Multi-Factor Authentication (MFA) for Melbourne Businesses

Multi-factor authentication (MFA) requires users to verify their identity using two or more factors: something they know (password), something they have (phone or hardware token), or something they are (biometric). Even if an attacker obtains a user's password through phishing or a data breach, they cannot sign in without the second factor. Microsoft reports that MFA blocks 99.9% of automated account compromise attacks. For Melbourne businesses, enforcing MFA across all accounts is the single most impactful security control available.

We recommend Microsoft Authenticator app for most Melbourne business users — it supports push notifications with number matching, passwordless authentication, and is free to deploy. For privileged administrator accounts, we recommend FIDO2 hardware security keys (YubiKey) — phishing-resistant MFA that cannot be compromised by MFA fatigue attacks. SMS-based MFA (one-time codes via text message) is the weakest option and is susceptible to SIM-swapping attacks — we move clients away from SMS where possible.

This is a common objection. We address it in two ways: first, the Microsoft Authenticator app does not give employers access to the personal phone — it only receives push notifications. Second, for staff strongly opposed to using a personal device, we recommend a dedicated low-cost Android device provided by the business as an MFA device. The business policy should be clear that MFA is non-negotiable — exceptions create exactly the gaps attackers exploit.

Standard push-notification MFA can be bypassed by MFA fatigue attacks (repeatedly sending push requests until a tired or frustrated user approves one) and by adversary-in-the-middle phishing tools that capture session cookies. We mitigate both: number matching in Microsoft Authenticator prevents approval of push requests without verifying a displayed number; phishing-resistant FIDO2 keys are immune to adversary-in-the-middle attacks. For most Melbourne businesses, MFA with number matching provides sufficient protection against realistic threats.

Shared accounts present a specific challenge for MFA — if multiple people use one account, who owns the MFA device? Our recommendation is to eliminate shared accounts where possible by creating individual accounts for each user. Where shared accounts cannot be eliminated (reception desks, shared service accounts), we implement workstation-based conditional access — authentication is automatically trusted from specific enrolled devices, with MFA required from any unrecognised location.

For a Melbourne business of 10-50 users on Microsoft 365, MFA implementation typically takes 2-3 weeks — including user communication, registration period, Conditional Access policy configuration, testing, and enforcement. We never flip MFA on without warning — we communicate to staff in advance, provide registration instructions, allow a two-week registration period, then enforce. Emergency MFA implementation (in response to an active incident) can be completed within 24 hours.

For businesses already on Microsoft 365, most of the MFA capability is included in your existing licensing — the cost is the implementation and ongoing management, not additional licensing. We price MFA implementation as a fixed-fee project based on user count and application scope. Ongoing managed MFA (covering compliance reporting, new user onboarding, policy maintenance, and access reviews) is included in our managed IT and managed security programmes. Standalone MFA management is available as a per-seat monthly service.

Microsoft Entra ID (formerly Azure AD) supports single sign-on (SSO) integration with thousands of SaaS applications — MYOB, Xero, Salesforce, HubSpot, practice management platforms, and more. Once a user authenticates to Entra ID with MFA, SSO carries that authentication to integrated applications without requiring repeated MFA prompts. For applications that do not support SSO, we implement per-application MFA using Microsoft Authenticator or a third-party identity provider. The goal is comprehensive MFA coverage across every application without creating an unusable daily experience for staff.

Post-deployment, we monitor Microsoft Entra ID sign-in logs for suspicious authentication events — sign-ins from unexpected countries, impossible travel (two sign-ins from different continents within an hour), MFA approval of push requests followed by unusual activity, and accounts with failed MFA attempts indicating a credential stuffing attack. Monthly MFA compliance reports show coverage across all accounts, any accounts added since the last report, and any conditional access policy exceptions. Anomalies are investigated and escalated according to our incident response process.

Healthcare providers accessing My Health Records are required under the My Health Records Act to implement reasonable security measures — and MFA for systems containing patient data is explicitly referenced in the ADHA security requirements. For practices using clinical software with cloud access (Best Practice, Medical Director, Genie), we implement MFA at the identity provider level and review whether the clinical software vendor supports SSO or direct MFA integration. For staff accessing Medicare and DVA portals, we configure separate authentication controls appropriate for government portal access.