons requesting a fingerprint and a tick "approve" button.

Simply put, MFA requires the person logging in to provide an additional confirmation that they are who they say they are. MFA takes many forms, from codes sent by SMS text message, to time-sensitive codes generated by an app, to hardware keys like a YubiKey or Google Titan. With MFA enabled, you need to have one of these things before you can log in, and an attacker is unlikely to have a code generated by an app on your phone (or your hardware key).

Bright blue, flat, rectangle device with gold metal contacts for plugging into a USB socket.  In the middle of the rectangle is a gold circle with a key symbol on it.  There's also a hole so the device can be placed on a key chain.
A hardware security key made by Yubico. This example supports the FIDO U2F standard, and is plugged into a USB port. The user then touches the gold circular button to complete the MFA step.

Enabling MFA is quick, often free, and an easy way to improve security. Any MFA is better than no MFA, but if you have the option to use an app to generate codes, that is better than getting a text message. Text messages require you to have signal (not guaranteed), and there are attacks that could allow an attacker to get your text message. That attack scenario is probably not something most of us worry about, but if you are a high-ranking individual in a big company you may wish to consider it.
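To show why the time-sensitive codes from an app need no signal and are useless to someone without your phone, here is an added example (not part of the original post) of the standard behind most authenticator apps, TOTP from RFC 6238, together with a server-side check. The secret is the RFC's published test value, and the `Verifier` class, its drift window and its replay check are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code stays valid (RFC 6238 default)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: code = f(shared secret, current time)."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def seconds_remaining(unix_time: int) -> int:
    """The countdown an authenticator app shows next to each code."""
    return STEP - unix_time % STEP


class Verifier:
    """Hypothetical server side: tolerate small clock drift, refuse reuse."""

    def __init__(self, secret: bytes, drift_steps: int = 1, digits: int = 6):
        self.secret = secret
        self.drift = drift_steps
        self.digits = digits
        self.last_used = -1  # newest time step already accepted

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // STEP
        for step in range(now - self.drift, now + self.drift + 1):
            if step <= self.last_used:
                continue  # a code seen once cannot be replayed
            expected = totp(self.secret, step * STEP, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_used = step
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real one
    t = 1111111109                    # constructed timestamp from the RFC
    code = totp(secret, t)
    server = Verifier(secret)
    print(code, "valid for", seconds_remaining(t), "more second(s)")
    print("first use accepted:", server.verify(code, t))
    print("replay accepted:   ", server.verify(code, t))
```

The code is computed entirely on the device from a secret shared at enrolment plus the clock, so nothing travels over the phone network where a text message could be intercepted.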


Banner image: Generated by Google Gemini from the prompt "Generate a new banner image. There should be a dark background with a network of nodes overlaid. A shield and a padlock should be on the right, on top of the nodes. On the left should be the text "Security tips for your organisation". That exact text should be used. Make the network nodes have a green and blue gradient."

This post was also shared via LinkedIn as a post from my company, Jonco IT & Security Ltd.

MFA app mock-up generated by Microsoft Copilot.

Blue Yubikey U2F USB token image by Bautsch on Wikimedia (public domain).