
Two-Factor Authentication — The Free Security Upgrade Every Australian Needs Right Now

January 15, 2026

Multi-factor authentication is the single most effective security improvement available to Australian individuals and businesses. Microsoft research found that enabling MFA stops 99.9% of automated account takeover attacks. It is free to set up on most platforms and takes approximately five minutes per account. Yet the majority of Australian small businesses and individuals still have not enabled it on their most important accounts.

How It Works

When you enable MFA, logging in requires two things: your password (something you know) and a second factor — usually a code from an app on your phone (something you have). Even if a criminal steals your password through a phishing attack or data breach, they cannot access your account without also having your physical phone. This single additional step eliminates the vast majority of account takeover attacks, because most criminals are operating at scale with automated tools and do not have the capability to also intercept your phone.

Set It Up on These Accounts First

Prioritise in this order: your email account (most important — it is the master key to everything else), your myGov account, your internet banking, your accounting software, and your social media accounts. Most platforms have MFA settings under Account Security, Privacy and Security, or Two-Factor Authentication. The setup process is similar on every platform — you confirm your phone number or scan a QR code with your authenticator app, and the platform sends you a test code to confirm it is working.

Authenticator App vs SMS — Which Is Better?

An authenticator app (Google Authenticator, Microsoft Authenticator, or Authy) is significantly more secure than SMS-based MFA. SMS codes can be intercepted through SIM-swapping attacks — where a criminal convinces your mobile carrier to transfer your phone number to a SIM card they control. This takes as little as 15 minutes using personal information available from data breaches. Authenticator apps generate codes locally on your device without any network transmission, and cannot be intercepted this way. Where platforms offer the choice, always use an authenticator app.

What to Do If You Lose Your Phone

Before enabling MFA on any account, save the recovery codes that most platforms provide during setup. These are typically 8-10 one-time codes that allow you to access your account if you lose your phone. Store these in a secure location — a password manager, a printed copy in a safe, or a secure notes app on a separate device. Never store recovery codes in the same place as the account credentials they protect.

MFA for Your Business

For businesses using Microsoft 365 or Google Workspace, MFA can be enabled for all users from the administrator console and enforced as a policy — meaning users cannot opt out. This is the recommended approach for businesses. IntrusionX can help implement MFA across your entire organisation and configure the additional access policies that maximise security. Contact us for a free consultation.

MFA for High-Risk Situations

Some situations deserve extra authentication vigilance beyond standard MFA. When travelling overseas, your accounts may be flagged for unusual access and may require additional verification. When accessing accounts on a new or shared device, be cautious — use incognito mode, ensure you log out completely, and do not allow the browser to save credentials. When receiving MFA codes for actions you did not initiate — such as a login request or password reset you did not trigger — do not enter the code. Instead, immediately change your password, because someone else has your credentials and is trying to use them.

Helping Others Set Up MFA

If you are the person in your family, friendship group, or small business who handles technology, help others set up MFA on their most critical accounts. The five most important are: email, myGov, internet banking, and for business owners, their accounting software and ATO portal. For older family members, Microsoft Authenticator has a backup and recovery feature that makes it more resilient to phone loss than Google Authenticator. For small businesses, IntrusionX can provide a facilitated MFA rollout across your entire team — ensuring every staff member is properly set up and understands how to use MFA before it is enforced. Contact us for a free consultation.
