Skip to Content

Setting Up MFA Step-by-Step

Setting Up MFA Step-by-Step

two factor authentication phone app

Photo by Zulfugar Karimov on Pexels

This lesson provides step-by-step instructions for enabling MFA on the most common small business platforms. If you get stuck, contact Beawit Consulting at 360-399-6834 for assistance.

Enabling MFA in Microsoft 365

Microsoft 365 is the most common business email platform. Here is how to enable MFA for all users:

  1. Log in to the admin center — Go to admin.microsoft.com and sign in with your admin account
  2. Navigate to Active Users — In the left menu, click Users > Active Users
  3. Enable MFA for all users — Click "Multi-factor authentication" at the top, select all users, click "Enable"
  4. Enforce MFA — After enabling, click "Enforce" to require MFA on next login
  5. Configure security defaults — Go to Azure Active Directory > Properties > Manage Security Defaults > Enable. This automatically requires MFA for all users and blocks legacy authentication

Each user will be prompted to set up MFA on their next login. They should:

  1. Download Microsoft Authenticator app on their phone
  2. Open the app and add a new account
  3. Scan the QR code shown on screen
  4. Verify by entering the 6-digit code from the app
  5. Save the backup codes provided — store them in a password manager or printed copy in a sealed envelope

Important: Users MUST save their backup codes. If they lose their phone and have no backup codes, they will be locked out of their account. Recovery requires admin intervention and can take 24-48 hours.

Enabling MFA in Google Workspace

  1. Log in to Admin Console — Go to admin.google.com
  2. Navigate to Security — Click Security > Authentication > 2-Step Verification
  3. Enforce 2SV for all users — Select your organization, set 2-Step Verification to "On" and "Enforce"
  4. Set a grace period — Give users 7-14 days to enroll before enforcement kicks in

Each user should:

  1. Go to myaccount.google.com > Security
  2. Click "2-Step Verification" and get started
  3. Choose "Authenticator app" as the primary method
  4. Scan the QR code with Google Authenticator
  5. Save backup codes securely

Enabling MFA on Other Common Platforms

QuickBooks Online

  1. Go to QuickBooks Online > Account > Security
  2. Click "Turn on 2-step verification"
  3. Enter phone number and verify
  4. Choose authenticator app as primary method for better security

Banking and Financial Accounts

Most banks now offer MFA. Log in to each banking portal, look for "Security" or "Two-factor authentication" in account settings. Enable it on every financial account — this is critical.

Social Media (LinkedIn, Facebook, Instagram)

Business social media accounts are targets for brand impersonation. Enable MFA in each platform's security settings. Use authenticator apps, not SMS.

Handling the "Lost Phone" Scenario

This is the number one objection to MFA: "What if I lose my phone?" Plan for it:

  • Backup codes — Every platform provides one-time backup codes during MFA setup. Print them and store in a locked location. One code gets you in when your phone is unavailable.
  • Secondary authenticator — Install the authenticator app on a second device (tablet) as backup
  • Admin reset — Your IT admin (or Beawit Consulting) can temporarily disable MFA to let you back in and re-enroll a new device

Common MFA Problems and Solutions

Problem: "Users complain about the extra step"

Solution: Explain that MFA takes 5 seconds and prevents 99.9% of account takeovers. Compare it to wearing a seatbelt — minor inconvenience, major protection. Most authenticator apps also support push notifications (approve/deny) which is even faster than typing a code.

Problem: "Users keep losing backup codes"

Solution: Store backup codes in a company password manager (like Bitwarden) under a shared vault that the admin can access. This way, lost backup codes are recoverable without contacting the platform.

Problem: "Legacy applications cannot do MFA"

Solution: Legacy apps that use basic authentication (like old email clients or accounting software) cannot handle MFA. Replace them with modern alternatives, or use app passwords (one-time passwords that bypass MFA for specific apps). App passwords are less secure but better than no MFA on everything else.

Key Takeaways

  • MFA setup takes 5 minutes per user — the investment is tiny compared to the protection
  • Always use authenticator apps over SMS when available
  • Backup codes are mandatory — store them securely before users need them
  • Enable MFA on email first, then remote access, then cloud apps, then admin accounts
  • Plan for the lost-phone scenario before it happens

Setting Up MFA Step-by-Step

This lesson provides step-by-step instructions for enabling MFA on the most common small business platforms. If you get stuck, contact Beawit Consulting at 360-399-6834 for assistance.

