---
id: "action-implement-mfa-passkeys"
type: "action-item"
source_timestamps: ["¶9"]
tags: ["access-control", "quick-wins"]
related: ["claim-mfa-blocks-common-attacks", "framework-dobrygowski-smb-cyber-defense", "prereq-mfa-passkey-knowledge"]
action: "Implement multifactor authentication and upgrade to passkey systems."
outcome: "Blocks the most common cyberattacks and secures access points."
speakers: ["Daniel Dobrygowski"]
sources: ["governance"]
sourceVaultSlug: "hbr-seg-governance"
originDay: 7
articleStem: "hbr-sig-57-smb-cyber-risk"
sourceUrl: "https://hbr.org/2026/06/ai-is-changing-cyber-risk-heres-how-smbs-can-respond"
sourceTitle: "AI Is Changing Cyber Risk. Here’s How SMBs Can Respond."
---
# Implement MFA and Passkeys

**Action:** Implement multifactor authentication (MFA) across all systems immediately, then transition away from traditional passwords toward passkey systems, which offer considerably higher security.

**Outcome:** Blocks the most common cyberattacks and secures access points ([[claim-mfa-blocks-common-attacks]]).

**Where it fits:** Step 1 ("Do the basics") of [[framework-dobrygowski-smb-cyber-defense]]. Requires [[prereq-mfa-passkey-knowledge]].

> [!warning] Do not stop here
> MFA is foundational, not a silver bullet. Attackers bypass MFA via fatigue attacks, SIM swapping, and session-token/cookie theft, and many attacks target non-identity weaknesses. Pair MFA with patching, configuration hardening, and monitoring (see enrichment on [[claim-mfa-blocks-common-attacks]]).
