
MFA Is Not Enough: What Else Small Businesses Need to Do


Multi-factor authentication is the single most recommended security control for small businesses, and for good reason. It blocks the vast majority of automated credential attacks. But somewhere along the way, MFA became the finish line instead of the starting line. Business owners hear “turn on MFA” so often that many assume once it is enabled, they are covered. They are not. Attackers have adapted, and MFA alone leaves significant gaps that are being exploited regularly. Here is what MFA does not protect against and what you need alongside it.

What MFA Actually Protects Against

Before getting into the gaps, it is worth understanding what MFA does well. MFA requires a second form of verification beyond a password, typically a code from an authenticator app, a push notification, or a hardware key. This means that if an attacker steals or guesses a password through a phishing email, a credential dump, or brute force, they still cannot log in without that second factor.

This is genuinely effective against the most common attack pattern: stolen credentials used in automated login attempts. Credential stuffing attacks, where attackers take username and password combinations leaked from one breach and try them against other services, fail completely when MFA is enabled. Microsoft has published data showing that MFA blocks over 99% of automated account compromise attempts. That number is real and significant.

The problem is that the remaining fraction of attacks, the ones that bypass MFA, are exactly the type that target businesses specifically rather than spraying credentials at scale. These are not automated. They are deliberate, and they work.

MFA Fatigue Attacks

MFA fatigue, also called push bombing or prompt bombing, exploits a weakness in push-based MFA. The attacker already has the victim’s username and password, usually from a phishing attack or a credential leak. They initiate login attempts repeatedly, which sends a flood of MFA push notifications to the victim’s phone. The notifications arrive one after another, sometimes dozens of them, at all hours.

Eventually, the victim approves one. Maybe they are frustrated and want the notifications to stop. Maybe they are half asleep at 2 AM and tap “Approve” out of habit. Maybe they assume it is a system glitch. Whatever the reason, one accidental approval is all the attacker needs. Once they are in, MFA has been satisfied and will not challenge them again for that session.

This is not a theoretical attack. It was used in the 2022 Uber breach, where an attacker bombarded an employee with push notifications and then sent a WhatsApp message pretending to be IT support, asking them to approve the request. The employee complied. The attacker gained access to internal systems.

The fix is straightforward but requires a configuration change most small businesses have not made. Number matching, where the login screen displays a number that the user must type into their authenticator app, eliminates fatigue attacks because the user cannot approve without seeing the screen. Microsoft Entra ID (formerly Azure AD) supports number matching for Authenticator push notifications, and it should be enabled for every organization using push-based MFA.
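The burst-then-approve pattern described above is something a monitoring team can look for in sign-in logs even before number matching is rolled out. The following is an added example, not code from the original post or from Sequentur: it runs a sliding-window rule over a constructed push-prompt log (format and threshold are assumptions) and flags users who received a burst of prompts, with a higher severity when the burst ended in an approval.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # how far back to look for earlier prompts (assumed)
THRESHOLD = 5                    # prompts inside the window before it counts as a burst

# Constructed sample log, not real data: "<timestamp> <user> <push_result>".
# alice is bombarded at 2 AM and finally approves; bob shows normal use.
SAMPLE_LOG = """\
2024-03-01T02:01:10Z alice denied
2024-03-01T02:01:55Z alice timeout
2024-03-01T02:02:40Z alice denied
2024-03-01T02:03:20Z alice timeout
2024-03-01T02:04:05Z alice denied
2024-03-01T02:04:50Z alice approved
2024-03-01T09:15:00Z bob approved
2024-03-01T17:30:00Z bob approved
"""

def parse(log_text):
    """Turn the log into (timestamp, user, result) tuples in time order."""
    events = []
    for line in log_text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return sorted(events)

def find_push_bombing(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {user: severity}. 'burst' means too many prompts in the window;
    'approved_after_burst' means the user approved one during such a burst."""
    recent = defaultdict(deque)   # user -> prompt timestamps still inside the window
    findings = {}
    for ts, user, result in parse(log_text):
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop prompts older than the window
            q.popleft()
        if len(q) >= threshold:
            # An approval at the tail of a burst is the outcome MFA fatigue aims for
            severity = "approved_after_burst" if result == "approved" else "burst"
            if findings.get(user) != "approved_after_burst":
                findings[user] = severity
    return findings

if __name__ == "__main__":
    print(find_push_bombing(SAMPLE_LOG))   # {'alice': 'approved_after_burst'}
```

An "approved_after_burst" finding is the one to treat as a probable compromise: revoke that user's sessions and reset the password rather than just sending a warning.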

SIM Swapping

SIM swapping targets SMS-based MFA specifically. The attacker contacts the victim’s mobile carrier, impersonates them using personal information gathered from social media or data brokers, and convinces the carrier to transfer the victim’s phone number to a SIM card the attacker controls. Once the transfer completes, the attacker receives all SMS messages sent to that number, including MFA codes.

This attack has been used to compromise email accounts, banking accounts, and cryptocurrency wallets. It is particularly effective against small business owners whose personal phone numbers are tied to business accounts. The attack does not require any technical sophistication on the attacker’s part, just social engineering skills and a willingness to call a phone carrier.

The defense is to stop using SMS for MFA wherever possible. Authenticator apps like Microsoft Authenticator, Google Authenticator, or Authy generate codes locally on the device and are not vulnerable to SIM swapping. Hardware security keys like YubiKeys are even stronger. If your organization is still using SMS codes as the second factor, migrating to app-based or hardware-based MFA should be a priority. For critical accounts like domain registrars, banking, and admin consoles, hardware keys are worth the investment.

Session Hijacking and Token Theft

This is the bypass that catches most people off guard because it makes MFA irrelevant after the fact. When you log into a service and complete MFA, the service issues a session token, a small piece of data stored in your browser that proves you have already authenticated. For as long as that token is valid, you do not need to enter your password or complete MFA again. That is why you can close your browser, reopen it, and still be logged into your email without re-authenticating.

Attackers who steal that session token can import it into their own browser and assume your authenticated session. From the service’s perspective, the attacker is you. They have already passed MFA. They have full access to whatever that session grants.

Session tokens get stolen through adversary-in-the-middle (AiTM) phishing attacks, where the victim clicks a phishing link that proxies them through the attacker’s server to the real login page. The victim enters their credentials and completes MFA normally, but the attacker’s proxy captures the session token that the real service issues. The victim sees a normal login experience. The attacker walks away with a fully authenticated session.

This attack pattern has been documented extensively against Microsoft 365 environments. The phishing page looks identical to the real Microsoft login page because it is the real login page, just proxied through the attacker’s infrastructure. Traditional phishing training that tells employees to “check the URL” is less effective here because the victim does interact with the real service.

Defending against token theft requires controls beyond MFA. Conditional access policies that bind sessions to specific devices or IP ranges can limit the usefulness of a stolen token. Reducing session token lifetimes forces more frequent re-authentication, which shortens the window an attacker can exploit. Continuous access evaluation, available in Microsoft Entra ID, can revoke tokens in near real-time when risk conditions change. These are configuration changes, not new products, but they require Microsoft 365 Business Premium licensing. Most small businesses on Business Basic or Standard do not have access to conditional access policies at all.
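To make the two cheaper controls concrete, here is an added example (not code from the original post, from Sequentur, or from Microsoft) of a server-side session token that is bound to the device and IP seen at login and that carries a short expiry. The key, the token layout and the 15-minute lifetime are assumptions; the point is that the same token replayed from a different device fails the binding check even though MFA was completed when it was issued.

```python
import base64, hashlib, hmac, json, time

# Assumed server-side signing key; in a real deployment this lives in a key store.
SERVER_KEY = b"constructed-demo-key-not-for-production"
TOKEN_LIFETIME = 15 * 60   # seconds; a short lifetime shrinks the replay window

def _fingerprint(device_id, client_ip):
    # The binding: a hash of attributes the legitimate client presents on every request.
    return hashlib.sha256(f"{device_id}|{client_ip}".encode()).hexdigest()

def issue_token(user, device_id, client_ip, now=None):
    """Issue a token after password + MFA succeeded, bound to device and IP."""
    now = time.time() if now is None else now
    payload = {"sub": user,
               "bind": _fingerprint(device_id, client_ip),
               "exp": int(now + TOKEN_LIFETIME)}
    body = base64.urlsafe_b64encode(json.dumps(payload).encode())
    sig = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig

def check_token(token, device_id, client_ip, now=None):
    """Return (ok, reason). Rejects tampering, expiry, and use from another device/IP."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad_signature"
    payload = json.loads(base64.urlsafe_b64decode(body))
    if now > payload["exp"]:
        return False, "expired"
    if payload["bind"] != _fingerprint(device_id, client_ip):
        return False, "binding_mismatch"   # token replayed from a different browser/network
    return True, "ok"

if __name__ == "__main__":
    tok = issue_token("alice", "laptop-123", "203.0.113.5")
    print(check_token(tok, "laptop-123", "203.0.113.5"))    # (True, 'ok')
    print(check_token(tok, "attacker-vm", "198.51.100.9"))  # (False, 'binding_mismatch')
```

Binding to the client IP trips on NAT and mobile networks, which is why Entra ID conditional access leans on device identity and compliance state; device binding alone is the more usable choice for a workforce that roams.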

MFA Does Not Stop Lateral Movement

Here is the gap that matters most and gets discussed the least. MFA protects the front door, the initial login to a cloud service, a VPN, or a remote desktop session. But once an attacker is inside your network, MFA is largely out of the picture.

Internal systems in most small business environments do not require MFA for machine-to-machine access. If an attacker compromises one workstation through malware or a phishing attack, they can move laterally to other machines on the network using stolen credentials, pass-the-hash techniques, or legitimate admin tools like PowerShell and Remote Desktop. None of these lateral movements triggers an MFA prompt.

An attacker who gains access to a single endpoint can enumerate your Active Directory to find admin accounts, access file shares to steal data, move to servers to escalate privileges, and eventually reach your domain controller or backup systems. All of this happens inside your network perimeter, where MFA is not enforced.

This is the stage of an attack where Managed Detection and Response (MDR) becomes critical. MDR monitors for exactly these behaviors: unusual login patterns between machines, privilege escalation, access to sensitive resources from unexpected sources, and movement that deviates from normal baselines. MFA cannot see any of this. MDR can.

What Layered Security Actually Looks Like

The security industry uses the term “defense in depth” or “layered security” constantly, but it often comes across as a vague concept rather than a practical plan. Here is what it looks like in concrete terms for a small business that already has MFA enabled.

Endpoint Detection and Response (EDR) on every device. EDR watches what happens on each machine: processes running, files being modified, network connections being made. It flags behavior that looks malicious. If an attacker lands on a workstation and starts running reconnaissance commands, EDR catches it. MFA does not see it because the attacker is already past the login.

Email security beyond basic spam filtering. Advanced email protection scans links and attachments in real time, detects impersonation attempts, and can identify AiTM phishing pages that proxy through to real login services. Since phishing is still the most common way attackers get credentials in the first place, stronger email filtering reduces the number of attacks that reach the MFA stage at all.

Conditional access policies that restrict where and how logins can happen. You can require that logins to sensitive services only come from managed devices, from specific geographic locations, or from IP ranges you control. A stolen session token from a phishing attack becomes useless if the attacker’s device and location do not match your policies.

Network segmentation so that a compromised workstation cannot reach everything. If your accounting team’s machines are on the same network segment as your servers with no restrictions between them, one compromised laptop gives an attacker access to your financial data. Segmentation limits the blast radius of any single compromise.

Privileged access management to control who has admin rights and when. Most employees do not need admin access to do their jobs. Admin accounts should be separate from daily-use accounts, require additional authentication, and be monitored for unusual activity. The principle of least privilege, giving users only the access they need and nothing more, significantly reduces the damage an attacker can do with any single compromised account.

Security awareness training that goes beyond annual compliance checkboxes. That means regular phishing simulations, focused sessions on current attack techniques like MFA fatigue and AiTM phishing, and a culture where employees feel comfortable reporting suspicious activity without fear of blame. Training does not stop every attack, but it reduces the success rate of the ones that rely on human interaction.

24/7 monitoring and response to catch what the tools detect. All of the layers above generate data and alerts. Tools like SIEM can correlate those alerts across systems, but without someone watching and acting on those alerts, they are just noise. This is where a managed security provider fits into the picture, not as a replacement for the other layers, but as the team that ties them together and responds when something fires.

The Right Way to Think About MFA

MFA is not failing. It is doing exactly what it was designed to do, which is block unauthorized logins using stolen credentials. The mistake is treating it as a complete security strategy when it is actually one control in a stack that needs several others to be effective.

Think of MFA as a seatbelt. Seatbelts save lives every day. Nobody would argue against wearing one. But you would not drive without brakes, airbags, or mirrors just because you had a seatbelt on. Each control addresses a different failure scenario. MFA stops credential theft from turning into account compromise. EDR stops malware from turning into a network-wide incident. Monitoring stops a quiet intrusion from turning into a catastrophic breach. You need all of them working together.

If your business has MFA enabled and you are wondering what the next step is, the answer depends on where your biggest gaps are. For most small businesses, the highest-impact next moves are deploying EDR on all endpoints, enabling conditional access policies in your cloud environment, and getting some form of monitoring in place so that when something gets past MFA, someone notices before the damage is done.

Sequentur helps small and mid-sized businesses build layered security that goes beyond MFA without overcomplicating the environment. If you are trying to figure out what comes next after MFA, you can reach us through our contact page to walk through your current setup.
