TL;DR

SMS-based MFA is broken. SIM swapping and adversary-in-the-middle phishing kits such as Evilginx and Tycoon bypass it in seconds, and they defeat app-based codes and push prompts just as easily. This checklist walks Australian SMBs through upgrading to phishing-resistant MFA (FIDO2 security keys and passkeys, with number-matching push as an interim baseline) and deploying six conditional access policies that lock down Microsoft Entra ID and Google Workspace without an enterprise budget.

Why SMS and Phone-Call MFA Are No Longer Safe

For years, multi-factor authentication meant "enable SMS codes and move on." That era is over. Two attack methods have made SMS and voice-call MFA unreliable for any business handling sensitive data:

SIM swapping. An attacker convinces your telco to port your mobile number to a SIM card they control. Once the number transfers, every SMS code lands on their phone. In Australia, the ACSC has repeatedly warned that SIM-swapping attacks are rising, targeting businesses with valuable accounts — cloud admin portals, email, banking.


Adversary-in-the-middle (AiTM) phishing. Kits like Evilginx 2 and the Tycoon phishing-as-a-service platform put a reverse proxy between your staff and the real login page. The employee enters username, password and MFA code on what looks like the legitimate site; the proxy forwards each value to the real service in real time, the real service issues a session cookie, and the proxy captures it. The attacker then replays that cookie and is signed in without ever touching the second factor. SMS codes, TOTP codes from an authenticator app, and push approvals (with or without number matching) all fall to this attack, because the victim completes the legitimate MFA step themselves and the proxy simply relays it.

The ACSC's Essential Eight Maturity Model (November 2023 update) requires phishing-resistant MFA at Maturity Level 2 for privileged users and for online customer services, and for all users at Maturity Level 3. If your business handles anything sensitive (client data, financial systems, government contracts), SMS is a compliance gap, not a security control.

Phishing-Resistant MFA Options for SMBs

FIDO2 security keys (YubiKey 5 series). The gold standard. A physical USB or NFC key holds a per-site private key and signs a challenge that the browser binds to the origin it is actually talking to. A proxy on a lookalike domain presents a different origin, so the key either has no credential registered for it or produces a signature the real service rejects; there is nothing for the attacker to relay. Cost: around AUD 70–90 per key. Give every admin and high-privilege account one. Register a backup key for each account and store it securely.

Passkeys (platform-built-in FIDO2). Windows Hello, Touch ID, Face ID and Android fingerprint unlock can all act as FIDO2 authenticators, with the same origin binding as a hardware key. Passkeys sync across devices via the OS cloud (iCloud Keychain, Google Password Manager), so a lost phone does not mean a lost credential. This is the easiest path for staff: no hardware to lose, no extra app to install. Both Entra ID and Google Workspace support passkeys natively in 2026. One check before rollout: in Entra ID the authentication methods policy controls which passkey providers are accepted, so confirm the platform authenticators your staff use are allowed, and remember that a synced passkey is only as strong as the Apple or Google account it syncs through.

Microsoft Authenticator with number matching. If you are not ready for hardware keys, this is your baseline, but be clear about what it does and does not defend against. Number matching makes staff type the two-digit number shown on the sign-in page into the app, which defeats MFA fatigue (push bombing): an attacker who only has the password cannot guess the number and cannot rely on a tired user tapping Approve. It does not defeat AiTM phishing, because the proxy relays the real sign-in page and the victim sees the real number. Microsoft has enforced number matching for all Authenticator push notifications since May 2023, so there is nothing to switch on; treat it as the floor and plan the move to FIDO2 keys or passkeys for anyone with access to money or client data.

What to deprecate. Disable SMS and voice calls across all tenant accounts. In Entra ID this is the Authentication methods policy (Entra admin centre > Protection > Authentication methods), and it only takes full effect once the tenant has migrated off the legacy per-user MFA and SSPR settings, so complete that migration first. In Google Workspace, enforce 2-Step Verification and set the allowed methods to "Only security key" (or "Any except verification codes via text, phone call") for the relevant organisational units. Do not leave weaker methods available as fallbacks: an attacker who can trigger a fallback to SMS has undone the whole upgrade.
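The Entra ID side of that deprecation, scripted so it can be repeated and verified. This is an added example, not code from the original post; it uses the Microsoft Graph PowerShell SDK's Invoke-MgGraphRequest against the authenticationMethodsPolicy endpoints, assumes the Microsoft.Graph module is installed, and assumes the signed-in admin can consent to the Policy.ReadWrite.AuthenticationMethod scope. It checks the legacy-policy migration state first, prints the state of every method before and after, disables SMS and Voice, and enables FIDO2.

```powershell
# Added example (not from the original post): disable SMS and voice-call MFA
# tenant-wide in Entra ID, enable FIDO2 security keys, and read the policy back.
# Uses the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and
# calls the authenticationMethodsPolicy REST endpoints directly so the JSON
# shape is visible. Requires an admin who can consent to the scope below.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod' -NoWelcome

$policyUri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy'
$configUri = "$policyUri/authenticationMethodConfigurations"

# Changes here only take full effect once the tenant has left the legacy
# per-user MFA / SSPR settings behind, so check the migration state first.
$migration = (Invoke-MgGraphRequest -Method GET -Uri $policyUri).policyMigrationState
if ($migration -ne 'migrationComplete') {
    Write-Warning "Authentication methods migration state is '$migration'; finish the migration or legacy settings may still allow SMS."
}

function Get-MethodStates {
    # One row per authentication method with its current enabled/disabled state.
    (Invoke-MgGraphRequest -Method GET -Uri $configUri).value |
        ForEach-Object { [pscustomobject]@{ Method = $_.id; State = $_.state } }
}

Write-Host 'Before:'
Get-MethodStates | Format-Table -AutoSize

# Method id, its Graph @odata.type, and the state we want for each.
$changes = @(
    @{ Id = 'Sms';   Type = '#microsoft.graph.smsAuthenticationMethodConfiguration';   State = 'disabled' },
    @{ Id = 'Voice'; Type = '#microsoft.graph.voiceAuthenticationMethodConfiguration'; State = 'disabled' },
    @{ Id = 'Fido2'; Type = '#microsoft.graph.fido2AuthenticationMethodConfiguration'; State = 'enabled'  }
)
foreach ($c in $changes) {
    $body = @{ '@odata.type' = $c.Type; state = $c.State } | ConvertTo-Json
    Invoke-MgGraphRequest -Method PATCH -Uri "$configUri/$($c.Id)" -Body $body -ContentType 'application/json' | Out-Null
}

Write-Host 'After:'
Get-MethodStates | Format-Table -AutoSize
```

Run it once in a test tenant and compare the two tables: Sms and Voice should read disabled, Fido2 enabled, and everything else unchanged. Before running it in production, find the users whose only registered method is SMS (Entra admin centre > Protection > Authentication methods > User registration details) and give them a Temporary Access Pass to enrol a key or passkey, otherwise they lose access the moment SMS is switched off.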

Conditional Access: Your Six-Policy Starter Pack

Conditional access evaluates every sign-in attempt against rules you define before granting access. Think of it as a bouncer that checks ID, dress code and the guest list simultaneously. Two rules before you create anything: deploy each policy in report-only mode first and read the sign-in logs for a week so you see who it would have blocked, and exclude one emergency-access (break-glass) account, protected with a FIDO2 key kept offline, from every policy so a mistake cannot lock you out of the tenant. Below is a six-policy starter pack covering both Entra ID and Google Workspace.

Policy 1: Block legacy authentication. Legacy protocols (IMAP, POP3, SMTP AUTH, Exchange ActiveSync, older Office desktop apps) cannot complete an MFA prompt, so a password alone is enough, and attackers password-spray these endpoints constantly. Block them entirely. In Entra ID: Conditional Access > New policy > Conditions > Client apps > tick Exchange ActiveSync clients and Other clients, then Grant > Block access. Check the sign-in logs for client app "Other clients" first; a multifunction printer or line-of-business app still using basic authentication will show up there and needs fixing before enforcement. In Google Workspace: Security > Access and data control > Less secure apps > Disable access. Google has been retiring less secure app access tenant-wide, so the setting may already be gone from your console, which is the outcome you want.

Policy 2: Require phishing-resistant MFA for all admin-role sign-ins. Every account with a privileged role (Global Administrator, Security Administrator, User Administrator, or the Google Workspace equivalent) must satisfy MFA at every sign-in. In Entra ID, grant with the built-in authentication strength "Phishing-resistant MFA" rather than plain "Require multifactor authentication", so that Authenticator push and TOTP do not satisfy the policy for admins. No exceptions, no persistent browser sessions, and no remember-me window longer than 24 hours.

Policy 3: Require compliant or managed devices. Only allow sign-ins from devices enrolled in your MDM (Intune, Google endpoint management) that meet the compliance policy you define there: screen lock with PIN or biometric, disk encryption on, OS within your patch window. An attacker who has phished a password, or stolen a session cookie via AiTM, is on an unmanaged machine and fails the device check when the policy is evaluated, which is why Microsoft lists compliant-device policies among its AiTM mitigations. Scope it to Windows, macOS, iOS and Android first, and exclude any shared or kiosk devices you cannot enrol, otherwise the policy blocks them on day one.

Policy 4: Restrict sign-in locations. If your team works from Australia with occasional overseas travel, create a named location covering Australia plus the countries where staff actually travel, and block sign-ins from everywhere else. Review the list quarterly and give travelling staff a way to request a temporary addition. Treat this as noise reduction, not a control: an attacker with a residential proxy or VPN exit in Sydney passes it, so it must sit alongside Policies 2 and 3, never replace them.

Policy 5: Session timeout and re-authentication. Set maximum session lengths. For admin portals, force re-authentication every 4 hours; for regular user sessions, 12 to 24 hours is reasonable. In Entra ID, configure Sign-in frequency under Session controls and leave Persistent browser session off for admins. In Google Workspace, set the session length under Security > Access and data control > Google session control. Shorter sessions matter against AiTM specifically: a stolen session cookie is only useful until the next forced re-authentication, and a phishing-resistant factor then stops the attacker at that point.

Policy 6: Block risky sign-ins automatically. Enable risk-based policies (Entra ID Protection, or login challenges in Google Workspace). When the service detects impossible travel, an unfamiliar IP range or leaked credentials, block the sign-in or require a phishing-resistant second factor and a password change. This is the safety net for the edge cases your static rules miss. Licensing caveat: risk-based conditional access in Entra ID needs Entra ID P2, which Microsoft 365 Business Premium does not include (it carries P1), so either budget for the P2 add-on or lean harder on Policies 1 to 5.
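Policies 1, 2 and the admin half of Policy 5, created as Entra ID conditional access policies in report-only mode. This is an added example, not code from the original post; it uses Invoke-MgGraphRequest from the Microsoft Graph PowerShell SDK and assumes an admin who can consent to the listed scopes. The break-glass UPN breakglass@contoso.example is an assumed placeholder; role template IDs and the built-in "Phishing-resistant MFA" authentication strength are looked up by display name rather than hard-coded.

```powershell
# Added example (not from the original post): create CA001 (block legacy
# authentication) and CA002 (phishing-resistant MFA + 4-hour sign-in frequency
# for admin roles) in report-only mode, excluding a break-glass account.
# Assumes Microsoft.Graph is installed and the admin can consent to these scopes.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Directory.Read.All','User.Read.All' -NoWelcome
$graph = 'https://graph.microsoft.com/v1.0'

# ASSUMED placeholder: replace with your tenant's emergency-access account.
$breakGlassUpn = 'breakglass@contoso.example'
$breakGlass = Invoke-MgGraphRequest -Method GET -Uri "$graph/users/${breakGlassUpn}?`$select=id"

# Resolve admin role template ids by display name rather than hard-coding GUIDs.
$roleNames = 'Global Administrator', 'Security Administrator', 'User Administrator'
$roleIds = @((Invoke-MgGraphRequest -Method GET -Uri "$graph/directoryRoleTemplates").value |
    Where-Object { $roleNames -contains $_.displayName } |
    ForEach-Object { $_.id })

# Built-in strength that accepts only FIDO2 keys/passkeys, Windows Hello for
# Business and certificate-based auth; Authenticator push and TOTP do not satisfy it.
$strength = (Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/authenticationStrengthPolicies").value |
    Where-Object { $_.displayName -eq 'Phishing-resistant MFA' }

$policies = @(
    @{
        displayName = 'CA001 - Block legacy authentication'
        state       = 'enabledForReportingButNotEnforced'   # report-only first
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.id) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('exchangeActiveSync', 'other')  # the legacy client types
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    @{
        displayName = 'CA002 - Admin roles require phishing-resistant MFA'
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{ includeRoles = $roleIds; excludeUsers = @($breakGlass.id) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls   = @{ operator = 'OR'; authenticationStrength = @{ id = $strength.id } }
        sessionControls = @{ signInFrequency = @{ value = 4; type = 'hours'; isEnabled = $true } }
    }
)

foreach ($p in $policies) {
    $created = Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" `
        -Body ($p | ConvertTo-Json -Depth 10) -ContentType 'application/json'
    Write-Host ("Created {0} ({1}) state={2}" -f $created.displayName, $created.id, $created.state)
}
```

After a week in report-only mode, open Entra admin centre > Monitoring > Sign-in logs, use the Report-only tab to confirm that only the sign-ins you expect (legacy-protocol clients, admins without a key) would have been blocked, then switch each policy to enabled with a PATCH to the same policies endpoint carrying `{ "state": "enabled" }`. Keep the break-glass exclusion in place permanently and alert on any sign-in by that account.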

FAQ

Q: We only have five staff. Is conditional access overkill? A: No. Attackers do not discriminate by company size. Automated phishing campaigns target every Microsoft 365 and Google Workspace tenant equally. A five-person accounting firm with client tax file numbers is a high-value target.

Q: Do we need YubiKeys for every employee? A: Start with passkeys and Microsoft Authenticator with number matching. Reserve hardware keys for admin accounts and anyone handling financial or client-privileged data. You can phase in hardware keys over a quarter.

Q: What if a staff member loses their YubiKey? A: Register two keys per account, one primary and one backup stored in a locked drawer or safe. Remove the lost key's registration from the account immediately. If both keys are lost, do not exempt the account from MFA: in Entra ID issue a Temporary Access Pass (a short-lived, one-time code that satisfies MFA) so the user can sign in and register a replacement key, and in Google Workspace have an admin use the user's backup codes or turn off 2-Step Verification for that one user only for as long as it takes to enrol the new key.

Q: How much does this cost for a small business? A: Conditional access in Entra ID needs an Entra ID P1 licence, which is bundled with Microsoft 365 Business Premium (around AUD 33/user/month); the risk-based policies in Policy 6 need P2 on top. On the Google side, budget for Google Workspace Business Plus (around AUD 18/user/month). YubiKeys are a one-time AUD 70–90 each. The cost of a single business email compromise is far higher.

Conclusion

MFA without conditional access is a locked door with the key under the mat. Upgrade from SMS to phishing-resistant authentication, deploy the six-policy starter pack, and you close the most common attack paths against Australian SMBs — without enterprise infrastructure or budget.

Visit consult.lil.business for a free cybersecurity assessment tailored to your business.

References

  1. ACSC Essential Eight Maturity Model
  2. Microsoft Entra ID Conditional Access Documentation
  3. NIST SP 800-63B Digital Identity Guidelines — Authentication and Lifecycle Management
  4. Google Workspace Security Best Practices

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.
