How to set up multi-factor authentication on every account
MFA blocks 99.9% of automated attacks. Here’s how to turn it on for every account that matters.
- 99.9% of automated credential attacks blocked by MFA (Microsoft)
- of data breaches involve compromised credentials
- average cost of a data breach in 2024 (IBM)
A strong password is not enough. Passwords get reused, phished, leaked in data breaches, and guessed. Multi-factor authentication (MFA) adds a second verification step — usually a time-based code from an app or a push notification — that makes stolen passwords useless to attackers.
Enabling MFA takes about 3 minutes per account. There is no single security action with a better return on that time investment.
Microsoft Authenticator: The right choice for any Microsoft 365 environment. Supports passwordless sign-in, push notifications, and number matching to prevent MFA fatigue attacks.
Google Authenticator: Simple and reliable for personal accounts and Google Workspace. Now supports cloud backup to your Google account. No push notifications; it generates 6-digit codes.
Authy: Best choice if account recovery is a priority. Multi-device sync, encrypted cloud backup, and a desktop app. Good for individuals managing many accounts.
Microsoft account / Microsoft 365:
1. Sign in at aka.ms/mfasetup or go to your Microsoft Account → Security → Advanced Security Options.
2. Select “Add a new way to sign in or verify.” Choose Authenticator app.
3. Install Microsoft Authenticator on your phone. Scan the QR code shown on screen.
4. Approve the test notification on your phone to complete setup.
Admins: Enforce MFA for all users in Microsoft Entra (Azure AD) → Security → Conditional Access, or enable Security Defaults.
Google account / Google Workspace:
1. Go to myaccount.google.com → Security → 2-Step Verification.
2. Click “Get started” and enter your password if prompted.
3. Choose Authenticator app from the list (preferred over SMS). Scan the QR code.
4. Enter the 6-digit code from the app to confirm, then click Turn On.
Apple ID:
1. On iPhone/iPad: Settings → [Your Name] → Sign-In & Security → Two-Factor Authentication.
2. On Mac: Apple menu → System Settings → [Your Name] → Sign-In & Security → Two-Factor Authentication.
3. Follow the prompts to add a trusted phone number. Apple sends verification codes to trusted devices automatically.
LinkedIn:
1. Click your profile photo → Settings & Privacy → Sign in & security → Two-step verification.
2. Select “Authenticator app” and click Set up.
3. Scan the QR code with your authenticator app, enter the 6-digit code to verify, and save.
SMS-based MFA is far better than nothing — but it has known weaknesses. If a site offers an authenticator app option, use it.
Authenticator app:
- Codes are generated offline; no cellular network required
- Immune to SIM-swapping attacks
- Codes expire every 30 seconds
- Works in airplane mode or with poor signal
- Harder to intercept than SMS
SMS codes:
- Vulnerable to SIM-swap attacks (an attacker ports your number to their own SIM)
- Codes can be intercepted through SS7 signaling-protocol weaknesses
- Requires cellular signal
- Social engineering of the carrier can redirect your number to an attacker
Being locked out of your own account is the most common concern, and it is manageable. Most platforms provide backup codes when you set up MFA. Print them and store them in a safe location. Authy’s multi-device sync also helps. For business accounts, your IT admin can reset MFA. The risk of being locked out is far lower than the risk of account compromise without MFA.
For most accounts, you will not be asked for a second factor on every sign-in. Once a device is marked as trusted, you only see MFA challenges when signing in from a new device or browser, or after an extended period. Microsoft Authenticator push notifications take about 3 seconds. The mild inconvenience is worth the protection.
In Microsoft 365, enable Security Defaults (free) or Conditional Access policies (requires Azure AD P1, included in M365 Business Premium). In Google Workspace, go to Admin console → Security → 2-Step Verification → Enforcement. Both approaches let you enforce MFA for all users within a few clicks, with a grace period for users to enroll.
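The Conditional Access route described above can also be driven through the Microsoft Graph API, which is useful when you want the same policy rolled out repeatably and want to know who will be affected before enforcing it. The following is an added example, not tooling from the original article or its authors. It builds the policy body for `POST /identity/conditionalAccess/policies` (all users, all cloud apps, grant control `mfa`), defaults to report-only mode, refuses to target "All" users without an excluded break-glass account, and filters the `GET /reports/authenticationMethods/userRegistrationDetails` report for users who have not enrolled or who enrolled only a phone number. The access token, the `<break-glass-object-id>` placeholder, and the `SAMPLE_DETAILS` records are assumptions constructed for the example; `graph_call` is a minimal client of this example's own and is not exercised offline.

```python
import json
import urllib.request
from typing import Iterable, List, Optional

GRAPH = "https://graph.microsoft.com/v1.0"


def require_mfa_policy(display_name: str, break_glass_ids: Iterable[str],
                       enforce: bool = False) -> dict:
    """Body for POST /identity/conditionalAccess/policies: require MFA for all users
    on all cloud apps. Created in report-only mode unless enforce=True, and refuses
    to target 'All' without at least one excluded emergency-access account."""
    excluded = list(break_glass_ids)
    if not excluded:
        raise ValueError("exclude at least one break-glass account before targeting 'All' users")
    return {
        "displayName": display_name,
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": excluded},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def not_mfa_registered(details: Iterable[dict]) -> List[str]:
    """UPNs from the userRegistrationDetails report with no MFA method registered.
    These users start failing sign-in the moment the policy moves to enforced."""
    return sorted(d["userPrincipalName"] for d in details
                  if not d.get("isMfaRegistered", False))


def sms_only(details: Iterable[dict]) -> List[str]:
    """Registered, but only with a phone number (SMS/voice) and no authenticator app,
    i.e. the users still exposed to the SIM-swap and SS7 weaknesses above."""
    phone_methods = {"mobilePhone", "alternateMobilePhone"}
    return sorted(d["userPrincipalName"] for d in details
                  if d.get("isMfaRegistered")
                  and set(d.get("methodsRegistered", [])) <= phone_methods)


def graph_call(token: str, method: str, path: str, body: Optional[dict] = None) -> dict:
    """Minimal Graph client. The token is obtained separately (assumed here) with
    Policy.ReadWrite.ConditionalAccess and AuditLog.Read.All permissions."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        GRAPH + path, data=data, method=method,
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample in the shape of the report's 'value' array (not real tenant data).
SAMPLE_DETAILS = [
    {"userPrincipalName": "alice@example.com", "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
    {"userPrincipalName": "bob@example.com", "isMfaRegistered": True,
     "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "carol@example.com", "isMfaRegistered": False,
     "methodsRegistered": []},
]


if __name__ == "__main__":
    policy = require_mfa_policy("Require MFA for all users", ["<break-glass-object-id>"])
    print(json.dumps(policy, indent=2))
    print("not registered:", not_mfa_registered(SAMPLE_DETAILS))
    print("SMS only:", sms_only(SAMPLE_DETAILS))
    # Live use, not run here:
    # graph_call(token, "POST", "/identity/conditionalAccess/policies", policy)
    # page = graph_call(token, "GET", "/reports/authenticationMethods/userRegistrationDetails")
    # not_mfa_registered(page["value"])
```

The report-only default matters: the Conditional Access sign-in logs then show who would have been blocked, so you can chase the `not_mfa_registered` list through the enrollment grace period and only then flip `enforce=True`. Keep at least one cloud-only break-glass account excluded and protected by another control, so a misconfigured policy cannot lock every admin out of the tenant.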
Want us to enforce MFA across your whole organization?
We can configure Conditional Access or Google Workspace enforcement policies and make sure no account slips through.