
Why Mandatory MFA is essential for business security

Blog


Emily Keeling

Posted Jan 30, 2025

MFA, or multi-factor authentication, requires users to prove their identity with two or more factors drawn from different categories: something they know (e.g., a password or PIN), something they are (e.g., a fingerprint or facial scan), and something they have (e.g., a phone running an authenticator app or a hardware security key). An attacker who steals the password still lacks the second factor, which is why requiring two or more of these methods drastically improves security.

Previously, all you needed to get into an account was a username or email address and a password. Passwords are routinely phished, guessed, or recovered from other companies' breaches, and the problem is worse when users reuse passwords or store them insecurely. If a username and password are all that stand between an attacker and your accounts, you are leaving your front door open to cybercriminals.

Why Mandatory MFA is key to Zero Trust Security

If MFA isn’t mandatory, you cannot implement zero trust. Zero trust is a strategy that verifies every user’s identity and every access request before granting access, rather than trusting a request because it comes from inside the network. It reduces the likelihood and scale of attacks by limiting the number of entry points and making misuse of them easier to detect. Many businesses follow zero-trust principles as part of their cybersecurity strategy, but a zero-trust model that still lets a password alone grant access is not really verifying identity; it relies on mandatory MFA. Beyond external threats, failing to enforce MFA also exposes businesses to risks from within.

Insider Threats and Optional MFA

If anyone holding a username and password can access an account at any time, intentional insider attacks become straightforward: a colleague who has seen, guessed or shoulder-surfed a password already has everything they need. With MFA, there is an extra step that can be the difference between a blocked attempt and a compromised account. Of course, an insider who also controls that MFA method, or who is simply abusing access they were legitimately granted, will still get in, so MFA is an added layer of complexity rather than a complete answer to insider threats.

Physical Security Risks Without Mandatory MFA

Insider threats aren’t the only risk that optional MFA introduces; without MFA, poor physical security is amplified. If someone gains access to your office, how easy is it for them to log in to your devices and accounts? Passwords written on Post-it notes are one of the most common findings in an office walk-through. It sounds ridiculous, I know, but all it takes is a lone laptop with a password on a Post-it note, and they’re in your network. With mandatory MFA, the physical security risks are still present, but an intruder will only get so far before MFA trips them up.

Balancing Security and User Experience

Of course, your business could simply assess the risk of an attacker breaking into an account without MFA and decide to accept it. If requiring MFA would mean substantial changes to user behaviour, some might argue that making it mandatory could do more harm than good. If you have strong patching, network segregation, and other security controls, you may be relatively secure. As we’ve said before, cybersecurity requires a multi-layered approach, and MFA is just one part of that. In our opinion, it’s better to have it than not: if it’s a choice between the minor inconvenience of mandatory MFA and a ransomware attack, we know which one we’d pick.

A Compromise: Conditional Access

There is a middle ground: conditional access. Conditional access gives admins the power to decide when a user receives an MFA prompt, based on who is signing in, from where, and to what. For example, you could require all accounts to re-authenticate with MFA once a month while requiring admin accounts to do so daily. You can also block sign-ins from other countries unless users give notice before they travel, typically by adding them to an exception group for the duration of the trip. Bear in mind that a location rule is a weaker control than an MFA prompt: an attacker signing in through a VPN or proxy inside your home country will not trip it. It’s still not as secure as mandatory MFA for all logins, but it’s a compromise and better than nothing, and in Microsoft 365 the same conditional access feature is also the mechanism you would use to require MFA for everyone once you are ready.
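As an added example (constructed for this page, not code from the original post), here is how the three rules described above can be expressed as Microsoft Entra Conditional Access policies using the Microsoft Graph PowerShell SDK. It assumes a Microsoft 365 tenant with an Entra ID P1 licence (Conditional Access is a P1 feature), the Microsoft.Graph module installed, and placeholder object IDs for a break-glass account and a travel exception group that you would replace with values from your own tenant; the Global Administrator role template ID is the well-known fixed value. Policies are created in report-only mode so you can review the sign-in logs before enforcing them.

```powershell
# Added example, not from the original post: three Conditional Access policies
# created with the Microsoft Graph PowerShell SDK. Assumes Entra ID P1, the
# Microsoft.Graph module, and that the placeholder IDs below are replaced.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder object IDs (assumed); substitute values from your own tenant.
$breakGlassAccountId       = "00000000-0000-0000-0000-000000000001"  # emergency-access account, excluded from every policy
$travelExceptionGroupId    = "00000000-0000-0000-0000-000000000002"  # users who have given notice that they are travelling
$globalAdminRoleTemplateId = "62e90394-69f5-4237-9190-012177145e10"  # well-known Global Administrator role template ID

# Rule 1: every user re-authenticates with MFA at least every 30 days.
$allUsersMonthly = @{
    displayName = "MFA for all users, re-prompt every 30 days"
    state       = "enabledForReportingButNotEnforced"   # report-only first; change to "enabled" after reviewing sign-in logs
    conditions  = @{
        clientAppTypes = @("all")
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassAccountId) }
        applications   = @{ includeApplications = @("All") }
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{ signInFrequency = @{ isEnabled = $true; type = "days"; value = 30 } }
}

# Rule 2: admin roles re-authenticate daily. A separate policy is needed because
# sign-in frequency is set per policy; when both apply, the stricter value wins.
$adminsDaily = @{
    displayName = "MFA for admin roles, re-prompt daily"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        users          = @{ includeRoles = @($globalAdminRoleTemplateId); excludeUsers = @($breakGlassAccountId) }
        applications   = @{ includeApplications = @("All") }
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{ signInFrequency = @{ isEnabled = $true; type = "days"; value = 1 } }
}

# Rule 3: block sign-ins from outside the UK unless the user is in the travel
# exception group. A country named location is created first and referenced by ID.
$ukLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "United Kingdom"
    countriesAndRegions               = @("GB")
    includeUnknownCountriesAndRegions = $false   # unknown-country sign-ins are treated as outside the UK and blocked
}
$blockOutsideUk = @{
    displayName = "Block sign-ins from outside the UK (travel exception group excluded)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        users          = @{
            includeUsers  = @("All")
            excludeUsers  = @($breakGlassAccountId)
            excludeGroups = @($travelExceptionGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        locations      = @{ includeLocations = @("All"); excludeLocations = @($ukLocation.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($allUsersMonthly, $adminsDaily, $blockOutsideUk)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Two design points worth noting. Every policy excludes the break-glass account, so a misconfigured policy cannot lock every administrator out of the tenant. And the travel exception is an Entra group rather than an edit to the policy itself, so giving notice before a trip becomes a routine group-membership change (ideally with an expiry) instead of a change to a security policy.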

Regardless, the stats speak for themselves.

Research by Microsoft found that enabling MFA reduces the risk of account compromise by more than 99.2%. This statistic is exactly why we believe MFA should be mandatory.

For very little effort, you can protect your accounts from the overwhelming majority of compromise attempts. MFA can be set up within minutes, and a prompt typically adds only a few seconds to a login (depending on the method chosen; approving a push notification or touching a hardware key is quicker than typing a code). Every company should make MFA mandatory for all accounts; it’s a no-brainer.

Microsoft has already started enforcing this for its own admin tools. Since October 2024, MFA has been required to sign in to the Azure portal, the Microsoft Entra admin centre and the Intune admin centre, and from February 3rd, 2025, the requirement extends to all user accounts accessing the Microsoft 365 admin centre. The rollout is phased at the tenant level and is expected to keep expanding to further tools and accounts over time; it is only a matter of time before Microsoft enforces MFA more broadly.

MFA is no longer a nice-to-have; it is a necessity for protecting business accounts from cyber threats. With cyberattacks on the rise and passwords alone offering little protection, implementing MFA is one of the easiest and most effective security steps a company can take.

Setting up MFA is straightforward and takes only a few minutes, yet it cuts the risk of account compromise by more than 99.2%. The minimal time investment is well worth the security benefit. Whether through mandatory MFA for every login or conditional access as a first step, every business should prioritise MFA as part of its cybersecurity strategy.

The risk of not implementing it simply isn’t worth it.