
Multi-Factor Authentication (MFA) for Vancouver Businesses

Hexafusion deploys, tunes, and operates multi-factor authentication for Vancouver and Lower Mainland businesses. We work with Entra ID Conditional Access, Duo, Okta, hardware security keys, and passkeys as the modern replacement for SMS-based MFA. Every deployment covers 100 percent of users, satisfies your 2026 cyber-insurance questionnaire, and aligns to PIPEDA and BC's Personal Information Protection Act (PIPA) safeguards.

Written by Alex Barari, founder of Hexafusion and a former PCI DSS Internal Security Assessor (ISA). The MFA rollout patterns described here come from real Vancouver deployments across dental, legal, accounting, manufacturing, and professional-services clients.

Why MFA is non-negotiable in 2026

Three reasons MFA stopped being optional for BC businesses:

  1. Cyber insurance hard requirement. Canadian carriers tightened in the 2025 renewal cycle and tightened again in 2026. The questionnaire now asks not just "do you have MFA" but "is it enforced on all users, including admins, executives, and remote staff" and "what method." Carriers either decline or surcharge policies without comprehensive MFA.
  2. Credential attacks dominate. Public breach reports consistently show stolen or phished credentials as the most common initial-access vector. MFA alone blocks the overwhelming majority of these attacks. The Office of the Privacy Commissioner of Canada has cited MFA absence as a contributing factor in recent breach decisions under PIPEDA.
  3. Compliance frameworks require it. SOC 2, PIPEDA reasonable safeguards, BC PIPA, FINTRAC for financial-services firms, and the Canadian Centre for Cyber Security baselines all either require or strongly recommend MFA for access to sensitive systems.

MFA methods compared

Not all MFA is equal. The method matters as much as the deployment.

Each method below is rated on strength and phishing resistance, with guidance on when to use it:

  • SMS text code. Strength: weak. Phishing-resistant: no (SIM swap, SS7). When to use: backup only; avoid as primary.
  • Authenticator app (TOTP). Strength: strong. Phishing-resistant: partial (still phishable by adversary-in-the-middle). When to use: default for most users. Microsoft Authenticator, Google Authenticator, Authy.
  • Push notification. Strength: strong (with number matching). Phishing-resistant: partial. When to use: common in Microsoft Authenticator; number matching mitigates MFA fatigue.
  • Hardware key (FIDO2 / WebAuthn). Strength: strongest. Phishing-resistant: yes. When to use: required for admins; recommended for executives, finance, HR. YubiKey, Google Titan.
  • Passkey. Strength: strongest. Phishing-resistant: yes. When to use: newest standard; built into iOS, Android, Windows Hello, macOS; increasing application coverage.
  • Certificate-based / managed identity. Strength: N/A (machine). Phishing-resistant: yes. When to use: service accounts, automated workflows. Never share user MFA with services.

Our default baseline: authenticator app for all users (push notification with number matching) plus hardware keys for administrators and high-risk roles. Passkey rollout is enabled for clients on Microsoft 365 Business Premium and higher.

Platforms we deploy

Microsoft Entra ID (Azure AD)

The default for Microsoft 365 clients. Conditional Access policies, sign-in risk detection, named locations, device compliance, privileged access workstations. Tightly integrated with Microsoft Defender for Endpoint signals.

Google Workspace 2-Step Verification

For Workspace clients. Context-Aware Access policies, Advanced Protection Program for high-risk users, security keys mandatory for admins, integration with the Alert Centre.

Duo Security

When the application portfolio is mixed and you need a single MFA layer in front of legacy apps, VPNs, and on-premises servers. Strong in environments with non-Microsoft identity.

Okta Workforce Identity

When the business runs SaaS-heavy and needs a single identity hub federating dozens of third-party applications. Powerful directory and lifecycle automation.

Our standard MFA rollout

A typical Vancouver business of 10 to 50 users is fully MFA-enforced in 30 days with this sequence:

Week 1. Inventory

Audit current sign-in methods, legacy authentication usage, application portfolio, service accounts, shared mailboxes, and existing exceptions. Identify the blockers before announcing the change.

Week 2. Policy design

Build conditional access policies for the three identity tiers: standard user, administrator, executive or high-risk. Define trusted locations, compliant device requirements, app-sensitivity scopes, break-glass admin accounts.

Week 3. Pilot

Roll out to ten percent of users in report-only mode. Watch for unexpected blocks (legacy app needing service-account fix, shared workstation, vendor portal). Adjust policies. Then enforce on the pilot group.

Week 4. Org-wide enforcement

Communications go out two weeks in advance with self-enrolment instructions. On enforcement day, the helpdesk is staffed for double the usual volume for the first three days. After that, support volume returns to baseline.

The break-glass admin account

The single configuration most teams miss. A break-glass account is an emergency administrator with a separate identity, a long stored password, MFA bypass for that account only, and strict monitoring. The reason: if your MFA provider goes down or your primary admin loses their device on a Sunday night, you still need a way in to fix it. Without a break-glass, you wait for vendor support and the business is down.

Our standard break-glass configuration:

  • Dedicated account name (not tied to any individual), excluded from all conditional access policies that could lock it out
  • Long randomly generated password stored offline in a sealed envelope at the office plus in a password manager only the principals can access
  • Continuous alerting on any sign-in activity (this account should never be used in normal operations)
  • Quarterly verification that the credential still works and the recovery procedure is rehearsed
  • Documented in your disaster recovery plan with named owners
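The week-2 policy design, the week-3 report-only pilot, and the break-glass exclusion above can be expressed as two Conditional Access policies. This is an added example, not Hexafusion's own tooling; it assumes the Microsoft.Graph PowerShell SDK, a signed-in Conditional Access Administrator, and a placeholder break-glass UPN that you replace with your own.

```powershell
# Added example, not Hexafusion's own tooling. Assumes the Microsoft.Graph PowerShell
# SDK and a signed-in Conditional Access Administrator; the break-glass UPN is a placeholder.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Resolve the break-glass account first: it must exist before any policy is created,
# because it is the one identity excluded from every policy below.
$breakGlassUpn = "breakglass-01@contoso.example"   # placeholder, use your own
$breakGlass = Get-MgUser -Filter "userPrincipalName eq '$breakGlassUpn'" -Property Id
if (-not $breakGlass) { throw "Break-glass account not found; create it before creating policies." }

# Policy 1: require MFA for all users on all cloud apps. Created in report-only mode
# (enabledForReportingButNotEnforced) so the pilot shows in the sign-in logs what would
# have been blocked, without interrupting anyone. Change state to "enabled" to enforce.
$requireMfa = @{
    displayName   = "CA001 - Require MFA for all users (report-only pilot)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# Policy 2: explicitly block legacy authentication (basic-auth POP, IMAP, SMTP, ActiveSync).
# These clients cannot complete MFA at all; an explicit block keeps the intent visible, and
# its report-only log lists exactly which mailboxes and scanners still use basic auth.
$blockLegacy = @{
    displayName   = "CA002 - Block legacy authentication (report-only pilot)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy
```

Review the report-only results in the sign-in logs (conditionalAccessStatus values beginning with reportOnly) for a week before switching either policy to enabled.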

Common rollout failures and how we avoid them

The MFA deployments that fail in BC SMBs fail for the same reasons every time:

  1. Service accounts blocked. Backup software, monitoring agents, line-of-business systems often run under interactive accounts that cannot use MFA. We migrate these to certificate-based authentication or managed identities during week one rather than discovering it on enforcement day.
  2. Executive bypass. Leadership requests an exception. We push back hard. The compromise that shows up again and again in privacy commissioner breach findings is the executive whose MFA was waived. Hardware keys (one-second tap) make the experience better than authenticator apps.
  3. MFA fatigue attacks. Attacker repeatedly triggers push notifications hoping the user taps Approve to make it stop. We enable number matching (user must enter the number shown on the sign-in screen into the authenticator app) which defeats this entirely.
  4. Legacy authentication still enabled. Older Microsoft 365 tenants have basic authentication enabled by default for Exchange, POP, IMAP, SMTP. Attackers bypass MFA by using these protocols. Disabling legacy auth is a one-line policy change but breaks legacy apps and email clients still using basic auth. We audit and remediate during week one.
  5. Shared workstations. Receptionist, lab, and warehouse PCs that multiple staff use. MFA on each user creates friction. The fix is workstation-level identity (Windows Hello for Business) plus per-session MFA, or kiosk mode with dedicated low-privilege accounts.
  6. No reset procedure. User loses phone, cannot sign in, cannot reset MFA, calls helpdesk, helpdesk has no documented identity-verification process, social-engineering attack succeeds. We define and rehearse the reset procedure during onboarding.
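Three of the conditions on this page are visible in Entra ID sign-in records: any use of the break-glass account (which should never sign in normally), legacy-auth protocols still in use before enforcement, and MFA-fatigue bursts. The triage below is an added example, not Hexafusion's own tooling; it runs over constructed sample records in a simplified shape of what Get-MgAuditLogSignIn returns, with a placeholder break-glass UPN.

```powershell
# Added example, not Hexafusion's own tooling. Records are constructed sample data in a
# simplified shape of Get-MgAuditLogSignIn output (errorCode flattened from Status.ErrorCode).
$breakGlassUpn = "breakglass-01@contoso.example"   # placeholder
$legacyApps    = @("IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients")
$mfaDeniedCode = 500121   # AADSTS500121: strong authentication request failed (denied/timed out)

function New-SignIn($When, $Upn, $App, $Code = 0) {
    [pscustomobject]@{ createdDateTime = [datetime]$When; userPrincipalName = $Upn; clientAppUsed = $App; errorCode = $Code }
}
$t0 = [datetime]"2026-02-01T22:00:00Z"
$signIns = @(
    New-SignIn "2026-02-01T02:10:00Z" $breakGlassUpn "Browser"
    New-SignIn "2026-02-01T09:00:00Z" "scanner@contoso.example" "Authenticated SMTP"
    New-SignIn "2026-02-01T09:05:00Z" "bob@contoso.example" "IMAP4"
    # five push prompts denied or timed out 40 seconds apart: the fatigue pattern
    0..4 | ForEach-Object { New-SignIn $t0.AddSeconds(40 * $_) "jane@contoso.example" "Browser" $mfaDeniedCode }
    New-SignIn "2026-02-01T23:00:00Z" "jane@contoso.example" "Browser"
)

function Find-MfaRolloutFindings {
    param($Records, [string]$BreakGlassUpn, [int]$FatigueThreshold = 5, [int]$WindowMinutes = 10)
    $findings = [System.Collections.Generic.List[string]]::new()
    # 1. The break-glass account should never sign in during normal operations.
    foreach ($r in @($Records | Where-Object userPrincipalName -eq $BreakGlassUpn)) {
        $findings.Add("BREAK-GLASS USED: $($r.createdDateTime.ToString('u')) via $($r.clientAppUsed)")
    }
    # 2. Anyone still on basic-auth protocols breaks the day legacy auth is blocked.
    $Records | Where-Object { $legacyApps -contains $_.clientAppUsed } |
        Group-Object userPrincipalName, clientAppUsed | ForEach-Object {
            $findings.Add("LEGACY AUTH: $($_.Name) ($($_.Count) sign-ins) - migrate before enforcement")
        }
    # 3. Sliding window: $FatigueThreshold denied MFA prompts within $WindowMinutes for one user.
    $Records | Where-Object errorCode -eq $mfaDeniedCode | Group-Object userPrincipalName | ForEach-Object {
        $times = @($_.Group.createdDateTime | Sort-Object)
        for ($i = 0; $i + $FatigueThreshold - 1 -lt $times.Count; $i++) {
            if (($times[$i + $FatigueThreshold - 1] - $times[$i]).TotalMinutes -le $WindowMinutes) {
                $findings.Add("MFA FATIGUE: $($_.Name) denied $FatigueThreshold+ prompts in $WindowMinutes min from $($times[$i].ToString('u'))")
                break
            }
        }
    }
    return $findings
}

Find-MfaRolloutFindings -Records $signIns -BreakGlassUpn $breakGlassUpn
```

Against the sample data this returns one break-glass finding, two legacy-auth findings (scanner on SMTP, bob on IMAP4) and one MFA-fatigue finding for jane; in production, feed it Get-MgAuditLogSignIn output for the last 24 hours.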

Coverage matrix: what we MFA-protect

Our standard scope on managed-IT plans:

  • Microsoft 365 user sign-in (all users, all apps, including web, desktop, and mobile)
  • Google Workspace user sign-in for Workspace tenants
  • Remote access (VPN, Remote Desktop Gateway, Azure Bastion, Cloudflare Access)
  • Administrative consoles (Microsoft 365 admin centre, Azure portal, Google admin, M365 partner portals)
  • Privileged access workstations (jump hosts used to administer servers)
  • Line-of-business SaaS with SSO support (we audit and federate every app possible)
  • Password manager vault unlock
  • Backup and recovery consoles (Veeam, Datto, Microsoft 365 backup)
  • Financial systems (banking portals, accounting platforms with SSO support)

Frequently asked questions

Is MFA actually required by Canadian cyber insurance?

Yes. The 2026 renewal questionnaire treats MFA as a baseline. Carriers ask not just whether you have it, but how comprehensively it is deployed and what method. Without comprehensive MFA, expect surcharges or declines.

What's the difference between SMS, authenticator app, and hardware key MFA?

SMS is the weakest (SIM swap risk). Authenticator app is the default for most users. Hardware keys (YubiKey, Titan) are phishing-resistant and required for admins. Passkeys are the newest standard, built into modern devices.

Will MFA make sign-in painful?

Not when configured correctly. Conditional access only prompts on risk. From a trusted office laptop on the office network, users typically sign in once per session and MFA is invisible. Poor configuration prompts constantly. We tune during the rollout.

What about service accounts and shared mailboxes?

Service accounts move to certificate-based authentication or managed identities and are blocked from interactive sign-in. Shared mailboxes are delegated, never sign-in accounts.

How do we handle executives who refuse MFA?

Issue them hardware security keys (YubiKey or Titan). One-second tap. Faster than typing a six-digit code. Resistance disappears once they experience it.

What is conditional access?

A policy engine in Entra ID (and equivalents) that decides at sign-in time whether to grant access, require MFA, or block. Based on signals like user, group, device compliance, location, app, risk score. Separates real MFA from theatre.

Can we use the same MFA for Microsoft 365 and our other apps?

Yes for apps that support single sign-on (SSO). The identity provider authenticates once with MFA, and third-party apps trust the resulting token via SAML or OpenID Connect. We audit SSO coverage of your application portfolio during onboarding.

What if a user loses their phone or key?

We pre-configure at least two MFA methods per user, self-service password reset, and a documented manager-verified reset path through our helpdesk. A lost device's registration is revoked within minutes.

Get your MFA assessment

Free 30-minute audit of your current MFA coverage, gap analysis against the 2026 cyber-insurance baseline, and a tailored rollout plan. No pressure to sign anything.

