How to Implement MFA Across Your Business in One Afternoon (Complete Guide)
A patient died at Synnovis because multi-factor authentication was not enabled. Free controls. Minutes to implement. Catastrophic consequences when ignored.
You do not want to be the next case study. Here is your complete, practical guide to implementing MFA across your business. Today. Right now.
I am going to assume you have no cybersecurity background. I am writing this for the business owner who knows MFA is important but has no idea where to start. By the end of this guide, your organisation will have multi-factor authentication enabled on every critical system.
Let us get started.
Part 1: What You Are Actually Doing
Before we dive into configuration screens, let me explain what we are accomplishing.
Current situation: Your staff log in with just a username and a password. If those credentials are stolen (phishing, data breach, malware), attackers can log in as your staff and you will never know until it is too late.
After MFA: Your staff log in with a username, password, and a second factor (usually a code sent to their phone). Even if credentials are stolen, attackers cannot log in without physical access to your staff’s phones.
This is not theoretical protection. This is “Qilin ransomware gang cannot get into your systems even with stolen passwords” protection.
Part 2: The Four-Hour Implementation Plan
Here is the timeline:
Hour 1: Audit your systems and plan your approach
Hour 2: Configure MFA on your primary platform (Microsoft 365 or Google Workspace)
Hour 3: Enable MFA on critical secondary systems
Hour 4: Staff training and documentation
If you have more than 50 employees, add an extra hour for coordination. Otherwise, this is genuinely achievable in a single afternoon.
Hour 1: System Audit and Planning
Step 1: Create Your Systems Inventory
Open a spreadsheet. Create these columns:
- System Name
- What It Does
- Who Uses It
- Admin Access (Who has it?)
- MFA Available (Yes/No/Unknown)
- MFA Enabled (Yes/No)
- Priority (Critical/High/Medium/Low)
Now list every system your business uses that requires a login:
- Email platform (Microsoft 365, Google Workspace)
- Accounting software (Xero, QuickBooks, Sage)
- CRM system (Salesforce, HubSpot, Zoho)
- Cloud storage (Dropbox, OneDrive, Google Drive)
- HR systems (BambooHR, Breathe, Ciphr)
- Payment processing (Stripe, PayPal, Square)
- Website hosting control panel
- Domain registrar
- Social media management tools
- Any industry-specific software
Do not skip anything. Every login is a potential attack vector.
Step 2: Prioritise Your Systems
Mark priority as follows:
Critical (Do Today):
- Email platforms (highest priority)
- Financial systems
- Systems with customer data
- Administrative accounts
High (Do This Week):
- Cloud storage
- HR systems
- Website control panels
Medium (Do Within Two Weeks):
- Social media tools
- Project management software
- Communication tools
Low (Do Within Month):
- Systems with limited data access
- Read-only tools
- Non-critical services
Step 3: Choose Your MFA Method
You have three options:
Authenticator Apps (Recommended for Most)
- Free apps on staff phones
- Generate time-based codes
- Work offline
- Easy to use once set up
Examples: Microsoft Authenticator, Google Authenticator, Authy
Hardware Security Keys (Maximum Security)
- Physical USB devices
- Cost approximately £25 per user
- Cannot be remotely compromised
- Best for high-security environments
Examples: YubiKey 5 NFC, Titan Security Key
SMS Codes (Avoid If Possible)
- Codes sent via text message
- Vulnerable to SIM swapping
- Better than nothing, but not ideal
For most small businesses, I recommend starting with authenticator apps. They are free, secure, and user-friendly once staff get used to them.
Hour 2: Configure Your Primary Platform
Most businesses run either Microsoft 365 or Google Workspace for email. We will tackle both.
Microsoft 365 MFA Setup
Prerequisites:
- Global Administrator access
- List of all users
- 30 minutes
Step-by-Step Process:
- Go to the Microsoft 365 admin centre: https://admin.microsoft.com
- Navigate to: Users > Active users
- At the top of the page, click: Multi-factor authentication
- This opens the multi-factor authentication page showing all your users
- Select the users you want to enable MFA for (start with admins, then roll out to everyone)
- In the right-hand panel under “quick steps,” click Enable
- A popup will appear warning you about the change. Click enable multi-factor auth
- Users will now be required to set up MFA the next time they log in
To Configure Per-User Settings:
- Select a user and click service settings
- Under “verification options,” I recommend enabling:
  - Notification through mobile app
  - Verification code from mobile app
  - Call to phone (backup only)
- Disable “Text message to phone” if possible (unless users specifically need it)
To Enforce MFA Organisation-Wide (Recommended):
- Go to Azure Active Directory admin centre: https://aad.portal.azure.com
- Navigate to: Security > Conditional Access
- Click + New policy
- Name it: “Require MFA for All Users”
- Under Assignments > Users:
  - Include: All users
  - Exclude: Create an emergency admin break-glass account
- Under Assignments > Cloud apps:
  - Select: All cloud apps
- Under Access controls > Grant:
  - Select: Require multi-factor authentication
- Set “Enable policy” to On
- Click Create
This enforces MFA for all users across all Microsoft services.
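The portal steps above produce a Conditional Access policy object. The following is an added example (not Microsoft's code and not part of the original guide) that builds the same policy as the JSON body the Microsoft Graph API accepts for `POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`, and refuses to build it unless a break-glass account is excluded. It also lints an existing policy against the settings recommended above. The break-glass object ID is a placeholder; the field names follow the Graph conditionalAccessPolicy resource.

```python
"""Added example (not Microsoft's code): build the 'Require MFA for All Users'
Conditional Access policy as a Graph API request body, and check that an
existing policy matches the recommended settings."""
import json

# Real endpoint for creating Conditional Access policies via Microsoft Graph.
GRAPH_CA_POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# PLACEHOLDER object ID, not a real account. Replace with your break-glass account's ID.
BREAK_GLASS_ID = "00000000-0000-0000-0000-000000000000"


class PolicyError(ValueError):
    """Raised when a policy would be unsafe to create."""


def build_mfa_policy(break_glass_ids, display_name="Require MFA for All Users", enabled=True):
    """Return the policy body for the Graph API.

    Raises PolicyError if no break-glass account is excluded: an all-users,
    all-apps MFA policy with no exclusion can lock every administrator out
    if the MFA service or every admin's device is unavailable.
    """
    ids = [i for i in break_glass_ids if i]
    if not ids:
        raise PolicyError("refusing to build an all-users MFA policy without a break-glass exclusion")
    return {
        "displayName": display_name,
        "state": "enabled" if enabled else "disabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ids},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def check_policy(policy):
    """Lint a policy dict (for example one fetched back from the same endpoint).

    Returns a list of findings; an empty list means the policy matches the
    settings the guide recommends.
    """
    findings = []
    conditions = policy.get("conditions", {})
    users = conditions.get("users", {})
    apps = conditions.get("applications", {})
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    if users.get("includeUsers") != ["All"]:
        findings.append("policy does not target all users")
    if not users.get("excludeUsers"):
        findings.append("no break-glass account excluded")
    if apps.get("includeApplications") != ["All"]:
        findings.append("policy does not cover all cloud apps")
    if "mfa" not in controls:
        findings.append("grant control does not require MFA")
    if policy.get("state") != "enabled":
        findings.append("policy is not enabled")
    return findings


if __name__ == "__main__":
    policy = build_mfa_policy([BREAK_GLASS_ID])
    print("POST", GRAPH_CA_POLICIES_URL)
    print(json.dumps(policy, indent=2))
    print("findings:", check_policy(policy))
```

The lint is worth running against every MFA policy already in the tenant, not only the one you create today: a policy in report-only state or one that excludes a whole group is the usual reason an organisation believes it has MFA enforced when it does not.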
Google Workspace MFA Setup
Prerequisites:
- Super Admin access
- List of all users
- 30 minutes
Step-by-Step Process:
- Go to Google Admin console: https://admin.google.com
- Navigate to: Security > Authentication > 2-Step Verification
- Check the box: Allow users to turn on 2-Step Verification
- To enforce for everyone, check: Enrollment
- Set enforcement date (I recommend 7 days from now to allow preparation)
- Uncheck: Allow users to trust their device
- Click Save
To Configure Methods:
- In the same menu, scroll to 2-Step Verification methods
- Enable:
  - Google prompts (easiest for users)
  - Security keys
  - Google Authenticator
- Consider disabling SMS if your organisation can manage without it
To Enforce Immediately for Admins:
- Navigate to: Security > Authentication > 2-Step Verification
- Scroll to Enforcement rules
- Create a new rule targeting your admin organisational unit
- Set enforcement to On with immediate effect
- Admins will be required to enroll immediately
Hour 3: Enable MFA on Secondary Systems
Now work through your spreadsheet systematically.
General Process for Most SaaS Applications:
- Log in as administrator
- Go to Settings > Security (or similar)
- Look for “Two-Factor Authentication,” “2FA,” or “Multi-Factor Authentication”
- Enable it for your account first (to test)
- Configure organisation-wide policies if available
- Document the process for your staff
System-Specific Guides:
Xero:
- Settings > Security
- Enable two-factor authentication
- Download authenticator app
- Scan QR code
- Enter verification code
Salesforce:
- Setup > Identity > Multi-Factor Authentication
- Enable “Require multi-factor authentication for all users”
- Configure authentication methods
Dropbox Business:
- Admin console > Settings > Authentication
- Enable “Require two-step verification for all members”
- Set enforcement date
WordPress: Install a plugin like Wordfence or iThemes Security that adds MFA capability. Configure in the plugin settings.
What If a Service Does Not Have MFA?
If a critical service does not offer MFA, you have three options:
- Use Single Sign-On (SSO): Link the service to your Microsoft 365 or Google Workspace account, so MFA is enforced at the SSO level
- Demand It: Contact the vendor and tell them you require MFA. If enough customers demand it, vendors will add it
- Replace the Service: If a critical service does not offer basic security in 2025, they are not taking security seriously. Find a competitor who does.
Hour 4: Staff Training and Documentation
Your staff need to understand why you are doing this and how to use their new authentication method.
Create a Simple Staff Guide
Use this template:
IMPORTANT SECURITY UPDATE: Multi-Factor Authentication
What is changing?
Starting [DATE], you will need two things to log into your work accounts:
- Your password (as usual)
- A code from an app on your phone (new)
Why are we doing this?
We are protecting our business and your personal information. Even if someone steals your password, they cannot log in without your phone. This prevents the type of ransomware attack that killed a patient at an NHS facility earlier this year.
What you need to do:
- Download an authenticator app on your phone:
  - iPhone: Microsoft Authenticator or Google Authenticator
  - Android: Microsoft Authenticator or Google Authenticator
- Next time you log into your email, you will be asked to set up MFA
- Follow the on-screen instructions to scan a QR code with your app
- Save the backup codes somewhere safe (not on your phone)
How it works:
- Enter your username and password as usual
- Your phone app will show a 6-digit code
- Enter that code
- You are logged in
The code changes every 30 seconds, so even if someone sees it, it will not work later.
What if I lose my phone?
Contact IT immediately. We have backup methods to recover your account. This is why backup codes are important - store them somewhere safe.
Questions?
Contact [IT CONTACT] for help.
Conduct a Brief Training Session
Gather staff (or do a video call) and:
- Explain why you are implementing MFA (use the Synnovis case)
- Show them how to download the authenticator app
- Walk through the first-time setup process
- Demonstrate daily use
- Explain what to do if they lose their phone
- Answer questions
This needs to be 15-20 minutes maximum. Do not over-complicate it.
Create Backup Procedures
Establish clear procedures for:
Lost Phones:
- Who to contact
- How quickly you can restore access
- Temporary backup authentication methods
New Staff:
- MFA setup included in onboarding
- Who configures their accounts
- Testing before their first day
Departing Staff:
- Remove MFA devices immediately when staff leave
- Revoke all authentication tokens
Part 3: The First Week After Implementation
Expect Some Friction
The first week will involve:
- Staff forgetting their phones
- Questions about how to use the authenticator app
- Complaints about the extra login step
- Technical issues with some devices
This is normal. Be patient. The inconvenience is minimal compared to the protection gained.
Monitor Adoption
Check your admin dashboards to verify:
- Percentage of users with MFA enabled
- Failed authentication attempts (potential issues or attack attempts)
- Users requesting help or backup codes
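If your admin console can export a user list and sign-in logs, the three checks above can be scripted rather than eyeballed. The following is an added example, not part of the original guide: it runs over a constructed user export and constructed sign-in log lines (the column names and line format are invented for illustration; adapt them to what your console actually exports), reports the adoption percentage and who is missing, and flags accounts with repeated failed sign-ins, with the worst case being an account that is both unprotected and being hammered.

```python
"""Added example (not from the original guide): MFA adoption and failed sign-in
report over constructed data. Formats are invented; adapt to your console's export."""
import csv
import io
from collections import Counter

# Constructed user export: one row per user with MFA registration status.
USERS_CSV = """\
user,department,mfa_registered
alice@example.co.uk,Finance,yes
bob@example.co.uk,Sales,no
carol@example.co.uk,IT,yes
dave@example.co.uk,Sales,no
erin@example.co.uk,Finance,yes
"""

# Constructed sign-in log: "<timestamp> <user> <result>" per line.
SIGNIN_LOG = """\
2025-06-02T08:01:10Z alice@example.co.uk success
2025-06-02T08:02:44Z bob@example.co.uk failure
2025-06-02T08:02:51Z bob@example.co.uk failure
2025-06-02T08:03:05Z bob@example.co.uk failure
2025-06-02T08:03:20Z bob@example.co.uk failure
2025-06-02T08:03:41Z bob@example.co.uk failure
2025-06-02T08:10:00Z carol@example.co.uk success
2025-06-02T08:12:30Z dave@example.co.uk failure
2025-06-02T08:14:00Z dave@example.co.uk success
"""

FAILURE_THRESHOLD = 5  # failures per user in the exported window that warrant a closer look


def adoption_report(users_csv=USERS_CSV):
    """Adoption percentage plus the list of users still without MFA."""
    users = list(csv.DictReader(io.StringIO(users_csv)))
    enrolled = [u["user"] for u in users if u["mfa_registered"].strip().lower() == "yes"]
    missing = [u["user"] for u in users if u["user"] not in enrolled]
    percent = round(100 * len(enrolled) / len(users), 1) if users else 0.0
    return {"total": len(users), "enrolled": len(enrolled), "percent": percent, "missing": missing}


def failed_signins(log_text=SIGNIN_LOG):
    """Count failed sign-ins per user; malformed lines are skipped rather than crashing the report."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _, user, result = parts
        if result == "failure":
            counts[user] += 1
    return dict(counts)


def flagged_accounts(log_text=SIGNIN_LOG, threshold=FAILURE_THRESHOLD):
    """Users whose failure count reaches the threshold (user confusion or someone guessing)."""
    return sorted(u for u, n in failed_signins(log_text).items() if n >= threshold)


def unprotected_and_attacked(users_csv=USERS_CSV, log_text=SIGNIN_LOG):
    """Highest priority: accounts without MFA that also show repeated failures."""
    missing = set(adoption_report(users_csv)["missing"])
    return [u for u in flagged_accounts(log_text) if u in missing]


if __name__ == "__main__":
    report = adoption_report()
    print(f"MFA enrolled: {report['enrolled']}/{report['total']} ({report['percent']}%)")
    print("Still without MFA:", ", ".join(report["missing"]) or "none")
    print("Repeated failures:", flagged_accounts() or "none")
    print("Unprotected AND failing:", unprotected_and_attacked() or "none")
```

Run it daily for the first week: the "missing" list is your chase-up list, and anyone on the "unprotected and attacked" list should be enrolled (or their password reset) the same day rather than at the end of the rollout.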
Gather Feedback
Ask staff:
- What problems are they experiencing?
- Is the process confusing anywhere?
- Do they need additional training?
Use this feedback to refine your process for future staff.
Part 4: Advanced MFA Strategies
Once you have basic MFA working, consider these enhancements:
Hardware Security Keys for High-Risk Users
Deploy FIDO2 security keys to:
- Executives
- IT administrators
- Finance team members
- Anyone with access to highly sensitive systems
Cost: £20-40 per user
Benefit: Cannot be remotely compromised, even by sophisticated phishing
MFA for Physical Office Access
Some businesses are integrating digital authentication with physical security:
- Use the same authenticator app for building access
- Hardware security keys that work with door readers
- Unified authentication across digital and physical security
Risk-Based Authentication
Microsoft 365 and Google Workspace can adjust MFA requirements based on:
- Login location (require MFA from new locations)
- Device trust (skip MFA on trusted devices)
- Risk signals (require MFA if suspicious activity detected)
This reduces MFA fatigue while maintaining security.
Common Problems and Solutions
Problem: Staff say they cannot receive codes because they have no phone signal
Solution: Authenticator apps work offline. The codes are generated on the device, not sent over the network. Demonstrate this by putting your phone in airplane mode and showing codes still generate.
Problem: Staff want to skip MFA because it is inconvenient
Solution: Show them the Synnovis case. Ask if a few extra seconds at login is worth a patient dying. Make it about protection, not inconvenience.
Problem: The managing director refuses to use MFA because they are “too busy”
Solution: Executives are high-value targets. They need MFA more than anyone else. If they refuse, document this refusal in writing. When (not if) their account is compromised, you have evidence you tried to prevent it.
Problem: Our accounting software charges extra for MFA
Solution: This is unethical price gouging for basic security. Switch vendors. There are competitors who include MFA as standard. Name and shame the gougers by contacting us.
Problem: Authenticator app codes are not working
Solution: Check the phone’s time settings. If the phone’s clock is wrong by more than 30 seconds, codes will not sync. Enable automatic time in phone settings.
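The three points above about authenticator codes (they change every 30 seconds, they are generated on the phone with no network involved, and a wrong clock breaks them) all follow from how time-based one-time passwords work. The following is an added example, not from the original guide: a standard-library implementation of RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits, as used by Microsoft and Google Authenticator) together with the server-side check that accepts one step of clock drift either side. The demo secret is constructed; the test vectors come from the RFC.

```python
"""Added example (not from the original guide): RFC 6238 TOTP with only the
standard library, to show why authenticator codes work offline and why a
phone clock that is far out of sync produces codes the server rejects."""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # the "code changes every 30 seconds" interval
DIGITS = 6

# Constructed demo secret (base32, as carried in an enrolment QR code). Not a real key.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Return the TOTP code for the given Unix time.

    No network is involved: the code depends only on the shared secret and the
    clock, which is why the app keeps producing codes in airplane mode.
    """
    key = base64.b32decode(secret_b32.upper())
    counter = unix_time // step                     # which 30-second window we are in
    msg = struct.pack(">Q", counter)                # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def step_offset(server_time: int, phone_time: int, step: int = STEP_SECONDS) -> int:
    """How many 30-second windows the phone's clock is from the server's."""
    return phone_time // step - server_time // step


def verify(secret_b32: str, submitted: str, server_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current window and `window`
    windows either side, which tolerates small clock drift only.

    compare_digest is constant-time, so the check does not leak which digits matched.
    """
    for delta in range(-window, window + 1):
        expected = totp(secret_b32, server_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def drift_tolerated(drift_seconds: int, server_time: int = 1_700_000_000) -> bool:
    """Would a phone whose clock is off by `drift_seconds` produce an accepted code?"""
    phone_code = totp(DEMO_SECRET_B32, server_time + drift_seconds)
    return verify(DEMO_SECRET_B32, phone_code, server_time)


if __name__ == "__main__":
    t = 1_700_000_000
    print("code in this window:", totp(DEMO_SECRET_B32, t))
    print("code 30s later:     ", totp(DEMO_SECRET_B32, t + 30))
    for drift in (0, 20, 45, 120):
        print(f"phone clock off by {drift:>3}s -> windows apart: {step_offset(t, t + drift)}, "
              f"accepted: {drift_tolerated(drift, t)}")
```

Two things the run makes visible. First, whether a given number of seconds of drift is tolerated depends on where in the 30-second window the server currently is, which is why a phone that is "only" 40 seconds out works some of the time and fails the rest, and why the fix is to enable automatic time rather than to wait and retry. Second, the server only ever accepts a handful of windows, so a code someone shoulder-surfed is useless a minute later.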
Your Action Plan Right Now
Stop reading. Start implementing.
In the next 10 minutes:
- Create your systems inventory spreadsheet
- Identify your primary email platform
- Bookmark the relevant admin console
In the next hour:
- Work through the Microsoft 365 or Google Workspace setup
- Enable MFA for your own account first
- Test the process
By end of business today:
- Enable MFA on email for all staff
- Configure at least one critical secondary system
- Send initial communication to staff
This week:
- Complete rollout to all critical systems
- Conduct staff training
- Establish backup procedures
This month:
- Enable MFA on all remaining systems
- Review and document processes
- Schedule periodic audits
The Bottom Line
A patient died because multi-factor authentication was not enabled. The control was free. Implementation takes hours. The consequences of not implementing it are catastrophic.
You now have everything you need to implement MFA across your business. The only question is whether you will do it before or after your preventable disaster.
I strongly recommend before.
Implementation Resources
Resource: Link
- Microsoft Authenticator App (iOS): Download
- Microsoft Authenticator App (Android): Download
- Google Authenticator (iOS): Download
- Google Authenticator (Android): Download
- YubiKey Security Keys: Yubico UK
- Microsoft 365 MFA Documentation: Microsoft Docs
- Google Workspace 2FA Guide: Google Support