The Truth About 2FA: Why It Wasn’t Enough for This Small Business
- Shay
- 2 days ago
- 4 min read

A Password Should Not Be the Reason Your Business Gets Hacked
A few weeks ago, I got a call from a small business owner. It had been a long day for them. Their clients were receiving strange file-sharing links from what appeared to be company email addresses. These looked like Dropbox or OneDrive files, but something was off.
As it turned out, those emails were not legitimate. Someone had broken into an employee's Microsoft 365 account. And yes, the business had already set up two-factor authentication.
They thought they were protected. They were not.
Even With Two-Factor Authentication, Attacks Can Still Happen
This company had followed the standard security advice. They used strong passwords. They had enabled two-factor authentication. But someone still got in.
How? Most likely through an adversary-in-the-middle phishing page. The employee gets an email that looks like it comes from Microsoft, clicks through to a login screen that is really a proxy sitting in front of the genuine Microsoft sign-in page, and types their password and then their two-factor code, or taps Approve on the push notification the proxy just triggered. Every factor is real; it is simply being entered on the wrong site. The proxy relays each step to Microsoft in real time and keeps the signed-in session cookie, so the attacker never needs the password or the code again. SMS codes, authenticator-app codes, and plain Approve/Deny prompts can all be relayed this way.
Once inside, they created inbox rules that moved or deleted incoming replies so the employee would not notice anything unusual. They set up forwarding to an outside address. Then they started emailing the company's customers with malicious links from the real mailbox, so the messages looked genuine to the recipients' mail systems as well as to the people reading them.
This is not just a technical issue. It is a trust issue. Clients were put at risk, and the business had to respond fast to limit the damage.
A Better Way to Log In: Passkeys
Passwords can be stolen. Two-factor codes can be relayed. Passkeys are different.
A passkey is a key pair created for one specific website and kept on your device. The private half never leaves the device. When you sign in, the site sends a one-time challenge, the device signs it, and the site checks the signature against the public half it stored when you registered. There is no password to steal, no code to type, and no push notification to approve. Your fingerprint, face, or device PIN only unlocks the key locally; it is never sent to the site. In practice you sign in with something you have (the device holding the key) plus something you are or know (a biometric or the device PIN).
That could be:
Your fingerprint on a Windows laptop or Android phone
Your face with Face ID on an iPhone
A PIN or screen lock on a phone or tablet
This type of login is phishing-resistant by design. The browser writes the real web address it is on into the data that gets signed, and it only offers a passkey to the site that passkey was registered for, so a look-alike domain gets no usable signature at all. An attacker who knows your email address cannot sign in without your physical device and your biometric or PIN. One caveat: passkeys protect the login itself, not the paths around it. Account recovery and the enrolment of new sign-in methods still need to be locked down, because an attacker who can add their own device to an account has no need to phish anyone.
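To make the phishing-resistance argument concrete, here is an added example that is not from the original post and not Microsoft's code: a toy model of the passkey challenge and response in PowerShell 7 using .NET's ECDsa. Real WebAuthn adds CBOR/COSE encodings, attestation, and more fields; this keeps only the two properties that matter here, namely that the signed data starts with a hash of the relying-party ID and that the browser, not the user, writes the real origin into the client data. The relying-party ID `example.com` and the origins used below are hypothetical.

```powershell
# Added example (not the author's code): toy passkey challenge/response.
# Requires PowerShell 7 (.NET ECDsa). All names and origins are hypothetical.

$sha      = [System.Security.Cryptography.SHA256]::Create()
$hashName = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$rpId     = 'example.com'   # relying-party ID the passkey was registered for (assumed)

# Registration: the device creates a key pair for this site. The private key stays
# on the device; the site stores only the public half.
$curve         = [System.Security.Cryptography.ECCurve]::CreateFromFriendlyName('nistP256')
$authenticator = [System.Security.Cryptography.ECDsa]::Create($curve)
$storedPublic  = $authenticator.ExportParameters($false)

function Get-AuthenticatorData([string] $ForRpId) {
    # rpIdHash (32 bytes) || flags (UP|UV = 0x05) || signCount (4 bytes, big-endian)
    $rpIdHash = $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($ForRpId))
    return [byte[]]($rpIdHash + [byte]0x05 + [byte[]](0, 0, 0, 1))
}

function New-Assertion([string] $BrowserOrigin, [string] $Challenge) {
    # Browser side: a passkey is only offered to the site it belongs to.
    $hostname = ([Uri]$BrowserOrigin).Host
    if ($hostname -ne $rpId -and -not $hostname.EndsWith(".$rpId")) { return $null }
    # The browser records the origin it is really on; the fingerprint/PIN only unlocks the key.
    $clientDataJson = [Text.Encoding]::UTF8.GetBytes(
        '{"type":"webauthn.get","challenge":"' + $Challenge + '","origin":"' + $BrowserOrigin + '"}')
    $authData = Get-AuthenticatorData $rpId
    $toSign   = [byte[]]($authData + $sha.ComputeHash($clientDataJson))
    return @{
        ClientDataJson = $clientDataJson
        AuthData       = $authData
        Signature      = $authenticator.SignData($toSign, $hashName)
    }
}

function Test-Assertion($Assertion, [string] $ExpectedOrigin, [string] $ExpectedChallenge) {
    # Relying-party side: every check must pass before a session is issued.
    if ($null -eq $Assertion) { return 'no assertion: the browser found no passkey for that site' }
    $client = [Text.Encoding]::UTF8.GetString($Assertion.ClientDataJson) | ConvertFrom-Json
    if ($client.origin -ne $ExpectedOrigin)       { return "rejected: origin $($client.origin)" }
    if ($client.challenge -ne $ExpectedChallenge) { return 'rejected: stale or foreign challenge (replay)' }
    $expectedRpHash = [BitConverter]::ToString($sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($rpId)))
    if ([BitConverter]::ToString([byte[]]$Assertion.AuthData[0..31]) -ne $expectedRpHash) {
        return 'rejected: rpIdHash mismatch'
    }
    $verifier = [System.Security.Cryptography.ECDsa]::Create()
    $verifier.ImportParameters($storedPublic)
    $toSign = [byte[]]($Assertion.AuthData + $sha.ComputeHash($Assertion.ClientDataJson))
    if (-not $verifier.VerifyData($toSign, $Assertion.Signature, $hashName)) { return 'rejected: bad signature' }
    return 'accepted'
}

# Fresh random challenge issued by the site for this login attempt.
$challengeBytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($challengeBytes)
$challenge = [Convert]::ToBase64String($challengeBytes)

# 1. Genuine sign-in: the browser is on the real origin.
$genuine = New-Assertion 'https://example.com' $challenge
Test-Assertion $genuine 'https://example.com' $challenge

# 2. Adversary-in-the-middle proxy on a look-alike domain relaying the real challenge.
Test-Assertion (New-Assertion 'https://example-login.com' $challenge) 'https://example.com' $challenge

# 3. A captured assertion replayed against a later challenge.
$later = [Convert]::ToBase64String([byte[]]::new(32))
Test-Assertion $genuine 'https://example.com' $later
```

The three calls at the end are the point of the exercise. Only the first should be accepted: the look-alike site never gets an assertion to relay because the browser scopes the passkey to `example.com`, and the captured assertion is refused later because the challenge it signed is no longer the one the site is waiting for. Contrast this with the relay attack described earlier, where a one-time code is valid on whichever site the user types it into.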
Microsoft Entra ID Supports Passkeys Today
If your business is using Microsoft 365, then you are already using something called Microsoft Entra ID. It used to be called Azure Active Directory. Entra ID is what controls who can sign in, what apps they can access, and what kind of authentication is required.
Entra ID supports passkeys as a sign-in method today. In the admin portal the method is listed as "Passkey (FIDO2)" under the Authentication methods policy, and it covers both hardware security keys and passkeys held in the Microsoft Authenticator app. Once the method is enabled for a user, a registered phone or laptop can sign in to Outlook, Teams, SharePoint, OneDrive, and the other Microsoft 365 apps.
This works across most modern devices, including:
iPhones with Face ID or Touch ID
Android phones with screen lock or biometrics
Windows PCs with Windows Hello
Macs with Touch ID or Face ID via a paired iPhone
As long as the device supports a secure screen lock or biometric, and the tenant's policy allows that type of authenticator, you can use passkeys. Two practical checks before rolling this out: an administrator has to enable the method in the Authentication methods policy, and each employee should register a passkey on at least two devices, or keep a hardware security key as a backup, so that a lost phone does not lock them out.
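Before enrolling anyone, it is worth confirming that the tenant's "Passkey (FIDO2)" method is actually switched on and targeted at the right users. The following is an added example, not part of the original post and not Microsoft's own tooling: a PowerShell check over the Microsoft Graph `fido2AuthenticationMethodConfiguration` resource, run here against two constructed sample configurations so it works offline. The live call at the bottom uses `Invoke-MgGraphRequest` from the Microsoft.Graph.Authentication module and assumes an account that can read authentication method policy.

```powershell
# Added example (not the author's code): review the tenant's Passkey (FIDO2) settings.
# The two sample hashtables are constructed; their shape follows the Graph
# fido2AuthenticationMethodConfiguration resource, which is also what the live call returns.

function Test-PasskeyPolicy {
    param([Parameter(Mandatory)] [hashtable] $Config)
    $findings = @()
    if ($Config.state -ne 'enabled') {
        $findings += 'Passkey (FIDO2) method is disabled: nobody can register or use a passkey'
    }
    if (-not $Config.isSelfServiceRegistrationEnabled) {
        $findings += 'Self-service registration is off: users cannot enrol their own devices'
    }
    if (-not $Config.isAttestationEnforced) {
        $findings += 'Attestation not enforced: the tenant cannot tell what kind of authenticator made the key'
    }
    $kr = $Config.keyRestrictions
    if ($kr -and $kr.isEnforced -and $kr.enforcementType -eq 'allow' -and -not $kr.aaGuids) {
        $findings += 'Allow-list enforced with an empty AAGUID list: every registration will be rejected'
    }
    if (@($Config.includeTargets).Count -eq 0) {
        $findings += 'No include targets: the method is enabled for nobody'
    }
    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# --- Constructed samples (not real tenant output) ---
$weak = @{
    id = 'Fido2'; state = 'disabled'
    isSelfServiceRegistrationEnabled = $false
    isAttestationEnforced            = $false
    keyRestrictions = @{ isEnforced = $true; enforcementType = 'allow'; aaGuids = @() }
    includeTargets  = @()
}
$good = @{
    id = 'Fido2'; state = 'enabled'
    isSelfServiceRegistrationEnabled = $true
    isAttestationEnforced            = $true
    keyRestrictions = @{ isEnforced = $false; enforcementType = 'block'; aaGuids = @() }
    includeTargets  = @(@{ targetType = 'group'; id = 'all_users'; isRegistrationRequired = $false })
}

Test-PasskeyPolicy $weak | Format-List
Test-PasskeyPolicy $good | Format-List

# Live read against the tenant (Policy.Read.All to read; Policy.ReadWrite.AuthenticationMethod to change it):
#   Connect-MgGraph -Scopes 'Policy.Read.All'
#   $live = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2'
#   Test-PasskeyPolicy $live
```

`Invoke-MgGraphRequest` returns a hashtable by default, so the live response drops straight into `Test-PasskeyPolicy`. The key-restriction check matters because an allow-list that lists no AAGUIDs silently rejects every registration, which shows up to employees as an unexplained failure during enrolment.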
What I Did for That Client
I helped the client recover from the compromise. That included resetting passwords, removing inbox rules, checking for hidden forwarding, and updating their domain's DNS records to stop spoofing.
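The inbox-rule and forwarding clean-up mentioned here, and the hiding tactics described in the account of the compromise above, come down to a short audit that can be repeated on every mailbox. The following is an added example, not part of the original post or the author's toolkit: PowerShell functions that flag the rule and forwarding patterns attackers use, run against constructed sample objects so the logic can be tried offline. The live commands in the trailing comments assume the ExchangeOnlineManagement module and an Exchange administrator role; the mailbox and attacker addresses are hypothetical.

```powershell
# Added example (not the author's code): audit a mailbox for attacker-style inbox rules
# and mailbox-level forwarding. Sample objects below are constructed; they mimic the
# properties of Get-InboxRule and Get-Mailbox output.

function Test-SuspiciousInboxRule {
    param([Parameter(Mandatory)] $Rule)   # object shaped like Get-InboxRule output
    $reasons = @()
    if ($Rule.ForwardTo -or $Rule.ForwardAsAttachmentTo -or $Rule.RedirectTo) {
        $reasons += 'forwards or redirects mail'
    }
    if ($Rule.DeleteMessage) { $reasons += 'deletes messages' }
    if ($Rule.MarkAsRead)    { $reasons += 'marks messages as read' }
    # Replies get parked in folders nobody opens: RSS Feeds, Archive, Conversation History, Junk
    if ($Rule.MoveToFolder -and $Rule.MoveToFolder -match 'RSS|Archive|Conversation History|Junk|Deleted') {
        $reasons += "moves mail to '$($Rule.MoveToFolder)'"
    }
    # Keyword rules aimed at payment or "have you been hacked" threads are a common hiding pattern
    if ($Rule.SubjectContainsWords -and
        (($Rule.SubjectContainsWords -join ' ') -match 'invoice|payment|wire|password|suspicious|hacked')) {
        $reasons += 'filters on payment or security keywords'
    }
    [pscustomobject]@{
        Name       = $Rule.Name
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

function Test-MailboxForwarding {
    param([Parameter(Mandatory)] $Mailbox)   # object shaped like Get-Mailbox output
    [pscustomobject]@{
        Mailbox                    = $Mailbox.UserPrincipalName
        ForwardingSmtpAddress      = $Mailbox.ForwardingSmtpAddress
        ForwardingAddress          = $Mailbox.ForwardingAddress
        DeliverToMailboxAndForward = $Mailbox.DeliverToMailboxAndForward
        Suspicious                 = [bool]($Mailbox.ForwardingSmtpAddress -or $Mailbox.ForwardingAddress)
    }
}

# --- Constructed sample data (not real tenant output) ---
$sampleRules = @(
    [pscustomobject]@{ Name = 'Newsletter cleanup'; MoveToFolder = 'Newsletters'; DeleteMessage = $false; MarkAsRead = $false
                       ForwardTo = $null; ForwardAsAttachmentTo = $null; RedirectTo = $null; SubjectContainsWords = $null }
    [pscustomobject]@{ Name = '.'; MoveToFolder = 'RSS Feeds'; DeleteMessage = $false; MarkAsRead = $true
                       ForwardTo = $null; ForwardAsAttachmentTo = $null; RedirectTo = $null; SubjectContainsWords = @('invoice', 'hacked') }
    [pscustomobject]@{ Name = 'backup'; MoveToFolder = $null; DeleteMessage = $true; MarkAsRead = $false
                       ForwardTo = @('attacker@example.net'); ForwardAsAttachmentTo = $null; RedirectTo = $null; SubjectContainsWords = $null }
)
$sampleMailbox = [pscustomobject]@{
    UserPrincipalName = 'user@example.com'; ForwardingSmtpAddress = 'smtp:attacker@example.net'
    ForwardingAddress = $null; DeliverToMailboxAndForward = $true
}

$sampleRules | ForEach-Object { Test-SuspiciousInboxRule $_ } | Format-Table -AutoSize
Test-MailboxForwarding $sampleMailbox | Format-List

# Live run (Exchange administrator; ExchangeOnlineManagement module):
#   Connect-ExchangeOnline
#   Get-Mailbox -ResultSize Unlimited | ForEach-Object { Test-MailboxForwarding $_ } | Where-Object Suspicious
#   Get-InboxRule -Mailbox user@example.com | ForEach-Object { Test-SuspiciousInboxRule $_ } | Where-Object Suspicious
# Remediation:
#   Remove-InboxRule -Mailbox user@example.com -Identity '<rule name>'
#   Set-Mailbox user@example.com -ForwardingSmtpAddress $null -ForwardingAddress $null
#   Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

Two notes from running this kind of audit. Rule names such as `.` or a single space are a tell on their own, so it is worth eyeballing the full rule list rather than relying on the keyword match alone. And resetting the password does not end the attacker's session by itself; revoking the user's sign-in sessions in Entra ID is a separate step, otherwise the stolen session cookie from the phishing proxy keeps working.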
But I did not stop there. I looked at what could make their environment stronger. I started setting up Passkeys for key employees. I walked them through what it takes to make this work across devices. I also recommended a third-party option that adds even more control. That tool is Duo Security.
Duo adds a layer of policy-based protection. It can stop logins from unfamiliar locations or devices. It can check the health of the device before allowing access. It gives you insights and alerts when something looks suspicious. It works with Microsoft 365.
Security Should Be Strong and Simple
Security does not have to be complicated. It just needs to work in the real world. Passkeys are easier for employees to use and harder for attackers to bypass.
If your business is still relying on passwords and basic two-factor authentication, now is a great time to look at what is possible with Microsoft Entra ID. Passkeys are already available. Duo Security can help you build smarter and stronger layers of protection.
This is not about checking boxes. It is about building a system that keeps your business safe without making life harder for your team.
If you want help setting up Passkeys or improving your Microsoft 365 security, I would love to talk.
Is This Right for Your Business?
If you are a small business that relies on Microsoft 365 for communication, file sharing, and collaboration, Passkeys can help you take a big step forward in protecting your users and your clients.
This is especially valuable if you:
Store client data in OneDrive or SharePoint
Use Outlook as your main email platform
Collaborate remotely with Teams
Manage sensitive information or financial records
Have field workers or mobile staff logging in from phones and tablets
Have experienced a phishing attempt or spoofing attack before
I work with service-based businesses, construction teams, agricultural operations, office environments, and more. If you rely on Microsoft tools to run your company, this upgrade makes sense. It is not just about protecting your inbox. It is about protecting your business as a whole.