
Multi-factor authentication

MFA means requiring something beyond a password to log in. Usually it's something you have (a phone, a hardware key) in addition to something you know (the password).

With MFA enabled, even if an attacker gets your password, they still can't log in without the second factor. This is the single highest-leverage security control for small companies after a password manager.

Types of MFA (from worst to best)

SMS codes — A code texted to your phone. Better than nothing, but vulnerable to SIM swapping, where someone convinces your carrier to move your number to their phone, and to real-time phishing, since a code you type into a fake login page can be relayed straight to the real one. Don't use this for critical accounts if you can avoid it.

TOTP apps — Apps that generate time-based codes that change every 30 seconds, derived from a secret that is shared with the service once (the QR code) and then never leaves your device. Much better than SMS: there is no carrier to social-engineer, and it works offline. It is not phishing-resistant, though; the code is just six digits, and a fake login page can relay it to the real site within the 30-second window. This is the baseline you should use everywhere. We recommend Passwork 2FA (iOS, Android): it works as a standard TOTP authenticator for any service, setup is automatic via QR code, and if you're already using Passwork as your password manager it's the natural choice, because login confirmation for Passwork itself happens in one tap without typing a code.

Push notifications — Apps that send a push notification you approve. Convenient, reasonably secure. Watch out for "MFA fatigue" attacks, where an attacker who already has the password spams push notifications hoping you'll approve one just to make them stop. Where the provider offers number matching (the login screen shows a number you must type into the app), turn it on; an accidental "approve" then no longer works.

Hardware keys — Physical devices like YubiKey that you plug in or tap. The most secure option. Phishing-resistant: with FIDO2/WebAuthn the credential is bound to the site's origin, so a look-alike domain gets no valid response from the key, and there is no code for you to type into the wrong page. More expensive (roughly $25 to $50 per key, and you need at least two), but worth it for admin accounts.

For most small companies, the right answer is: TOTP for everyone, hardware keys for admin accounts if budget allows.

Where to enable MFA first

Not everything needs MFA on day one. Prioritize based on damage potential:

Priority 1: Enable immediately

  • Email (Google Workspace, Microsoft 365) — email is the keys to the kingdom because it's used for password resets everywhere
  • Domain registrar and DNS — whoever controls the domain can repoint your mail (MX records) and with it every password reset
  • Cloud provider console (AWS, GCP, Azure) — full access to your infrastructure
  • Code repository (GitHub, GitLab, Bitbucket) — access to your source code and often deployment pipelines
  • Password manager — if someone gets in here, they get everything. Passwork supports MFA via TOTP, hardware security keys (FIDO2/WebAuthn), and one-tap confirmation through the Passwork 2FA app

Priority 2: Enable within first month

  • Production databases
  • CI/CD systems (if separate from code repo)
  • Customer data platforms (CRM, support tools)
  • Financial systems (banking, accounting software)

Priority 3: Enable over time

  • Internal tools (project management, documentation)
  • Development/staging environments
  • Marketing tools

Implementing MFA

Step 1: Audit current state

Make a list of critical services. Check which ones have MFA enabled. For services that support MFA, check which users have it on.

You'll probably find that some accounts have MFA, some don't, and nobody has a complete picture.
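For the audit in Step 1, here is an added example (not code from the page) that reads an AWS IAM credential report, lists console users without MFA, flags the root account, and separates out access-key-only service users that no console MFA setting will cover. The CSV embedded below is a constructed sample in the real report's column layout; fetch_live_report assumes the AWS CLI is installed and configured with permission to read the report.

```python
import base64
import csv
import io
import json
import subprocess
import time

# Constructed sample in the column layout of an AWS IAM credential report.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2021-03-01T10:00:00+00:00,not_supported,2024-05-02T08:11:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-01-15T09:00:00+00:00,true,2024-05-01T12:30:00+00:00,2024-01-15T09:00:00+00:00,N/A,true,true,2024-01-15T09:00:00+00:00,2024-05-01T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-06-10T14:00:00+00:00,true,2024-04-28T16:45:00+00:00,2023-06-10T14:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2023-02-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-02-01T00:00:00+00:00,2024-05-02T07:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def audit_mfa(report_csv: str) -> dict:
    """Classify every identity in a credential report for an MFA rollout.

    Returns a dict with:
      missing_mfa       console-capable identities whose mfa_active is not "true"
      root_without_mfa  True if the root row is present and has no MFA
      console_users     number of identities that can sign in to the console
      console_and_keys  console users who also hold an active long-lived access key
                        (console MFA does not protect API calls made with those keys)
      key_only          identities with no password, i.e. service users, to audit separately
    """
    result = {"missing_mfa": [], "root_without_mfa": False,
              "console_users": 0, "console_and_keys": [], "key_only": []}
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == "<root_account>"
        # Root always has a console password (its column reads not_supported);
        # an IAM user can sign in only when password_enabled is "true".
        has_console = is_root or row["password_enabled"] == "true"
        has_key = "true" in (row["access_key_1_active"], row["access_key_2_active"])
        if not has_console:
            if has_key:
                result["key_only"].append(row["user"])
            continue
        result["console_users"] += 1
        if row["mfa_active"] != "true":
            result["missing_mfa"].append(row["user"])
            if is_root:
                result["root_without_mfa"] = True
        if has_key:
            result["console_and_keys"].append(row["user"])
    return result


def fetch_live_report() -> str:
    """Pull the real report with the AWS CLI (assumes a configured CLI with iam:GenerateCredentialReport
    and iam:GetCredentialReport). Not called by default so the sample audit runs offline."""
    for _ in range(10):
        out = subprocess.run(["aws", "iam", "generate-credential-report", "--output", "json"],
                             check=True, capture_output=True, text=True)
        if json.loads(out.stdout).get("State") == "COMPLETE":
            break
        time.sleep(2)  # generation is asynchronous; poll until the report is ready
    out = subprocess.run(["aws", "iam", "get-credential-report", "--query", "Content", "--output", "text"],
                         check=True, capture_output=True, text=True)
    return base64.b64decode(out.stdout).decode()


if __name__ == "__main__":
    r = audit_mfa(SAMPLE_REPORT)
    print(f"console users: {r['console_users']}, without MFA: {r['missing_mfa']}")
    if r["root_without_mfa"]:
        print("ROOT HAS NO MFA: fix this before anything else")
    print("console + active access keys (MFA does not cover the keys):", r["console_and_keys"])
    print("key-only service users (no console; scope and rotate the keys instead):", r["key_only"])
```

Swap SAMPLE_REPORT for fetch_live_report() to run it against your account. Google Workspace and GitHub expose equivalent per-user MFA status through their admin APIs and report pages; the classification logic is the same, so the same script shape works once the rows are in a table.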

Step 2: Start with yourself

Enable MFA on all your accounts first. Get comfortable with the workflow. Figure out what breaks and what's annoying before you roll it out to the team.

Step 3: Enable on shared/admin accounts

That AWS root account, the GitHub org owner, the Google Workspace admin — these are the highest-risk accounts. Enable MFA on them first.

Store backup codes in the password manager, with one exception: the password manager's own backup codes must live outside it (printed and locked in a safe, for example), or a lost phone locks you out of the vault that holds everything else. If you're using hardware keys for these accounts, register at least two keys and keep them in different locations.

Step 4: Require MFA for the team

Most platforms let you require MFA for all users:

  • Google Workspace: Admin console → Security → Authentication → 2-Step Verification → Enforcement (you can give new users an enrollment grace period)
  • GitHub: Organization settings → Authentication security → Require two-factor authentication. Members who haven't enabled 2FA are removed from the organization the moment you turn this on, so send the warning first
  • AWS: there is no single "require MFA" switch for IAM users. Either attach an IAM policy (or an Organizations service control policy) that denies actions when the aws:MultiFactorAuthPresent condition key is false, or move people onto IAM Identity Center, which can require MFA on every sign-in under Settings → Authentication

Send a heads-up to the team. Give them a deadline (one week is reasonable). Offer to help anyone who gets stuck.

Step 5: Handle exceptions

Someone will complain. A few common situations:

"I don't have a smartphone" — They can use a hardware key, or a TOTP app on their computer. The desktop app is weaker because the secret sits on the same machine as the browser session, so malware that steals one gets both, but it is still better than nothing.

"I lost my phone" — This is why backup codes matter. Store them in the password manager. If they're locked out, an admin can temporarily disable MFA while they set up a new device, but confirm it is really them first, by voice or in person rather than by replying to the request. "I lost my phone, please reset my MFA" is a standard social-engineering pretext.

"This is too inconvenient" — For most services, you don't have to enter MFA every login. "Remember this device for 30 days" options exist. The inconvenience is real but manageable.

Recovery planning

MFA can lock you out of critical accounts if you're not prepared. Plan for these scenarios:

Someone loses their phone

  • Backup codes stored in password manager
  • Admin can disable MFA temporarily for that user, after confirming their identity through a channel other than the request itself
  • For critical shared accounts, multiple people should have access

Key person leaves the company

  • Never have one person as the only admin
  • Critical accounts should have at least two people with full access
  • Document account ownership in a central location

Hardware key fails

  • Always register two keys per account
  • Store the backup in a different physical location

MFA rollout checklist

Use this to track your rollout:

Service                           MFA enabled   Who has access   Backup codes stored
--------------------------------  -----------   --------------   -------------------
Google Workspace / M365 (email)
AWS / GCP / Azure console
GitHub / GitLab / Bitbucket
Password manager
Production database access
Domain registrar
CI/CD platform
Slack / Teams
CRM / customer database
Banking / financial systems

Talking to leadership

If someone asks why you spent time on this:

"We implemented MFA across the company. This blocks the most common types of account compromise, credential stuffing and password reuse, and makes phishing considerably harder. It took about a week and costs nothing for TOTP. For context, a single account takeover at a company our size typically costs significant time in incident response, credential rotation, and customer notification. We've taken the cheapest version of that attack off the table."

Self-check

Before moving on:

MFA coverage

  • Your email has MFA enabled (Google Workspace / M365)
  • Cloud provider console has MFA (AWS / GCP / Azure)
  • Code repository has MFA (GitHub / GitLab)
  • Password manager has MFA
  • Backup codes stored securely (in password manager)
  • At least one admin account has hardware key (if budget allows)
  • You know how to recover if someone loses their phone

Team rollout

  • Team notified about MFA requirement
  • Deadline set for MFA enrollment
  • Help offered to anyone struggling
  • MFA rollout timeline documented

If you can check off at least 8 of these 11 items, move on.

What's next

Passwords and MFA are done. You've closed off the most common attack vector: a leaked or reused password on its own no longer gets anyone in. Typed codes can still be phished in real time, which is what the next step addresses.

Next: passkeys and passwordless authentication — removing passwords from the equation entirely with phishing-resistant cryptographic authentication.