The MFA Myth: Why It’s Not Enough (Unless You Do It Right)

You’ve got MFA? Awesome.

But here’s the thing… if it’s just SMS-based or full of exceptions, it’s like locking your front door but leaving the windows wide open.

Let me explain.

🧠 What Most Business Owners Think

Multi-Factor Authentication (MFA) is one of the most recommended security tools out there—and for good reason. It adds a second layer of protection beyond just a password.

But here’s where things go sideways:
Most businesses think they’re protected because MFA is “on.”
In reality, it’s often misconfigured, outdated, or easily bypassed.

🕵️‍♂️ Real-World Scenario: The MFA That Didn’t Work

This scenario happens far too often. You log into your Microsoft 365 account, the one you bought through GoDaddy because it was easy to set up. Later, you notice that something is not right. You can’t say what, but it is rather strange. It turns out that your account had been accessed from overseas, even though MFA was enabled. What!?

How?

Turns out, your account was using SMS-based MFA.
The attacker intercepted the text message using a SIM swap. No wonder you were not getting any messages or calls.
No alerts. No warnings. Just a clean login.

And because you are limited in what you can do through the GoDaddy tenant, even though you had MFA, the attacker spoofed a location and walked right in.

⚠️ Common MFA Mistakes We See

Let’s break down the usual suspects:

  1. SMS-based MFA
     - Easy to intercept. Vulnerable to SIM swaps and phishing.
  2. Trusted location exclusions
     - “We don’t prompt MFA in the office.”
     - Problem: attackers spoof IPs or use VPNs to mimic trusted locations.
  3. Legacy authentication still enabled
     - Old protocols like IMAP and POP don’t support MFA.
     - If they’re still active, attackers can bypass MFA entirely.
  4. Static groups for MFA enforcement
     - “Only this group gets MFA.”
     - What if someone forgets to add a new user to the group?

🛡️ What You Can Do (Even If You’re Not Technical)

You don’t need to be an IT expert to fix this. You just need to ask the right questions.

Start here:

“Are we using modern MFA with number matching—and is it enforced for everyone, everywhere?”

If your IT team hesitates or says “we’re working on it,” it’s time to dig deeper.

✅ Quick Fixes You Can Ask For:

  1. Switch to Microsoft Authenticator with number matching
     - It’s phishing-resistant and much harder to spoof.
  2. Remove location-based MFA exclusions
     - MFA should apply everywhere, even in the office.
  3. Block legacy authentication protocols
     - Disable IMAP, POP, and SMTP unless absolutely necessary.
  4. Use Conditional Access for all users and all apps
     - Don’t rely on static groups. Make it universal.
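If your IT team wants to check the four fixes above against what is actually configured, here is an added example (not part of the original post) that reads the tenant’s Conditional Access policies with the Microsoft Graph PowerShell SDK and warns about each gap. It assumes the Microsoft.Graph module is installed and the signed-in account has the Policy.Read.All permission; the policy property names are the standard Graph ones.

```powershell
# Added example, not from the original post: audit Conditional Access policies
# for the four MFA gaps described above. Assumes the Microsoft.Graph PowerShell
# SDK is installed and the account can read policies (Policy.Read.All).
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome
$policies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -eq "enabled" }

# Fix 4: is there an enforced MFA policy that covers every user and every app?
$universalMfa = $policies | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains "All" -and
    $_.Conditions.Applications.IncludeApplications -contains "All" -and
    ($_.GrantControls.BuiltInControls -contains "mfa" -or
     $null -ne $_.GrantControls.AuthenticationStrength.Id)
}
if (-not $universalMfa) {
    Write-Warning "No enabled policy requires MFA for all users and all apps (static groups or partial scope)."
}

foreach ($p in $universalMfa) {
    # Fix 2: a 'trusted location' carve-out means MFA is not enforced everywhere.
    if ($p.Conditions.Locations.ExcludeLocations) {
        Write-Warning "'$($p.DisplayName)' excludes locations: $($p.Conditions.Locations.ExcludeLocations -join ', ')"
    }
    if ($p.Conditions.Users.ExcludeUsers -or $p.Conditions.Users.ExcludeGroups) {
        Write-Warning "'$($p.DisplayName)' excludes specific users or groups from MFA."
    }
    # Fix 1: plain 'mfa' is satisfied by SMS; an authentication strength can
    # restrict the allowed methods to phishing-resistant ones.
    if (-not $p.GrantControls.AuthenticationStrength.Id) {
        Write-Warning "'$($p.DisplayName)' requires generic MFA, so SMS still counts. Consider an authentication strength."
    }
}

# Fix 3: is legacy authentication (IMAP/POP/SMTP basic auth) blocked for everyone?
$legacyBlock = $policies | Where-Object {
    $_.GrantControls.BuiltInControls -contains "block" -and
    $_.Conditions.ClientAppTypes -contains "exchangeActiveSync" -and
    $_.Conditions.ClientAppTypes -contains "other" -and
    $_.Conditions.Users.IncludeUsers -contains "All"
}
if (-not $legacyBlock) {
    Write-Warning "No enabled policy blocks legacy authentication clients for all users."
}
```

A clean run prints no warnings; each warning maps directly to one of the four quick fixes so it can be handed to whoever manages the tenant.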

🧠 Analogy Time: MFA = A Lock, But Not All Locks Are Equal

Think of MFA like a lock on your front door.
Some locks are pickable. Some are childproof. Some are biometric.

SMS-based MFA? That’s the flimsy lock from the dollar store.
Number matching with Microsoft Authenticator? That’s the smart lock with facial recognition.

🚀 Coming Up Next…

In the next post, we’ll dive into OAuth apps—those sneaky little pop-ups that say “Approve to continue.” You’ll learn how attackers use them to steal data and what you can do to stop it.

👣 Your Action Step Today

✅ Ask your IT team:
“Are we using Microsoft Authenticator with number matching—and is MFA enforced for everyone, with no location exclusions?”

If the answer is “not yet,” don’t worry. You’re ahead of the curve just by asking.

Want help reviewing your MFA setup?
We’ll walk through it with you—no jargon, no judgment, just clarity.