Enabling MFA in Microsoft 365

Microsoft 365 is the most common business email platform. Here is how to enable MFA for all users:

  1. Log in to the admin center — Go to admin.microsoft.com and sign in with your admin account
  2. Navigate to Active Users — In the left menu, click Users > Active Users
  3. Enable MFA for all users — Click "Multi-factor authentication" at the top, select all users, click "Enable"
  4. Enforce MFA — After enabling, click "Enforce" to require MFA on next login
  5. Configure security defaults — Go to Azure Active Directory > Properties > Manage Security Defaults > Enable. This automatically requires MFA for all users and blocks legacy authentication

Each user will be prompted to set up MFA on their next login. They should:

  1. Download Microsoft Authenticator app on their phone
  2. Open the app and add a new account
  3. Scan the QR code shown on screen
  4. Verify by entering the 6-digit code from the app
  5. Save the backup codes provided — store them in a password manager or printed copy in a sealed envelope

Important: Users MUST save their backup codes. If they lose their phone and have no backup codes, they will be locked out of their account. Recovery requires admin intervention and can take 24-48 hours.

Enabling MFA in Google Workspace

  1. Log in to Admin Console — Go to admin.google.com
  2. Navigate to Security — Click Security > Authentication > 2-Step Verification
  3. Enforce 2SV for all users — Select your organization, set 2-Step Verification to "On" and "Enforce"
  4. Set a grace period — Give users 7-14 days to enroll before enforcement kicks in

Each user should:

  1. Go to myaccount.google.com > Security
  2. Click "2-Step Verification" and get started
  3. Choose "Authenticator app" as the primary method
  4. Scan the QR code with Google Authenticator
  5. Save backup codes securely

Enabling MFA on Other Common Platforms

QuickBooks Online

  1. Go to QuickBooks Online > Account > Security
  2. Click "Turn on 2-step verification"
  3. Enter phone number and verify
  4. Choose authenticator app as primary method for better security

Banking and Financial Accounts

Most banks now offer MFA. Log in to each banking portal, look for "Security" or "Two-factor authentication" in account settings. Enable it on every financial account — this is critical.

Social Media (LinkedIn, Facebook, Instagram)

Business social media accounts are targets for brand impersonation. Enable MFA in each platform's security settings. Use authenticator apps, not SMS.

Handling the "Lost Phone" Scenario

This is the number one objection to MFA: "What if I lose my phone?" Plan for it:

  • Backup codes — Every platform provides one-time backup codes during MFA setup. Print them and store in a locked location. One code gets you in when your phone is unavailable.
  • Secondary authenticator — Install the authenticator app on a second device (tablet) as backup
  • Admin reset — Your IT admin (or Beawit Consulting) can temporarily disable MFA to let you back in and re-enroll a new device

Common MFA Problems and Solutions

Problem: "Users complain about the extra step"

Solution: Explain that MFA takes 5 seconds and prevents 99.9% of account takeovers. Compare it to wearing a seatbelt — minor inconvenience, major protection. Most authenticator apps also support push notifications (approve/deny) which is even faster than typing a code.

Problem: "Users keep losing backup codes"

Solution: Store backup codes in a company password manager (like Bitwarden) under a shared vault that the admin can access. This way, lost backup codes are recoverable without contacting the platform.

Problem: "Legacy applications cannot do MFA"

Solution: Legacy apps that use basic authentication (like old email clients or accounting software) cannot handle MFA. Replace them with modern alternatives, or use app passwords (one-time passwords that bypass MFA for specific apps). App passwords are less secure but better than no MFA on everything else.

Key Takeaways

  • MFA setup takes 5 minutes per user — the investment is tiny compared to the protection
  • Always use authenticator apps over SMS when available
  • Backup codes are mandatory — store them securely before users need them
  • Enable MFA on email first, then remote access, then cloud apps, then admin accounts
  • Plan for the lost-phone scenario before it happens
Rating
0 0

There are no comments for now.

to be the first to leave a comment.