For years, multi-factor authentication sat in the category of good practice rather than basic requirement. Businesses knew it was a reasonable thing to have, but treated it as something to roll out eventually, usually after a more urgent priority cleared the queue. That window has closed. A password alone is no longer a meaningful barrier against the kind of access attempts businesses face today, and treating MFA as optional now means accepting risk that has no real upside.
Passwords were never as strong as they felt. Most people reuse them across multiple accounts, choose ones that are easy to remember, and rarely update them unless forced to. Attackers have known this for years and built entire industries around it: credential stuffing, where stolen password lists from one breach are tested against other services, and phishing, which remains the most reliable way to simply ask for a password directly.
What has changed is the scale and speed at which this happens. Breached credential databases circulate widely and get tested automatically against thousands of services within hours of becoming available. AI-assisted phishing has made the messages requesting credentials more convincing than they used to be, closing the gap between a suspicious email and one that looks completely legitimate. A password that would have offered reasonable protection five years ago now offers very little, simply because the tools used against it have improved faster than the password itself.
MFA is effective for a simple reason. It requires something beyond knowledge of a password, typically something the user physically has, such as a phone generating a time-based code, or something tied to the user directly, such as a fingerprint. An attacker who obtains a password through a breach or phishing attempt still cannot complete the login without that second factor, which they do not have and cannot easily obtain remotely.
This does not make an account unbreakable. Attacks exist that defeat a second factor as well: real-time phishing proxies that relay a one-time code to the legitimate site while it is still valid, push-notification bombardment that wears a user down until they approve a login they did not start, and SIM swapping against codes sent by SMS. But these attacks require significantly more effort and infrastructure than simply replaying a stolen password, and they are far less common in practice. MFA does not eliminate risk. It removes the easiest and most common path to unauthorized access, which is where the overwhelming majority of real-world incidents originate.
The businesses still without MFA tend to fall into a predictable pattern. They have not been breached yet, so the absence of MFA has not produced a visible consequence, and the lack of consequence gets mistaken for the absence of risk. This is a misleading signal. A business without MFA is not safe because nothing has happened; it may simply not yet know about an intrusion that has already occurred, since credential-based access typically does not announce itself the way a ransomware note does.
When a breach does happen through a compromised password, the costs extend well beyond the immediate incident. Notification obligations under data protection law, the time spent investigating what an attacker accessed, and the damage to client trust once a breach becomes known all follow from an entry point that MFA would likely have closed. For a business that has not yet implemented it, the absence of MFA is not neutral. It is an open door that has simply not been used yet.
MFA does not need to be applied uniformly or aggressively across every system at once to be effective. The highest priority systems are the ones that, if compromised, would do the most damage: email accounts, financial systems, cloud storage containing client data, and any system with administrative access to other tools, above all the identity provider or admin console that controls the rest. These deserve MFA first, regardless of how small the business is.
Authenticator apps generating time-based codes are a reasonable default for most businesses and avoid the weaknesses of SMS-based codes, which can be intercepted through SIM-swapping attacks. A time-based code can still be relayed by a phishing page while it is valid, so it is not phishing-proof. Hardware security keys using FIDO2/WebAuthn offer stronger protection still, because the credential is bound to the site's origin and a relayed login fails; they are worth the modest cost for accounts with the highest exposure, such as those with administrative privileges.
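The time-based codes mentioned above are produced by the TOTP algorithm (RFC 6238, built on HOTP from RFC 4226): phone and server share a secret, and each derives a short code from an HMAC over the current 30-second time step, so a stolen password alone is useless without the secret. The following is an added example, not code from the original article, showing both sides: code generation as an authenticator app does it, and server-side verification with a small clock-skew window, constant-time comparison, and replay rejection so that a code an attacker captures cannot be submitted a second time inside its validity window. The secret is the published RFC 4226/6238 test key, embedded here as a constructed base32 string; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length most authenticator apps use

# Constructed sample secret: the RFC 4226/6238 test key "12345678901234567890",
# base32-encoded as it would appear in an authenticator app's provisioning QR code.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32: str) -> bytes:
    """Decode a base32 shared secret, tolerating the spaces and missing
    padding that provisioning URIs commonly omit."""
    cleaned = b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step.
    This is what the authenticator app computes and displays."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_accepted_counter: int = -1, window: int = 1,
                step: int = STEP_SECONDS):
    """Server-side check of a submitted code.

    Returns (accepted, counter). The counter of an accepted code must be
    persisted and passed back as last_accepted_counter on the next attempt,
    so the same code cannot be replayed within the skew window. The window
    of +/- one step tolerates a slightly drifted phone clock. Comparison is
    constant-time to avoid leaking how many leading digits matched.
    """
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False, last_accepted_counter  # malformed input, reject outright
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_accepted_counter:
            continue  # this step was already consumed (or is older): replay
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return True, candidate
    return False, last_accepted_counter


if __name__ == "__main__":
    secret = decode_secret(SAMPLE_SECRET_B32)
    now = int(time.time())
    code = totp(secret, now)                      # what the phone would show
    accepted, counter = verify_totp(secret, code, now)
    print("code:", code, "accepted:", accepted)
    # Submitting the same code again with the stored counter is rejected.
    print("replay accepted:", verify_totp(secret, code, now, counter)[0])
```

Two details matter in deployment and are easy to get wrong: the accepted counter has to be stored per user (otherwise a captured code remains usable for up to 90 seconds with this window), and the window should stay small, since every extra step widens the interval in which a relayed code works.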
Rolling this out does not require a large IT budget or a dedicated security hire. Most major productivity and cloud platforms already include MFA as a built-in option, often at no additional cost. The barrier is rarely technical. It is usually the assumption that this can wait, applied repeatedly until it becomes the default position.
A password was once enough because the tools used against it were weaker. That is no longer the case, and the businesses still waiting to add a second factor are relying on an assumption that stopped being true some time ago.