How to choose the right MFA for your small business

TL;DR: How to right-size your MFA solution to do more with less.

Key takeaways include:

  • Understanding small business authentication and MFA factors
  • Considerations including ease of use, cost-efficiency, pros and cons 
  • Creating your MFA implementation plan

 

If you’re reading this, you know that when attackers get control of the right identity, they can break into a network, move laterally once inside, facilitate fraud, and extract sensitive data.

But according to a study by the Cyber Readiness Institute, 30% of small to medium businesses don’t understand multi-factor authentication (MFA) or its security benefits, and 54% had not implemented MFA of any kind. We believe part of that might be the challenge of too much choice. How do you assess your small business’s MFA needs, and how do you choose the right MFA solution?

We know the process can feel like wading through unexplored wilderness. So we made a guide. Right-sizing multi-factor authentication for small businesses adds a layer of much-needed protection — without much effort. This post will help you clarify your risks and needs and help you identify the right solution for your business.

 

Note: If you're already familiar with the MFA concepts here, we made a guide to help you stay on track with 8 Steps for Effectively Deploying MFA, or take an in-depth look at the implementation process with the MFA deployment guide.

 

MFA and SMB authentication

Multi-factor authentication is a layered security approach that requires two or more types of authentication proof before allowing access. Variations include two-factor authentication (2FA), which uses two factors, and adaptive MFA, a more frictionless, human-friendly form that only activates when an interaction is considered suspicious based on contextual and behavioral data. 

 

Types of MFA, what they are, and their pros and cons:

MFA
  • What it is: Authentication with two or more factors.
  • Pros and cons: More factors mean additional security layers. Depending on assurance level, additional factors may not necessarily add greater security than 2FA, and additional factors can create friction for legitimate users.

2FA (two-factor authentication)
  • What it is: A type of MFA that uses only two factors.
  • Pros and cons: Generally a password plus another factor. Can be less secure than MFA with more factors, unless the second factor is higher assurance.

Adaptive MFA
  • What it is: MFA that prompts for a higher-assurance factor when suspicious criteria have been met; for example, when the IP address attempting to authenticate is too far from the last login location to be explained by reasonable travel time.
  • Pros and cons: Higher degree of usability and a seamless user experience. Punishes bad actors without frustrating legitimate users.
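The impossible-travel signal described for adaptive MFA above, as an added Python illustration (not Okta's code or policy engine); the login coordinates, timestamps and the 900 km/h plausibility threshold are constructed assumptions:

```python
"""Adaptive-MFA signal: flag a login whose location is too far from the
previous login to be reachable in the elapsed time (impossible travel).

Added illustration, not Okta's implementation. The coordinates, the
timestamps and the 900 km/h plausibility threshold are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed: roughly airliner cruising speed


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime  # timezone-aware UTC timestamp
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = (sin(dlat / 2) ** 2
         + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def is_impossible_travel(prev: Login, cur: Login,
                         max_kmh: float = MAX_PLAUSIBLE_KMH) -> bool:
    """True when covering the distance between the two logins would need a
    speed above max_kmh, i.e. the same person could not plausibly be at both
    places. Out-of-order or simultaneous events count as impossible only if
    the locations differ."""
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:
        return distance > 0
    return distance / hours > max_kmh


def required_assurance(prev: Login, cur: Login) -> str:
    """Policy decision an adaptive-MFA engine would make on this signal:
    step up to a high-assurance factor, or let the standard policy apply."""
    return "high" if is_impossible_travel(prev, cur) else "standard"


# Constructed sample: New York, then London 45 minutes later, then Boston.
NYC = Login("alice", datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc), 40.71, -74.01)
LON = Login("alice", datetime(2024, 5, 1, 12, 45, tzinfo=timezone.utc), 51.51, -0.13)
BOS = Login("alice", datetime(2024, 5, 1, 18, 0, tzinfo=timezone.utc), 42.36, -71.06)
```

A real engine would combine this with other context (device posture, network reputation) rather than acting on distance alone.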

 

The importance of MFA for small business comes down to two things: bad actors really want your workforce’s identities, and accidents happen. 

Human error is the leading cause of data breaches for SMBs — but MFA doesn’t care whether employee credentials are leaked in a phishing expedition or compromised in a past breach. Unlike traditional password-only authentication, MFA prevents access to resources even when an attacker has the correct login credentials. They may have the right login password, but they probably don’t have the right cellphone, or smart ID card, or fingerprint. 

Authentication factors

Authentication factors are generally classified into three categories: 

  • Something you know (like a password or PIN)
  • Something you have (cellphone, YubiKey, etc.)
  • Something you inherently are (your fingerprint, FaceID, etc.) 

When designing a great MFA implementation plan for a small business, the recommended best practice is to use more than one type of factor. Asking for “something you know” and “something you have” will be harder to compromise than a login asking for two “something you know” factors. 

Every additional factor adds a layer of security, but authentication factors also have pros and cons. For instance, factors have different degrees of strength or assurance, and not every factor is resistant to phishing attempts. Another important balancing act will be building a login process that is secure without compromising on usability and productivity.
 

Note: For more info on assurance levels, check out the in-depth datasheet Factor Types and Authenticator Assurance Levels and the blog post Not All MFA is Created Equal.

 

Authenticators, their factor type, assurance level, pros, and cons:

Password
  • Type: Something you know
  • Assurance level: Low
  • Pros: Low-cost baseline security; easy to use and deploy; employees understand how passwords work
  • Cons: Vulnerable to data breaches and loss; major risk from social engineering and phishing; easy to forget or reuse

Security questions
  • Type: Something you know
  • Assurance level: Low
  • Pros: Low-cost baseline security; users are familiar with the process of answering security questions
  • Cons: Easy to forget answers; many questions are weak and easy to guess or discover; subject to social engineering/phishing

SMS, voice, or email one-time password (OTP)
  • Type: Something you have (cellphone, landline, email)
  • Assurance level: Low
  • Pros: Familiar experience for users; easy to deploy, as most individuals have a phone
  • Cons: Relies on the phone/internet service provider for security and is subject to social engineering (e.g. SIM swapping); may require using a personal device, which can't always be enforced; limited DMARC adoption means detecting email-based spoofing is difficult

Mobile/desktop one-time password (OTP) apps (e.g. Google Authenticator, Okta Verify OTP, Authy)
  • Type: Something you have (app)
  • Assurance level: Low
  • Pros: Low cost, and many users are able to install on a laptop or phone; crypto-based security; algorithmically generated
  • Cons: Limited protection against a stolen device; subject to real-time adversary-in-the-middle attacks

Physical OTP token (e.g. YubiKey, Symantec VIP)
  • Type: Something you have
  • Assurance level: Medium
  • Pros: Algorithmically generated; does not require internet/data to use; does not require a personal device
  • Cons: Higher deployment and provisioning costs, so orgs may not deploy to all users; subject to loss and may require a separate recovery option; many OTP tokens do not support biometrics

Mobile app push notifications (e.g. Okta Verify with Push)
  • Type: Something you have and something you are (fingerprint)
  • Assurance level: Medium
  • Pros: Low cost, and many users are able to install an app on a laptop or phone; algorithmically generated and not delivered over insecure channels; some apps support biometrics; user-friendly
  • Cons: May require using a personal mobile device; users may have privacy concerns, and it cannot be enforced in some regions; subject to man-in-the-middle and phishing attacks

Personal Identity Verification (PIV)/Common Access Card (CAC) smart cards
  • Type: Something you have and something you know (PIN)
  • Assurance level: High
  • Pros: Mature technology; extremely strong authentication level; phishing-resistant with built-in MFA (PIN required for access)
  • Cons: Needs a contact-based card reader; can be lost or stolen; not widely supported on mobile platforms; PIN resets can be painful

FIDO2 / WebAuthn and CTAP2 (e.g. Mac Touch ID, Android fingerprint, Windows Hello, YubiKey Bio)
  • Type: Something you have (hardware) and something you are
  • Assurance level: High
  • Pros: Phishing-resistant; supports both on-device biometrics and security keys; frictionless end-user experience; puts the organization on a path to passwordless; can reduce IT/support costs for factor enrollment and reset
  • Cons: Not yet widely adopted; may require purchasing new hardware; only applies to web-based authentication

Okta FastPass
  • Type: Something you have (app) and something you are
  • Assurance level: High
  • Pros: Phishing-resistant on all managed devices, and on macOS, Windows, and Android unmanaged devices; frictionless end-user experience; leverages device context to help admins make policy decisions based on device posture; can reduce IT/support costs for factor enrollment and reset
  • Cons: Not yet widely adopted; only applies to web-based authentication; not currently FIDO2 certified

 

Consider your SMB’s MFA needs 

Understanding your organization’s assets and security needs is fundamental when deciding what MFA factors are right for you. There’s rarely a one-size-fits-all solution for all situations, so SMBs should choose factors that solve a variety of scenarios. Begin by assessing what needs protection: sensitive private data, vital systems, intellectual property, and more.

Certain small business employees might need access to important source code or sensitive personal data. Those employees will need a stricter policy, or you might consider implementing MFA for sensitive actions within applications. This kind of fine-tuning can reduce risk, meet ongoing compliance requirements, and foster a good work experience while maintaining a high level of assurance. 

Along with access needs of different user roles, do you need to support workers remotely or on-premises? Remote or highly mobile workers may have internet access but little to no service from cell phone carriers (working off an airplane’s Wi-Fi or from a rural home, for example), so voice and SMS may not be reliable. Access needs don’t stop there: Hardware devices generating event-based or time-based OTPs or resource-heavy factors with long set-up times may not be ideal for short-term contractors and high-turnover roles. 

Generally speaking, provide users with multiple factor options so they always have a backup. Strive to enable strong, phishing-resistant factor types when feasible, use biometrics as a second factor where your hardware supports it, and for sensitive apps enforce high assurance and phishing-resistant authenticators as part of your MFA policies.

When considering authentication factors, ask…
  • Do I have high-assurance, phishing-resistant factors?
  • Am I using a mix of factor types to maximize security posture? 
  • Do my security factors adequately protect my employees and assets, whether remote, on-premises, or both?
  • Am I striking a good balance between usability and security? (If not, are options available to help increase usability, like Adaptive MFA or biometric authentication?)
  • Are the factors realistically deployable? Will the company need to purchase additional tech or invest significant time for implementation?

Choosing the right MFA for your SMB 

Easy, user-friendly solution

From a managerial perspective, is the solution easy to implement, easy to manage, and appealing to use? Will you need dedicated employees for upkeep and adjustments? Is it user-friendly enough that everyone will want to use it? When an employee loses an authenticator or has problems, can a fix be rolled out easily, with less work for IT and faster turnaround times for employees?

For your workforce: the best MFA solution in the world won’t function if it isn’t turned on, and the perceived additional work of MFA in the workplace can potentially lead to frustration and workarounds. Drops in productivity add unnecessary additional work for IT/cybersecurity — who, in true SMB fashion, are probably already wearing multiple hats. Does your MFA have options to boost user experience, like biometric logins or adaptive MFA?

And finally, user-friendly can apply to vendors, too. Is working and communicating with them generally easy or confusing? Do they have a record of fast, effective deployments with other customers? Do they have out-of-the-box options? Are they eager to help you find solutions if something goes wrong or you have questions?

Cost-effectiveness 

As a small business, you’re likely used to doing more with less. Your MFA solution should do the same. 

Just by implementing MFA, you’re better equipped to avoid losses from a data breach, fraud, and ransomware demands. But consider the total cost of ownership, upfront costs, and ongoing maintenance. Does the MFA vendor provide additional resources, how-tos, tech support, and help with implementation? Are they certified to provide high-assurance authenticator factors, like WebAuthn and CTAP2? Will an MFA solution be easy to use with current personnel, or will you need to hire a new technical role? Looking to the future, will your MFA solution easily scale with you as your business grows? Is it easy to integrate with legacy tech? 

Overall, think about value. A solid MFA solution provides additional security factors — a great one could also save you time and money by freeing up your IT resources while preventing fraud and launching you towards a Zero Trust business strategy, helping you stay ahead of compliance and new regulations, and delivering streamlined, role-based access for employees. 

Industry and compliance requirements 

After considering (and reconsidering) your MFA needs, providing for a variety of access needs, and planning for high assurance and phishing-resistant authenticators, you need to check compliance requirements. No matter what authentication assurance your industry requires, your vendor should have you covered. 

Many industries require multi-factor authentication for different user groups across employees and consumers. And some regulations even require specific authentication assurance levels.

Meet these requirements by choosing from a range of assurance factors — including knowledge factors, possession factors, inherence factors, and time-based factors — that comply with your industry requirements.

When considering MFA solutions for small businesses, ask…

  • Does the solution have passwordless options or adaptive MFA to reduce friction for users? 
  • Are there options for on-premises and web-based security?
  • Does the vendor have a history of high adoption rates and fast implementation in past workforce deployments? 
  • Is the solution easy to use? (Ready out-of-the-box, with no or low-code options, scalable, compatible with legacy tech?) 
  • Can you or IT enroll or reset MFA factors on the account yourself, saving time and money for your team? 
  • Does the MFA solution comply with business-critical compliance requirements?

MFA implementation plan 

Plan for remote SMB workers and lost devices 

Now that you understand the importance of MFA, let’s move on to how to implement it.

Onboarding and training should ideally be done in the office, but remote work brings other challenges for MFA deployment and troubleshooting. It’s best to enable factors that let users get up and running fast, like built-in biometrics or mobile web authenticators. For remote onboarding, consider virtual onboarding sessions. Bolstering security for remote cloud access is also critical.

Workplaces with BYOD policies have different security challenges. Device assurance policies create an additional layer of security on top of SMB authentication policy rules to validate devices in use, letting you check attributes like OS, encryption, and jailbreak/root detection as part of your organization’s policies. 

Company data downloaded to computers is also at risk. Require users to complete MFA challenges after they enter a password to unlock their machine, and educate workers on the importance of never leaving a device unlocked and unsupervised. A forgotten phone or a stolen work laptop can become an easy all-access pass if left unsecured. A procedure for lost devices should also be part of a comprehensive IT and cybersecurity playbook, and should result in additional security steps like closing current sessions, requiring the user to re-authenticate, disassociating the device from the user’s account and access rights, and remote wiping of corporate data (for company-owned devices).

Phase your deployment 

Complex deployments and policies can be tricky to get right, especially right away. Be prepared to track MFA effectiveness during deployment, and ready to refine and adjust policy based on the results. The first phase of deployment should include IT/Security, and from there you can expand to other user groups. 

Get comfortable with monitoring MFA functionality early — it will pay off during troubleshooting and adjusting configuration in the future. Try implementing a mechanism for user feedback: users might not take the time to provide a full written report, but an audit trail gives some visibility into their experiences. How many attempts did it take to enter their OTP? Did they give up, or get frustrated? Unexpected findings may indicate a misconfiguration, reveal an unexpected scenario that you hadn’t planned for, or give insight into gaps in workforce education.
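One way to pull the two questions above (attempts per OTP challenge, who gave up) out of an audit trail, as an added Python example that is not Okta's tooling; the JSON-lines event format, event names and sample records are constructed and are not Okta's System Log schema:

```python
"""Mine an MFA audit trail for the questions the post raises: how many
attempts a user needed to pass an OTP challenge, and who gave up.
Added example. The JSON-lines format and sample records are constructed
(not Okta's System Log schema).
"""
import json
from collections import defaultdict

# Constructed sample: one "mfa.challenge" per session, followed by zero or
# more "mfa.verify.fail" and at most one "mfa.verify.success".
SAMPLE_LOG = """
{"ts":"2024-05-01T09:00:01Z","user":"alice","session":"s1","event":"mfa.challenge","factor":"otp"}
{"ts":"2024-05-01T09:00:20Z","user":"alice","session":"s1","event":"mfa.verify.success","factor":"otp"}
{"ts":"2024-05-01T09:05:00Z","user":"bob","session":"s2","event":"mfa.challenge","factor":"otp"}
{"ts":"2024-05-01T09:05:30Z","user":"bob","session":"s2","event":"mfa.verify.fail","factor":"otp"}
{"ts":"2024-05-01T09:06:10Z","user":"bob","session":"s2","event":"mfa.verify.fail","factor":"otp"}
{"ts":"2024-05-01T09:07:00Z","user":"bob","session":"s2","event":"mfa.verify.success","factor":"otp"}
{"ts":"2024-05-01T10:00:00Z","user":"carol","session":"s3","event":"mfa.challenge","factor":"sms"}
{"ts":"2024-05-01T10:00:40Z","user":"carol","session":"s3","event":"mfa.verify.fail","factor":"sms"}
"""


def parse_log(text: str) -> list:
    """Parse JSON lines, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize_challenges(events: list) -> dict:
    """Per session: who was challenged, with which factor, how many verify
    attempts were made, and whether it ended in success or was abandoned."""
    sessions = {}
    for e in events:
        s = sessions.setdefault(e["session"], {
            "user": e["user"], "factor": e["factor"],
            "attempts": 0, "outcome": "abandoned"})
        if e["event"] in ("mfa.verify.fail", "mfa.verify.success"):
            s["attempts"] += 1
        if e["event"] == "mfa.verify.success":
            s["outcome"] = "success"
    return sessions


def per_user_report(sessions: dict, retry_threshold: int = 2) -> dict:
    """Roll sessions up per user. A user is flagged for attention when a
    challenge was abandoned or needed more than retry_threshold attempts:
    candidates for retraining, OTP clock drift, or a policy misconfiguration."""
    report = defaultdict(lambda: {"challenges": 0, "attempts": 0,
                                  "abandoned": 0, "needs_attention": False})
    for s in sessions.values():
        r = report[s["user"]]
        r["challenges"] += 1
        r["attempts"] += s["attempts"]
        if s["outcome"] == "abandoned":
            r["abandoned"] += 1
        if s["outcome"] == "abandoned" or s["attempts"] > retry_threshold:
            r["needs_attention"] = True
    return dict(report)
```

On a real trail, run this per day and watch the flagged set: a cluster of users on the same factor usually points at a configuration problem rather than at the users.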

Training and awareness 

Change can be met with skepticism, especially when MFA feels like an unnecessary added frustration. 

A successful authentication system for small businesses relies on everyone, from management to IT to new hires, using MFA from day one at the company. This is an area where being an SMB is to your advantage: unlike a company with hundreds of thousands of employees, you’re more likely to know or have a personal connection with individuals. Proactively address concerns and communicate the importance of MFA for enhancing security. Choose user-friendly tools and promote a security-first culture to minimize disruption and make the MFA experience as seamless as possible. Foster an atmosphere of personal pride and teamwork in staying secure, and make sure everyone understands how important their role is in keeping the company safe. Develop or adopt onboarding checklists and user security checklists to make processes as easy as possible, even for remote onboarding.

Learn more about easily reducing risk with MFA

Now that you’re prepared with knowledge of what MFA is and how it keeps you safe, we hope you feel more confident choosing a cybersecurity solution that’s right for you.

Still have questions? Make it easier to stay on track with 8 Steps for Effectively Deploying MFA, or take an in-depth look at the implementation process with the MFA deployment guide.
 

Okta is the World’s Identity Company. We free everyone to safely use any technology — anywhere, on any device or app. Our Workforce and Customer Identity Clouds enable secure yet flexible access, authentication, and automation that transforms how people move through the digital world and puts Identity at the heart of business security and growth.

 
