For many UK small and medium-sized businesses, multi-factor authentication (MFA) is now considered “basic security hygiene.” It’s often implemented quickly, ticked off during compliance checks, and assumed to be sufficient protection against account compromise. But in 2025, simply enabling MFA is no longer enough.
Cybercriminals have adapted. Phishing attacks bypass weak MFA implementations, push-notification fatigue tricks users into approving logins, and stolen credentials are replayed against cloud services at scale. The result? Businesses that technically “have MFA” are still being breached.
Why MFA Became Non-Negotiable
The majority of modern cyber incidents no longer start with malware; they start with compromised credentials. The Verizon 2024 Data Breach Investigations Report found that over 80% of breaches involve stolen credentials or phishing-based access.
Passwords alone are no longer a reliable defence. They are reused, guessed, phished, or leaked in breaches beyond your control. MFA works because it introduces an additional verification factor, something you have or are, making stolen passwords far less useful to attackers. Microsoft reports that MFA can block more than 99% of automated account compromise attacks when implemented correctly.
Why “Basic MFA” Is Now Insufficient
While MFA dramatically improves security, not all MFA is equal. Many SMBs deploy MFA in its weakest form and assume they are protected. In reality, attackers have adapted to these implementations.
Push-Based MFA Abuse
Attackers trigger repeated login attempts until a user eventually taps “Approve” out of habit or frustration. This technique, often called MFA fatigue, has been used successfully against organisations of all sizes.
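The pattern described above is visible in push-MFA logs as a burst of denied or timed-out prompts followed by an approval. The detection below is an added example (not code from the original article); the log events are constructed, and the window and threshold are assumptions a team would tune to its own identity provider.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of push-MFA events (not real logs): user, timestamp, outcome, source IP.
SAMPLE_EVENTS = [
    ("alice", "2025-03-04T02:10:05", "denied",   "203.0.113.7"),
    ("alice", "2025-03-04T02:10:41", "timeout",  "203.0.113.7"),
    ("alice", "2025-03-04T02:11:20", "denied",   "203.0.113.7"),
    ("alice", "2025-03-04T02:12:02", "denied",   "203.0.113.7"),
    ("alice", "2025-03-04T02:12:55", "approved", "203.0.113.7"),
    ("bob",   "2025-03-04T09:00:00", "approved", "198.51.100.2"),
    ("bob",   "2025-03-04T17:30:00", "approved", "198.51.100.2"),
]


def detect_mfa_fatigue(events, window_minutes=10, min_rejections=3):
    """Return alerts for users whose push prompts look like MFA fatigue: at least
    `min_rejections` denied/timed-out prompts inside the window immediately
    before an approval. Thresholds are assumed values, not vendor defaults."""
    by_user = defaultdict(list)
    for user, ts, outcome, ip in events:
        by_user[user].append((datetime.fromisoformat(ts), outcome, ip))

    window = timedelta(minutes=window_minutes)
    alerts = []
    for user, evs in by_user.items():
        evs.sort()  # chronological order per user
        for i, (t_approve, outcome, ip) in enumerate(evs):
            if outcome != "approved":
                continue
            # Only prompts that were rejected/ignored shortly before this approval count.
            rejected = [e for e in evs[:i]
                        if e[1] in ("denied", "timeout") and t_approve - e[0] <= window]
            if len(rejected) >= min_rejections:
                alerts.append({
                    "user": user,
                    "approved_at": t_approve.isoformat(),
                    "rejections_before": len(rejected),
                    "source_ip": ip,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An alert like this is a trigger to revoke the session, reset the factor and contact the user, not just a log line.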
SMS-Based MFA Weaknesses
SMS codes are vulnerable to SIM-swap attacks and interception. The UK National Cyber Security Centre (NCSC) explicitly warns against relying on SMS as a primary MFA factor for sensitive systems.
MFA Without Context
If MFA does not consider device trust, location, behaviour, or risk level, attackers can still succeed using valid credentials from unusual locations or unmanaged devices. This is why identity-based security has replaced device-only protection.
Identity Is Now the Real Security Perimeter
Traditional security assumed users and devices inside the network were trustworthy. That assumption no longer holds in a world of cloud apps, remote work, and personal devices.
The Zero Trust security model, endorsed by the UK Government and NCSC, assumes breach and verifies every access attempt. NCSC guidance emphasises identity assurance, conditional access, and least privilege as core principles. MFA is a foundational element of Zero Trust, but only when implemented with intelligence and context.
What “MFA Done Properly” Looks Like for SMBs
Proper MFA is not about adding friction — it’s about reducing risk without slowing the business.
1. Use Strong MFA Methods
Best-practice methods include:
- Authenticator apps (time-based or number-matching)
- Hardware security keys (FIDO2 / passkeys)
- Passwordless authentication where possible
These methods are resistant to phishing and replay attacks.
2. Combine MFA With Conditional Access
Modern MFA should adapt based on:
- Device health and compliance
- Geographic location
- Time of access
- User behaviour patterns
Microsoft’s Zero Trust deployment guidance highlights conditional access as essential to preventing MFA bypass.
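To make the four signals above concrete, here is an added example (not code from the article or from any vendor's product) of a small conditional-access evaluator: an ordered set of hypothetical rules that map device compliance, location, time of access and the user's usual locations to a decision. The rule set, working hours and outcome names are assumptions for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class SignIn:
    user: str
    privileged: bool          # admin / high-value account
    device_compliant: bool    # managed and meets the device-health policy
    country: str              # country resolved from the source IP
    hour: int                 # local hour of the attempt, 0-23
    usual_countries: set = field(default_factory=set)  # user's recent sign-in history


def evaluate(s: SignIn):
    """Hypothetical policy, first matching rule wins.
    Outcomes: "block", "require_phishing_resistant" (FIDO2 key / passkey),
    or "require_mfa" (baseline: every sign-in still gets a second factor)."""
    reasons = []
    unusual_location = s.country not in s.usual_countries
    out_of_hours = s.hour < 7 or s.hour > 20     # assumed working hours 07:00-20:00
    if unusual_location:
        reasons.append("location not in user's history")
    if out_of_hours:
        reasons.append("outside working hours")
    if not s.device_compliant:
        reasons.append("device not compliant")

    # Privileged identities: never from an unmanaged device, always phishing-resistant MFA.
    if s.privileged and not s.device_compliant:
        return "block", reasons
    if s.privileged:
        return "require_phishing_resistant", ["privileged account"] + reasons
    # Unmanaged device plus unfamiliar location: a push prompt is not enough protection.
    if not s.device_compliant and unusual_location:
        return "block", reasons
    # Any single risk signal steps up to a phishing-resistant factor.
    if reasons:
        return "require_phishing_resistant", reasons
    return "require_mfa", ["no risk signals"]
```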

3. Protect Privileged Accounts First
Administrative accounts should always use:
- Strong MFA
- Dedicated devices
- Separate credentials from daily user accounts
The NCSC recommends tiered access and additional protections for privileged identities.
4. Train Users on MFA Awareness
Technology alone is not enough. Users should understand:
- Why MFA prompts appear
- When to reject unexpected requests
- How to report suspicious login activity
Human behaviour remains a critical factor in security resilience.
Why MFA Alone Is Still Not Enough
Even well-implemented MFA is only one layer.
Attackers who gain access can still:
- Abuse legitimate permissions
- Move laterally between systems
- Exfiltrate data using approved tools
This is why MFA must sit within a layered security model, alongside:
- Endpoint protection
- Identity governance
- Network segmentation
- Continuous monitoring
The UK Government’s Cyber Security Breaches Survey consistently shows that layered controls reduce breach impact.

MFA Is the Starting Line, Not the Finish
Multi-factor authentication is no longer optional. But in 2025, implementing MFA poorly can create a false sense of security.
For UK SMBs, the goal is not to “add MFA”; it is to:
- Protect identities intelligently
- Reduce reliance on passwords
- Adapt access controls to risk
- Build resilience through layered defence
At I-Net Software Solutions, we help UK SMBs design identity-first security strategies, from MFA configuration and Zero Trust access controls to full security readiness assessments.
If you’re unsure whether your current MFA setup is actually protecting you, we offer a Security & Identity Readiness Assessment to identify gaps and recommend practical improvements.