
Attackers Don't Break In Anymore — They Log In. Please Use MFA.

June 10, 2026 · Confidanti

  • mfa
  • credentials
  • basics
  • identity

If you only do one thing for your company's security this month, make it this: turn on multi-factor authentication, everywhere, for everyone.

That advice sounds almost too simple. But the way businesses get compromised has changed, and MFA is the single control that best matches how attacks actually work today.

Attackers log in. They don't break in.

The image most of us carry of a "hack" — someone in a dark room exploiting a flaw in a firewall — is increasingly out of date. CrowdStrike's 2026 Global Threat Report puts it plainly: adversaries are no longer "breaking in" — they're logging in. In CrowdStrike's data, 82% of detected intrusions were malware-free: no virus, no suspicious attachment, nothing for a traditional antivirus to catch. The attacker simply signed in with a real username and a real password, and from the system's point of view, looked like an employee.

Where do those passwords come from? Everywhere, unfortunately:

  • Phishing. An email that looks like Microsoft, Google, or your bank asks an employee to "confirm their login." Many of these are now AI-generated — fluent, personalized, and free of the spelling mistakes we were all taught to look for.
  • Infostealer malware. A small program, often picked up from a fake download or a malicious ad, that quietly copies every password saved in the browser and ships it to a marketplace where criminals buy credentials in bulk.
  • Other people's breaches. When an unrelated website leaks its user database, attackers take those email-and-password pairs and try them on business email, banking, and admin panels — because people reuse passwords. It works far more often than it should.

Here's the planning assumption we recommend to every business we work with: some of your company's passwords are already out there. Not because your team did anything wrong — because leaks are a constant background condition of operating online in 2026. The question isn't whether a password will leak. It's whether a leaked password is enough to get in.

MFA makes a stolen password not enough

Multi-factor authentication adds a second proof of identity to the login: a prompt on the employee's phone, a code from an authenticator app, or a passkey stored on the device. The password alone stops being the key to the building.

This is not a marginal improvement. A study by Microsoft based on real-world attack data from its identity platform found that enabling MFA blocks over 99% of account-compromise attacks. Microsoft's own incident data backs it from the other direction: the overwhelming majority of accounts that do get compromised didn't have MFA turned on.

Very few security measures offer that ratio of protection to effort. MFA is built into the tools you already pay for — Google Workspace, Microsoft 365, your bank, your accounting software. Turning it on costs nothing but a short rollout.

How to roll it out in a small business (this week, not this quarter)

You don't need a project plan. You need an afternoon of admin work and one clear message to the team.

1. Start where the damage is highest: email. Email is the master key to everything else — password resets for every other service land there. Enforce MFA in Google Workspace or Microsoft 365 first.

2. Then protect the accounts that move money or hold data. Banking, payment processors, payroll, your accounting platform, customer databases, and any admin console (your website host, your domain registrar, your cloud provider).

3. Enforce it — don't suggest it. Both Google Workspace and Microsoft 365 let administrators require MFA for every user. An optional rollout reliably converges to "the owner and the IT person have it, nobody else does." Set a deadline, require it, and help stragglers in person.

4. Prefer app-based codes or passkeys over SMS. Text-message codes are better than nothing, but they can be intercepted. An authenticator app (free: Google Authenticator, Microsoft Authenticator) is stronger. Passkeys — now supported by Google, Microsoft, and Apple — are stronger still and remove the code-typing step entirely.

5. Save the recovery codes. When someone loses a phone, recovery codes are the difference between a five-minute fix and a locked-out employee. Store them somewhere safe and central — a password manager works well.

6. Brief the team on one new trick: prompt bombing. Attackers who have a stolen password sometimes trigger MFA prompts repeatedly, hoping someone taps "Approve" just to make the buzzing stop. The rule to teach: if you didn't just try to log in, never approve — and tell IT. If your platform offers number matching (typing a displayed number instead of tapping approve), turn it on.

Honest fine print: MFA is the first layer, not the only one

We'd be overselling if we told you MFA ends the conversation. Determined attackers have answers to it — phishing pages that relay the one-time code in real time, the prompt-bombing trick above, malware that steals an already-logged-in session. That's exactly why modern security thinking talks about layers: reduce what's exposed to the internet, train people on the tricks aimed at them, and watch for the unusual login that slips through.
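As an added example that is not part of the original article: a small Python script that turns two of the points above into concrete checks on sign-in logs. It lists accounts that still signed in without MFA (the stragglers from step 3) and flags prompt-bombing bursts (the trick from step 6), which is one form of the "unusual login" worth watching for. The record layout, field names and sample events are constructed assumptions; a real identity platform's sign-in export uses its own field names, so map them before running this on live data.

```python
"""Two MFA-related checks over sign-in log records (constructed sample data).

This is an added illustration, not code from Confidanti or from any identity
platform. The record format is an assumption: a simplified sign-in event with
user, UTC timestamp, overall result and MFA outcome. Adapt the field names to
whatever your platform exports.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# MFA outcomes that mean a challenge was sent but not approved by the user.
UNAPPROVED = {"denied", "timeout"}

# Constructed sample events (not real data). "not_required" means the sign-in
# succeeded without any MFA policy applying to the account.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "ts": "2026-06-10T08:00:00", "result": "success", "mfa": "satisfied"},
    {"user": "bob@example.com",   "ts": "2026-06-10T08:05:00", "result": "success", "mfa": "not_required"},
    {"user": "erin@example.com",  "ts": "2026-06-10T08:07:00", "result": "failure", "mfa": "not_attempted"},
    # carol: six unapproved prompts in seven minutes (prompt-bombing pattern)
    {"user": "carol@example.com", "ts": "2026-06-10T08:10:00", "result": "failure", "mfa": "denied"},
    {"user": "carol@example.com", "ts": "2026-06-10T08:11:00", "result": "failure", "mfa": "timeout"},
    {"user": "carol@example.com", "ts": "2026-06-10T08:12:00", "result": "failure", "mfa": "denied"},
    {"user": "carol@example.com", "ts": "2026-06-10T08:13:00", "result": "failure", "mfa": "timeout"},
    {"user": "carol@example.com", "ts": "2026-06-10T08:15:00", "result": "failure", "mfa": "denied"},
    {"user": "carol@example.com", "ts": "2026-06-10T08:17:00", "result": "failure", "mfa": "denied"},
    # dave: two unapproved prompts hours apart (normal noise, not a burst)
    {"user": "dave@example.com",  "ts": "2026-06-10T09:00:00", "result": "failure", "mfa": "denied"},
    {"user": "dave@example.com",  "ts": "2026-06-10T11:00:00", "result": "failure", "mfa": "timeout"},
    {"user": "erin@example.com",  "ts": "2026-06-10T11:30:00", "result": "success", "mfa": "satisfied"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the constructed records."""
    return datetime.fromisoformat(value)


def users_without_mfa(events):
    """Accounts that completed a sign-in with no MFA policy applied.

    These are the accounts MFA enforcement has not reached yet.
    """
    return {
        e["user"]
        for e in events
        if e["result"] == "success" and e["mfa"] == "not_required"
    }


def prompt_bombing_bursts(events, window_minutes=10, threshold=5):
    """Users who received `threshold` or more unapproved MFA prompts within
    any sliding window of `window_minutes`.

    Returns {user: largest_number_of_unapproved_prompts_in_one_window}.
    """
    per_user = defaultdict(list)
    for e in events:
        if e["mfa"] in UNAPPROVED:
            per_user[e["user"]].append(parse_ts(e["ts"]))

    window = timedelta(minutes=window_minutes)
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        best = 0
        # Two-pointer sweep: advance `start` until the window fits.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def report(events):
    """Combine both checks into one summary for review."""
    return {
        "signed_in_without_mfa": sorted(users_without_mfa(events)),
        "prompt_bombing": prompt_bombing_bursts(events),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The two thresholds (a ten-minute window and five unapproved prompts) are starting points, not platform defaults; tune them against a week of your own logs so that ordinary "oops, wrong phone" denials do not page anyone, while a cluster like the constructed `carol` sequence still does.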

But layers stack in order, and this is the bottom one. Every other defense works better when a stolen password isn't enough to walk in the front door. If your business hasn't enforced MFA yet, that's the move — this week.


Wondering whether your team would spot the phishing email that steals the password in the first place? Confidanti runs a free phishing test for growing businesses — no platform to install, no commitment.