How to Set Up MFA Across Your Small Business


Multi-factor authentication. You know you need it. Your insurer is demanding it. But actually rolling it out to your team? That’s where things get complicated.

I’ve helped dozens of small businesses implement MFA, and I’ve seen every mistake in the book. Let me save you some time and frustration.

Why MFA Matters (The 30-Second Version)

Passwords get stolen. They get guessed. They get reused on sites that get breached. According to the ACSC, compromised credentials are involved in over 80% of successful breaches.

MFA means that even when (not if) a password gets compromised, the attacker still can’t get in with the password alone. They’d also need the second factor - usually your phone or a hardware key.

Simple concept, massive impact.

Before You Start: What You’ll Need

An inventory of what needs protection. At minimum:

  • Email (Microsoft 365, Google Workspace, or whatever you use)
  • Accounting software (Xero, MYOB, QuickBooks)
  • Cloud storage (Dropbox, OneDrive, Google Drive)
  • Any remote access tools (VPNs, remote desktop)
  • Admin accounts for everything

A communication plan. You’re about to change how everyone logs in. Surprise your team and you’ll spend days dealing with confused, annoyed people. Give them warning.

A backup plan for lockouts. Someone’s going to lose their phone on day two. Know how you’ll handle it before it happens.

Step 1: Start With Your Own Account

Before you touch anyone else’s setup, enable MFA on your own accounts and live with it for a week. You’ll discover the quirks, the apps that don’t play nice, and the genuine inconveniences. Better to learn on yourself than on your whole team.

For Microsoft 365 (work or school account):

  1. Go to aka.ms/mfasetup (it opens My Sign-Ins > Security info)
  2. Click “Add sign-in method”
  3. Choose Microsoft Authenticator and follow the prompts to scan the QR code with your phone

Note that account.microsoft.com > Security > “Two-step verification” is the path for personal Microsoft accounts (Outlook.com, Xbox), not for your Microsoft 365 tenant. To make MFA mandatory for everyone rather than optional, an admin turns on Security Defaults in the Microsoft Entra admin center (Identity > Overview > Properties > Manage security defaults), or uses Conditional Access if your licence includes it.

For Google Workspace:

  1. Go to myaccount.google.com
  2. Click Security
  3. Under “How you sign in to Google,” click “2-Step Verification”
  4. Follow the setup wizard

To enforce it for the whole company, an admin goes to admin.google.com > Security > Authentication > 2-step verification, allows it, and then sets it to enforced after a grace period.

Step 2: Choose Your MFA Method

You’ve got options, and they’re not all equal.

Authenticator apps (recommended for most): Microsoft Authenticator, Google Authenticator, or Authy. Free, reasonably secure, works on any smartphone. They generate a six-digit code that changes every 30 seconds. One caveat: a code is only as safe as where you type it. A convincing fake login page that relays the code to the real site in real time still gets in, so phishing awareness doesn’t stop mattering once MFA is on. This is still what I recommend for most small businesses.

SMS codes: Better than nothing, but attackers can intercept SMS through SIM swapping (talking your carrier into moving your number to their SIM), and SMS codes can be phished just like app codes. Some insurers now specifically ask if you’re using SMS-only MFA and penalise you for it.

Hardware security keys: Things like YubiKeys. These are the phishing-resistant option: the key only answers the site it was registered with, so a look-alike login page gets nothing useful out of it. They’re more expensive ($50-100 per key), you need to manage physical devices, and each person needs two (a lost key with no spare is a lockout). Great for admin accounts, overkill for everyone else.

Push notifications: Some platforms let you just tap “approve” on your phone. Convenient, but beware of “MFA fatigue” attacks where an attacker who already has the password spams login attempts until an annoyed user approves one. Where the platform offers number matching (Microsoft Authenticator does this by default now), use it: the user types a number shown on the login screen into the phone, so nobody can approve a login they didn’t start.
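If your platform gives you sign-in logs, a fatigue attack has a recognisable shape after the fact: a run of denied or timed-out prompts for one user in a few minutes, often followed by a single approval. The script below is an added example for this article, not code from Microsoft, Google or the author; the log format and the accounts in it are constructed, and the three-prompts-in-ten-minutes threshold is a starting point to tune, not a vendor recommendation.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log for this example (no real tenant, users or addresses).
# Format per line: <ISO-8601 time> <user> <MFA result> <source IP>
SAMPLE_LOG = """\
2024-05-14T08:01:10Z alice@example.com mfa_denied 203.0.113.7
2024-05-14T08:01:52Z alice@example.com mfa_denied 203.0.113.7
2024-05-14T08:02:33Z alice@example.com mfa_timeout 203.0.113.7
2024-05-14T08:03:05Z alice@example.com mfa_denied 203.0.113.7
2024-05-14T08:03:48Z alice@example.com mfa_approved 203.0.113.7
2024-05-14T08:05:00Z bob@example.com mfa_approved 198.51.100.20
2024-05-14T09:10:00Z carol@example.com mfa_denied 198.51.100.21
2024-05-14T09:40:00Z carol@example.com mfa_approved 198.51.100.21
2024-05-14T10:00:00Z dave@example.com mfa_denied 198.51.100.22
2024-05-14T10:15:00Z dave@example.com mfa_denied 198.51.100.22
2024-05-14T10:30:00Z dave@example.com mfa_approved 198.51.100.22
2024-05-14T11:00:00Z erin@example.com mfa_denied 203.0.113.9
2024-05-14T11:00:40Z erin@example.com mfa_denied 203.0.113.9
2024-05-14T11:01:20Z erin@example.com mfa_timeout 203.0.113.9
"""

NOT_APPROVED = {"mfa_denied", "mfa_timeout"}


def parse_log(text):
    """Turn the raw lines into (time, user, result, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, result, ip = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, result, ip))
    return sorted(events)


def find_fatigue_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Flag each user who racked up `threshold` or more unapproved prompts inside `window`.

    An approval wipes the running count, so a few prompts spread across a morning
    are not a burst. An approval that lands straight after a burst is the pattern
    of a fatigue attack that worked, and is marked separately.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    alerts = []
    for user, user_events in by_user.items():
        pending = []      # timestamps of unapproved prompts still inside the window
        last_ip = None
        for ts, _, result, ip in user_events:
            last_ip = ip
            if result in NOT_APPROVED:
                pending = [t for t in pending if ts - t <= window]
                pending.append(ts)
            elif result == "mfa_approved":
                if len(pending) >= threshold:
                    alerts.append({"user": user, "prompts": len(pending),
                                   "approved_after_burst": True, "ip": ip})
                pending = []
        if len(pending) >= threshold:   # burst with no approval: user held out, or it is still going
            alerts.append({"user": user, "prompts": len(pending),
                           "approved_after_burst": False, "ip": last_ip})
    return alerts


if __name__ == "__main__":
    for alert in find_fatigue_bursts(parse_log(SAMPLE_LOG)):
        verdict = ("approved after burst - treat the account as compromised"
                   if alert["approved_after_burst"] else "burst, no approval - warn the user")
        print(f'{alert["user"]}: {alert["prompts"]} prompts from {alert["ip"]} ({verdict})')
```

Run as-is, it flags alice (four prompts then an approval, the classic successful fatigue attack) and erin (three prompts and no approval yet), and stays quiet about dave, whose three denials were spread over half an hour. The approval-after-burst case is the one to act on immediately: reset the password, revoke sessions, and then ask the user what happened.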

My recommendation: use authenticator apps as your default, with hardware keys for anyone with admin access.

Step 3: Prepare Your Team

Send an email at least a week before the rollout. Something like:


Subject: New login security starting [date] - what you need to do

Hi team,

Starting [date], we’re adding multi-factor authentication to [email/all our systems]. This means you’ll need to confirm logins using your phone.

Here’s what you need to do before [date]:

  1. Install Microsoft Authenticator (or Google Authenticator) on your phone
  2. Watch this 3-minute video [link to a YouTube tutorial]

On [date], I’ll walk everyone through the setup during [morning meeting/lunch/whatever works].

Why are we doing this? It’s the most effective way to prevent account hijacking, and our cyber insurance now requires it.

Questions? Let me know.


Short, clear, with specific actions. Don’t bury the important stuff in paragraphs of explanation.

Step 4: The Rollout

I strongly recommend doing this in person or over video call, not via written instructions. People have questions, things go wrong, and it’s much faster to help someone in real-time.

For a typical small business (10-30 people), set aside two hours. You probably won’t need it all, but you want the buffer.

Walk through the setup together:

  1. Everyone opens the authenticator app
  2. Everyone logs into their email
  3. The system prompts them to set up MFA
  4. They scan the QR code
  5. They test it by logging out and back in

Make sure everyone saves their recovery codes somewhere safe - in a password manager or printed and locked away, not in a note on the very phone they’d be recovering from. These are the keys to getting back in if they lose their phone.

Step 5: Handle the Inevitable Problems

“I got a new phone and forgot to transfer my authenticator.” This is the most common issue. They’ll need to use their recovery codes or contact you to reset their MFA. Make sure you have a process for verifying identity before resetting - an attacker could call pretending to be a staff member. Verify over a channel you already trust (a video call, or their manager confirming in person), never via the phone number or email address the request itself came from.

“I keep getting prompted every single time I log in.” Most systems let you “remember this device” for trusted computers. Show them how to tick that box on their own work devices - and only there, never on a shared or personal computer.

“The app isn’t giving me a code.” Check that their phone’s time is set to automatic. Authenticator apps are time-based: the code is derived from the current 30-second window, and a phone whose clock is more than a minute or so out will generate codes the server rejects.

“I left my phone at home.” This is why recovery codes exist. They should have saved them somewhere accessible. If they didn’t… well, they’ll learn for next time.

Ongoing Management

MFA isn’t a set-and-forget thing. You need a process for:

  • New employees: Part of onboarding should include MFA setup
  • Departing employees: Disable their accounts and revoke their active sessions on their last day - a session that is already signed in can outlive a disabled password
  • Lost devices: Have a verified process for resetting MFA
  • New applications: Any new system that holds sensitive data needs MFA enabled

Keep a record of who’s set up on which systems. Most admin consoles can export a report of who has registered which sign-in method; save a copy periodically. This becomes important when your insurer asks for proof of MFA implementation.

What About Apps That Don’t Support MFA?

Some older software doesn’t support modern MFA. You’ve got a few options:

  • Replace it. If the software is critical and unsupported, it’s probably time to look for alternatives anyway.
  • Put it behind a VPN with MFA. The software doesn’t have MFA, but the network access does.
  • Segment it. Keep it on an isolated network where damage is limited if it’s compromised.
  • Accept the risk. Sometimes this is the honest answer, but document it and revisit regularly.

Don’t Stop at Email

Once you’ve got email sorted, work through your other systems:

  • Accounting software
  • CRM
  • Cloud storage
  • Banking (most banks enforce this anyway)
  • Social media accounts (yes, really - hijacked business social accounts are a nightmare)

Each additional system you protect makes an attacker’s job harder.

MFA isn’t perfect security. Nothing is. But it’s the closest thing to a silver bullet we’ve got. An hour of setup headaches now could save you from a catastrophic breach later.

Get it done.