
How to Set Up Multi-Factor Authentication for Your Small Business

Step-by-step guide to enabling MFA across Microsoft 365, Google Workspace, and key business apps to stop account takeovers.

J.D. Sweeney, April 21, 2026

Account takeover is the most common way small businesses get breached. An employee clicks a phishing link, their Microsoft 365 or Google Workspace password lands on a criminal’s list, and within hours the attacker is reading emails, forwarding invoices, and impersonating the business owner. Multi-factor authentication (MFA) stops the vast majority of these attacks cold — even if the password is compromised, the attacker can’t log in without the second factor.

Despite this, many small businesses still haven’t enabled MFA for everyone. This guide covers the practical steps to roll it out across your most important accounts.

What MFA Actually Does

When you log in with only a password, that’s one factor (something you know). MFA requires a second factor from a different category:

  • Something you have — an authenticator app on your phone, a hardware security key
  • Something you are — biometrics (fingerprint, face ID)

The most practical second factor for business users is an authenticator app like Microsoft Authenticator, Google Authenticator, or Authy. These apps generate a 6-digit time-based one-time password (TOTP) that changes every 30 seconds. Even if an attacker has your username and password, they can’t log in without the current code from your phone.

SMS text message codes are better than nothing but weaker than an app — SIM-swapping attacks and SS7 vulnerabilities can intercept SMS codes. Use an authenticator app whenever the platform supports it.

Step 1: Enable MFA in Microsoft 365

Microsoft 365 (formerly Office 365) is the most common email and productivity platform in small businesses, and it’s a primary target for credential attacks.

Microsoft’s “Security Defaults” setting enables MFA for all users with a single toggle. It’s free, requires no Azure AD licensing, and is the fastest way to protect a small organization.

  1. Sign in to the Microsoft Entra admin center as a Global Administrator
  2. Go to Identity > Overview > Properties
  3. Click Manage security defaults
  4. Set the toggle to Enabled and click Save

After enabling this, users will be prompted to register MFA on their next sign-in. They’ll be guided through setting up the Microsoft Authenticator app.

What Security Defaults enforces:

  • All users must register for MFA within 14 days
  • MFA is required at every sign-in for administrator accounts
  • MFA is required for all users when a sign-in looks risky (unusual location, unfamiliar device)
  • Legacy authentication protocols (IMAP, POP3, SMTP AUTH without modern auth) are blocked

Using Conditional Access (Microsoft 365 Business Premium Required)

If you have Microsoft 365 Business Premium or above, Conditional Access policies give you more granular control — requiring MFA from outside the office network while skipping it for known trusted IPs.

  1. In Entra admin center, go to Protection > Conditional Access
  2. Create a new policy, target All users
  3. Under Conditions, configure location exclusions if needed
  4. Under Grant, select Require multi-factor authentication
  5. Set the policy to On and save

Conditional Access is worth the extra setup time for organizations with 10+ users or compliance requirements.

Step 2: Enable MFA in Google Workspace

If your business uses Gmail and Google Workspace instead of Microsoft, the process is slightly different.

  1. Sign in to the Google Admin console as a Super Admin
  2. Go to Security > Authentication > 2-Step Verification
  3. Set Allow users to turn on 2-Step Verification to on
  4. To require it (rather than just allow it): set Enforcement to On for the entire organization or specific organizational units

After enabling enforcement, give users a grace period (2–4 weeks recommended) to enroll before the deadline kicks in. Users enroll at myaccount.google.com/security.

For stronger protection, Google Workspace supports hardware security keys (FIDO2). Under the 2-Step Verification settings, you can require hardware keys for specific high-risk users like administrators.

Step 3: Protect Other High-Value Business Accounts

Microsoft 365 and Google Workspace are the biggest targets, but other accounts matter too:

Your domain registrar. If an attacker takes over your domain registrar account, they can redirect your email, steal your domain, and impersonate your business completely. Enable MFA at GoDaddy, Namecheap, Cloudflare, or wherever your domain is registered.

Your bank and financial accounts. Most banks offer MFA. Enable it everywhere, and prefer authenticator apps over SMS when available.

QuickBooks, payroll, and accounting software. These contain employee data and bank routing numbers — high-value targets. Intuit, Gusto, and most payroll providers support MFA.

Your website hosting and DNS. A compromised hosting panel can inject malware into your website. Enable MFA for cPanel, Plesk, WP Engine, or whatever control panel you use.

Any SaaS tool where contracts, customer data, or payments are stored. Salesforce, HubSpot, Shopify, and most business SaaS tools support MFA. Check each platform’s security settings.

Step 4: Deploy an Authenticator App to Your Team

Rolling out MFA to employees works best when they have clear instructions before they hit the enrollment prompt.

Recommended apps:

  • Microsoft Authenticator — best choice if you’re on Microsoft 365; supports push notifications (tap Approve instead of typing a code)
  • Google Authenticator — straightforward TOTP, works on any platform
  • Authy — supports multi-device sync and encrypted backup, good for users who frequently switch phones

What to tell employees:

  1. Download the authenticator app from the App Store or Google Play
  2. When prompted by Microsoft/Google, open the app and scan the QR code shown on screen
  3. The app will show a 6-digit code — enter it to complete registration
  4. Going forward, after entering your password you’ll be prompted to approve a push notification in the app or type the 6-digit code

Backup codes. During enrollment, both Microsoft and Google offer a set of single-use backup codes. Employees should print these and store them somewhere safe (not their email inbox). If they lose their phone, backup codes are the recovery path.

Step 5: Handle Common Objections and Edge Cases

“I don’t have a smartphone.” Hardware security keys (FIDO2) like YubiKey work via USB or NFC and don’t require a phone. They’re more secure than app-based MFA and cost around $25–55 each.

“What if someone loses their phone?” This is the most common MFA support scenario. Have a process defined before it happens:

  • Admins can require re-enrollment or bypass MFA for a single sign-in via the admin console
  • Backup codes (distributed at enrollment) can cover the employee until a new device is set up

Shared accounts. MFA is harder on shared logins. The right answer is to eliminate shared accounts — give each employee their own credentials. For systems that force a single login, a hardware key stays on-premises and doesn’t require a personal phone.

Service accounts and automated connections. Automated scripts, integrations, and service accounts that use basic authentication will break when you enable MFA or block legacy protocols. Audit these before enforcing MFA, and convert them to OAuth, app passwords, or service principals as needed. Microsoft 365’s admin center shows a report of legacy auth usage to help identify what needs conversion.

What MFA Won’t Stop

MFA is powerful but not a complete defense. Adversary-in-the-middle (AiTM) phishing attacks can steal session cookies after an MFA-authenticated login, bypassing MFA entirely. Conditional Access policies that check device compliance and block session token replay are the next layer of defense.

MFA also doesn’t protect against malware on the device itself, or against users who approve MFA prompts without reading them (MFA fatigue attacks). Brief your team: never approve an MFA prompt you didn’t initiate, and if you receive a suspicious prompt, change your password immediately.

But for most small business threat models — opportunistic credential stuffing, phishing campaigns, breached password lists — MFA alone stops the attack. It is the highest-return security investment available, and it costs nothing.
