Multi Factor Authentication - The Second Lock That Could Protect Your Organisation
July 6, 2026

Cyber criminals are constantly looking for the easiest way into your systems, and unfortunately, passwords alone are no longer enough. 

Even strong passwords can be compromised through phishing emails, data breaches, malware or social engineering attacks. Once a criminal has your password, gaining access to email, cloud platforms, financial systems and sensitive information can be alarmingly straightforward. 

 

This is where Multi Factor Authentication (MFA) becomes one of the most effective cyber security controls available. Think of it as a second lock on your front door: a stolen password may open the first, but MFA prevents criminals from walking straight in. 

What is Multi-Factor Authentication? 

MFA, sometimes referred to as Two- Factor Authentication (2FA), requires users to provide two or more forms of verification before gaining access to an account. Rather than relying on a password alone, it adds a second layer of protection through something you know, something you have, or something you are. 

 

Common methods include a mobile phone approval notification, a code from an authenticator app, a fingerprint or facial recognition, or a physical security key. Even if a cyber-criminal obtains your password, they will typically be unable to log in without that second factor. 

A Real-World Example: The CEO Fraud Attempt


Consider this scenario. An employee receives what appears to be an urgent email from the CEO requesting payroll information. It looks genuine and creates a sense of urgency. 



What the employee does not know is that a cyber-criminal had already stolen their password earlier in the week through a phishing attack. 

 

That evening, the attacker attempts to log in to the organisation's Microsoft Office 365 environment using the employee's credentials. They’re correct. Normally that would be enough. 

 

However, the organisation has MFA enabled. 

 

Instead of granting access, Microsoft sends a sign in approval request to the employee's phone. The employee, not attempting to log in and not expecting a notification, immediately recognises something is wrong. They deny the request and report it to their IT team. The compromised password is reset before the attacker can reach any systems or information. 

 

In this case, MFA didn’t just stop the attacker, it alerted the employee that someone was actively attempting to access their account, giving the organisation time to respond before any damage occurred. 


What could have happened without MFA? 

Without MFA, the attacker would have gained immediate access to the employee's account. 


Within minutes, they could have: 


  • Read emails and internal conversations 
  • Accessed payroll or customer information 
  • Sent convincing emails from the employee's account 
  • Requested fraudulent payments from Finance 
  • Reset passwords to other connected systems 
  • Distributed phishing emails internally to compromise additional staff


What starts as a single stolen password can quickly escalate into financial loss, data breaches, regulatory reporting obligations and lasting reputational damage. Many significant cyber incidents begin with nothing more than a compromised username and password. 

Why it matters for your organisation


Every organisation relies on digital systems - mail platforms, cloud applications, payroll, customer databases and collaboration tools all contain information that cyber criminals actively seek to exploit. MFA is one of the simplest, most cost effective security measures available, and the Australian Cyber Security Centre (ACSC) identifies it as one of the most effective controls organisations can implement to prevent unauthorised access. 

 

Whether you’re part of a large organisations, a school, a not-for-profit or a small business, MFA significantly reduces the likelihood of a breach – even when passwords have already been stolen.

Don’t forget your personal accounts 

Cyber security is not just an organisational responsibility. Individuals should also enable MFA wherever possible, particularly for: 

  • Email accounts 
  • Online banking 
  • Social media 
  • Cloud storage 
  • Government services 
  • Shopping and payment platforms 

 

Your email account is often the gateway to your digital life. If a cyber-criminal gains access, they may be able to reset passwords across other accounts and commit identity fraud. Enabling MFA takes only a few minutes and make a significant difference. 

Setting up MFA with CDF 


CDF has developed a practical guide to setting up Multi-Factor Authentication on your CDF Online account. If you haven’t already done so, we encourage you to take this step today. 

Set up MFA on your CDF Online account

You may also find these resources helpful: 

 

A single password should never be the only thing standing between a cyber-criminal and your organisation. 


If you have any concerns about the security of your CDF accounts or suspect unauthorised activity, please contact us today. 

Share this article:

Related articles

July 1, 2026
Announcement: 1 July 2026
June 22, 2026
Shining bright in crisp autumn sun, the colourful playground at St Agatha’s Catholic Primary School in Cranbourne stands quietly in peaceful silence until a sudden burst of upbeat music signals the beginning of recess and students stream out into the fresh air and sunshine with squeals of laughter and delight. Walking into this heartening scene, Principal Michelle Bruitzman is quick to greet students who surge around her with a smile. Celebrating its fiftieth year in 2026, St Agatha’s has been a keystone in the lives of thousands of families since it was established in 1976. “ We have students whose parents and grandparents went here as well as children of families newly arrived from all over the world ,” says Michelle.
June 17, 2026
Catholic communities across western Victoria came together from 25 to 29 May 2026 to celebrate Diocese of Ballarat Catholic Education Ltd (DOBCEL) Catholic Education Week, gathering under the theme "Peace be with you all" (Romans 15:33) to reflect on the faith, learning and belonging that lie at the heart of Catholic education. Schools across the Diocese embraced the week in ways that reflected their own unique character; liturgies, prayer experiences, student-led activities and acts of hospitality brought students, families and staff together in celebration. A highlight was the historic Mass celebrated at Sovereign Hill's recreated St Alipius Tent Church for the first time since COVID, connecting today's students and educators with the rich heritage of Catholic education in Ballarat.
More

CDPF Limited, a company established by the Australian Catholic Bishops Conference, has indemnified the Catholic Development Fund ABN 15 274 943 760 (the Fund) against any liability arising out of a claim by investors in the Fund. In practice, this means your investment is backed by the assets of the Catholic Archdiocese of Melbourne. The Fund is required by law to make the following disclosure. Investment in the Fund is only intended to attract investors whose primary purpose for making their investment is to support the charitable purposes of the Fund. Investors’ funds will be used to generate a return to the Fund that will be applied to further the charitable works of the Archdiocese of Melbourne and the Dioceses of Sale and Bunbury. The Fund is not prudentially supervised by the Australian Prudential Regulation Authority nor has it been examined or approved by the Australian Securities and Investments Commission (ASIC). An investor in the Fund will not receive the benefit of the financial claims scheme or the depositor protection provisions in the Banking Act 1959 (Cth). The investments that the Fund offers are not subject to the usual protections for investors under the Corporations Act (Cth) or regulation by ASIC. Investors may be unable to get some or all of their money back when the investor expects or at all and investments in the Fund are not comparable to investments with banks, finance companies or fund managers. The Fund’s identification statement may be viewed here or by contacting the Fund. The Fund does not hold an Australian Financial Services Licence.