SMS-based two-factor was a great upgrade in 2010. In 2026 it's the weakest version of MFA. Here's what to use instead.
Two-factor authentication (the bit where the site sends you a code after your password) was a massive security upgrade when it became mainstream around 2010. SMS-based 2FA is now the weakest version of it — strong enough to keep out the lazy attacker, weak enough to fall to anyone with a moderate budget. An authenticator app fixes this for free.
A SIM swap is when someone walks into a Telstra/Optus/Vodafone store with fake ID and convinces the staff to port your phone number to their new SIM. Your phone stops receiving SMS; theirs starts. They now receive all your 2FA codes. About 2,000 SIM swaps succeed in Australia each year, and far more are attempted.
SMS is a 1980s protocol. The text of your codes is visible to your carrier and (in some cases) to a sophisticated attacker on the same cellular network. Authenticator app codes never leave your phone — they're generated locally.
If your phone is in a dead zone, you don't get the code. If you're roaming overseas, you might not get the code. If the carrier has issues, you don't get the code. Authenticator codes work offline, instantly, anywhere.
All three are free. Microsoft Authenticator is the right choice if you have M365 (it handles passwordless sign-in to M365 natively, no code typing). Google Authenticator works for any 2FA-enabled site. 1Password's built-in 2FA generator is convenient if you already pay for 1Password. Pick one, use it for everything.
Pick your most important accounts first — bank, email, M365, password manager. In each one's security settings, look for 'Two-Factor Authentication' or '2-Step Verification' or 'Security Keys'. Switch from SMS to 'Authenticator app'. The site shows a QR code. Scan with your authenticator app. The app starts generating six-digit codes that change every 30 seconds. Done.
Passkeys are an even newer standard that eliminates the password entirely — your phone's biometric authentication IS the login. Apple, Google, Microsoft all support them. Banks, M365, big SaaS all support them. Where passkeys are offered, take them — they're stronger than passwords + 2FA combined.
MFA is the single biggest defensive upgrade you can make. Pair it with the rest.
whedo.it deploys Microsoft Authenticator + Conditional Access policies for managed M365 clients as part of the security baseline. Phishing-resistant MFA across every user, no user training required, the rollout itself is invisible. Worth a chat.
I built this business because I wanted to do managed services properly — for a small number of clients, at a senior level, with the same person on the end of the phone every time. The work is too important and the stakes are too high for anything less.
Behind the formal qualifications: a Cyber Security degree from the University of the Sunshine Coast, currently working on my Master’s, plus a continuous stack of Microsoft, Acronis and Nerdio certifications — the ones that have to be renewed because the threats don’t stay still.
Behind the certifications: thirty years of doing the work. I cut my teeth in consulting, then went to Cisco on the team building the original iPhone — Cisco’s VoIP handset, the trademark Apple later acquired in the 2007 settlement. At TPG in 1999 I sold frame-relay networks when frame-relay was the cutting edge of business connectivity. I built and sold a Sydney-based MSP called Online IT before relocating to Perth.
Three decades of watching what’s actually changed and what hasn’t. The technology has changed almost beyond recognition. The principles haven’t. Identity first. Backup that has actually been tested. A senior practitioner who knows your environment. Calm in an incident. Honest answers when the answer is “no.”
That’s whedo.it. That’s the brief. That’s why long-tenure clients don’t leave.
— Warren Ephron, Director