Multi-Factor Authentication for SMEs: Implementation Guide

Multi-factor authentication (MFA) is consistently identified as one of the highest-impact security controls available to any organisation. Microsoft has reported that accounts protected by MFA are more than 99% less likely to be compromised by automated credential attacks such as password spraying and credential stuffing. NIS2 lists multi-factor authentication among its required security measures. ISO 27001:2022 Annex A covers it under control 8.5, Secure authentication. Cyber Essentials requires MFA for all user and administrator accounts on cloud services.

Despite this, a significant proportion of Irish SMEs have not deployed MFA across all critical accounts. This guide explains what MFA is, which accounts to prioritise, what authentication methods to use, and how to roll it out without disrupting day-to-day operations.

What Is Multi-Factor Authentication?

Authentication is the process of verifying that someone is who they claim to be. Single-factor authentication — the standard username and password — relies on one piece of evidence. Multi-factor authentication requires at least two independent factors from different categories:

  • Something you know — password, PIN
  • Something you have — authenticator app, hardware token, SMS code
  • Something you are — biometric (fingerprint, face recognition)

MFA raises the bar for attackers because compromising one factor (for example, stealing a password through phishing) is no longer sufficient to gain access. The attacker must also obtain the second factor, which means stealing a device, intercepting a code, or tricking the user into approving or relaying a prompt in real time. How hard that is depends on the method, which is why the choice of method matters as much as the decision to enable MFA.

Not All MFA Is Equal

Authentication methods vary significantly in their resistance to attack:

Hardware security keys (FIDO2/WebAuthn) — the strongest option available. Physical keys (YubiKey, Google Titan) must be present, and the credential is bound to the legitimate site's origin: the browser only offers it to that site, and the signed response includes the origin the browser actually connected to, so a look-alike phishing page cannot obtain a response the real service will accept. Use these for the highest-value accounts, in particular administrators.

Authenticator apps (TOTP) — time-based one-time passwords generated by apps such as Microsoft Authenticator, Google Authenticator or Authy. Strong protection against credential stuffing, password spraying and reused passwords, and a clear improvement over SMS. They are not phishing-resistant, however: a real-time phishing proxy sitting between the user and the genuine login page can relay the six-digit code within its validity window (typically 30 seconds plus a tolerance step) and sign in as the user. The recommended baseline for most SME accounts, with hardware keys for the accounts that matter most.

Push notifications — a prompt is sent to a registered device and the user approves it. Convenient, but vulnerable to MFA fatigue (push bombing): an attacker holding a stolen password triggers prompts repeatedly until the user approves one by mistake or simply to make them stop. Where the platform offers it, enable number matching (the user must type a number shown on the login screen into the app) and display the requesting application and location in the prompt; both turn a one-tap approval into a deliberate check.

SMS codes — the weakest common MFA method. Vulnerable to SIM swapping and SS7 interception, relayable in real time in the same way as TOTP codes, and dependent on the mobile operator's account-recovery process, which the organisation does not control. Acceptable only for low-risk accounts; not for privileged accounts or systems holding sensitive data.
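The difference between "stops credential stuffing" and "phishing-resistant" is easiest to see in code. The following is an added example written for this guide, not code from the original page or from any vendor. It implements RFC 6238 TOTP (HMAC-SHA1, 30-second steps, checked against the RFC's published test vector) and a toy WebAuthn-style assertion whose signed client data carries the origin the browser actually connected to, then simulates an adversary-in-the-middle (AitM) phishing proxy relaying each factor to the real identity provider. The secret, origins, times and device key are constructed, and the WebAuthn signature is a stand-in HMAC rather than a real public-key signature so the block runs with the standard library only.

```python
"""Why TOTP is not phishing-resistant and FIDO2/WebAuthn is (added example)."""
import base64
import hashlib
import hmac
import json
import struct

STEP = 30                                                # RFC 6238 default time step (seconds)
REAL_ORIGIN = "https://login.contoso.example"            # constructed legitimate origin
PHISH_ORIGIN = "https://login.contoso-secure.example"    # constructed look-alike origin


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HOTP over the counter floor(T / STEP) with SHA-1 and dynamic truncation."""
    pad = "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(secret_b32.upper() + pad)
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, code: str, unix_time: int, skew: int = 1) -> bool:
    """Server-side check accepting +/- `skew` steps of clock drift, as most IdPs do."""
    return any(hmac.compare_digest(totp(secret_b32, unix_time + d * STEP), code)
               for d in range(-skew, skew + 1))


def aitm_relay_totp(secret_b32: str, now: int) -> bool:
    """The victim types the code into the phishing page; the proxy forwards it to the
    real IdP seconds later. Nothing in a TOTP code says where it was typed, so it verifies."""
    code_typed_into_phish_page = totp(secret_b32, now)
    forwarded_at = now + 5
    return verify_totp(secret_b32, code_typed_into_phish_page, forwarded_at)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def webauthn_assert(device_key: bytes, challenge: bytes, browser_origin: str) -> dict:
    """Authenticator side. The browser, not the user, fills in `origin` from the page it is
    really on, and the signature covers it (stand-in HMAC replaces the real signature)."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": _b64url(challenge),
                              "origin": browser_origin}, sort_keys=True).encode()
    sig = hmac.new(device_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "signature": sig}


def webauthn_verify(device_key: bytes, assertion: dict, challenge: bytes, rp_origin: str) -> bool:
    """Relying-party side: type, origin and challenge must match before the signature counts."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("origin") != rp_origin:
        return False
    if cd.get("challenge") != _b64url(challenge):
        return False
    expected = hmac.new(device_key, hashlib.sha256(assertion["clientDataJSON"]).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def aitm_relay_webauthn(device_key: bytes, challenge: bytes) -> bool:
    """The proxy forwards the real RP's challenge, but the victim's browser is on the phishing
    origin, which ends up inside the signed client data, so the real RP rejects the relay."""
    relayed = webauthn_assert(device_key, challenge, PHISH_ORIGIN)
    return webauthn_verify(device_key, relayed, challenge, REAL_ORIGIN)


if __name__ == "__main__":
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # RFC 6238 test secret "12345678901234567890"
    print("TOTP at T=59:", totp(secret, 59))        # 287082 (RFC 4226/6238 test vector)
    print("TOTP relayed by AitM proxy accepted:", aitm_relay_totp(secret, 1_700_000_000))
    print("WebAuthn relayed by AitM proxy accepted:", aitm_relay_webauthn(b"device-key", b"nonce"))
```

The TOTP relay succeeds because the verifier only learns the code and the time; the WebAuthn relay fails because the verifier also learns, under signature, which origin the user was really talking to. In a real deployment the browser additionally refuses to exercise the credential on any origin outside its registered RP ID, so the phishing page never gets an assertion at all.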

Which Accounts to Prioritise

Immediate priority, enable first:

  • Email accounts (Microsoft 365, Google Workspace): email is the primary attack vector and the recovery mechanism for every other account
  • Cloud administration and management consoles
  • VPN and remote access
  • Password manager (if used)
  • Financial systems: banking, accounting, payroll

Second priority:

  • All SaaS applications used by staff
  • Source code repositories
  • Customer-facing systems
  • Any system with access to personal or sensitive data

Final phase:

  • Internal systems accessible only from the corporate network
  • Developer and test environments

The principle: MFA should be on everything. Prioritise by the value of what the account can access and the consequences of its compromise.

Rollout: Avoiding Common Failures

Enable in audit mode first. Before enforcing MFA, run the policy in a monitoring or audit mode if your platform supports it (in Microsoft Entra ID, formerly Azure AD, Conditional Access policies can be created in report-only mode, which logs what the policy would have done to each sign-in without blocking anything). Use the results to identify which users have already enrolled, which would be blocked, and which legacy clients or service accounts would break, so those are dealt with before enforcement begins.

Communicate before you enforce. Staff who receive an unexpected MFA prompt without prior warning will contact IT support in volume. Send a clear communication — what is changing, why, when, and what they need to do to enrol — at least a week before enforcement.

Provide enrolment support. Publish a short, step-by-step guide to installing and configuring the authenticator app, including how to register a backup method and what to do when a phone is lost or replaced. Keep support available for the first few days after enforcement, when most enrolment problems surface.

Handle exceptions carefully. Some accounts (service accounts, shared accounts, legacy systems that do not support MFA) need alternative controls. Document each exception with an owner and a review date, assess the risk, and apply compensating controls: long, randomly generated credentials held in a password manager or vault, sign-in restricted to known source IP addresses, no interactive logon for accounts that are meant to be non-interactive, and monitoring of their sign-ins. Do not allow exceptions to become permanent workarounds for convenience.

Do not rely on SMS for high-value accounts. If you are deploying MFA on administrative accounts, financial systems, or accounts with access to sensitive data, use an authenticator app or hardware key — not SMS codes.
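Once a per-user MFA registration report has been exported from the identity provider, the prioritisation above and the rule on SMS can be applied mechanically to produce a remediation list. The following is an added example written for this guide, not the page's or any vendor's code. The record shape (account, privileged flag, systems the account can reach, registered methods) is an assumption loosely modelled on the per-user registration reports identity providers export, the system labels are constructed, and the sample accounts are constructed. It orders findings by the guide's tiers, flags SMS-only high-value accounts, and flags privileged accounts that do not hold a hardware key.

```python
"""Triage MFA gaps from a per-user registration export (added example)."""
from dataclasses import dataclass

# Relative strength of registered methods; anything unrecognised counts as no MFA.
STRENGTH = {"fido2": 3, "totp": 2, "push": 2, "sms": 1}

# The guide's rollout tiers, keyed by constructed system labels (assumption, not vendor names).
TIER = {
    "email": 1, "cloud-admin": 1, "vpn": 1, "password-manager": 1, "finance": 1,
    "saas": 2, "source-control": 2, "customer-portal": 2, "personal-data": 2,
    "internal-only": 3, "dev-test": 3,
}


@dataclass(frozen=True)
class Account:
    upn: str
    privileged: bool
    systems: tuple
    methods: tuple


def tier(acct: Account) -> int:
    """Most urgent tier among the systems the account reaches; privileged accounts are always tier 1."""
    if acct.privileged:
        return 1
    return min((TIER.get(s, 3) for s in acct.systems), default=3)


def strongest(acct: Account) -> int:
    """Strength of the best method registered, 0 when none."""
    return max((STRENGTH.get(m, 0) for m in acct.methods), default=0)


def triage(accounts) -> list:
    """Return (tier, upn, finding) rows, most urgent tier first, then by account name."""
    rows = []
    for a in accounts:
        t, s = tier(a), strongest(a)
        if s == 0:
            rows.append((t, a.upn, "no MFA method registered"))
        elif t == 1 and s == 1:
            rows.append((t, a.upn, "SMS-only on a high-value account; move to authenticator app or FIDO2 key"))
        elif a.privileged and s < 3:
            rows.append((t, a.upn, "privileged account without a FIDO2 hardware key"))
    rows.sort(key=lambda r: (r[0], r[1]))
    return rows


# Constructed sample export; none of these accounts exist.
SAMPLE = (
    Account("cfo@contoso.example", False, ("email", "finance"), ("sms",)),
    Account("globaladmin@contoso.example", True, ("cloud-admin",), ("push",)),
    Account("dev1@contoso.example", False, ("source-control", "dev-test"), ()),
    Account("intern@contoso.example", False, ("internal-only",), ("totp",)),
    Account("seckey-admin@contoso.example", True, ("cloud-admin",), ("fido2", "totp")),
)

if __name__ == "__main__":
    for t, upn, finding in triage(SAMPLE):
        print(f"tier {t}  {upn:<32} {finding}")
```

Feeding a real export in means mapping the provider's column names onto Account and its group or application assignments onto the system labels; the classification logic itself does not change.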

MFA and Compliance

NIS2 — Article 21(2)(j) lists "the use of multi-factor authentication or continuous authentication solutions" among the minimum cybersecurity risk-management measures, qualified by "where appropriate". For an in-scope entity, leaving MFA off internet-facing or privileged accounts is difficult to justify as appropriate.

ISO 27001:2022 — Control 8.5 (Secure authentication) requires strong authentication to be applied based on access restrictions and the topic-specific access control policy.

Cyber Essentials — requires MFA on all cloud services and user accounts that can access cloud services.

GDPR — does not name MFA, but Article 32 requires "appropriate technical and organisational measures" proportionate to the risk. For systems holding personal data, MFA on remote and administrative access is treated as part of that baseline, and regulators have cited its absence in enforcement decisions following credential-based breaches.

How ShieldIQ Supports MFA Compliance

ShieldIQ's security controls module includes MFA deployment as a tracked control across NIS2, ISO 27001, and Cyber Essentials. Your MFA coverage can be documented, evidence attached, and gaps tracked on the remediation action board.

Run a free security assessment to see your current authentication posture →