Task 5: Set Up Multi-Factor Authentication (MFA)
By now, you’ve built a solid foundation with strong passwords and a password manager. This Task—enabling Multi-Factor Authentication (MFA)—will take your small business defenses to the next level. The best part is that it’s very easy to deploy and 100% free.
Multi-Factor Authentication (MFA) adds a critical layer of defense to your authentication process, dramatically improving the security of logging in to your apps and systems. Even if an attacker manages to steal your password, they won’t be able to log in without the second factor of authentication. This takes the payoff out of some of the most common attacks, like brute forcing or password spraying, because a guessed password alone no longer grants access. And even if they decide to manually try to attack your login, it makes it far more difficult for them to succeed.
What is MFA?
MFA requires you to verify your identity using two or more factors including:
- Something you know — i.e. your password.
- Something you have — like your phone or an authenticator app.
- Something you are — like a fingerprint or facial recognition.
Even if your password gets compromised, attackers would still need access to your second factor to break in. This simple step blocks the vast majority of account takeovers.
Comparing MFA Methods: Good, Better, Best
While deploying any type of MFA is far better than not using MFA at all, not all MFA methods are equal in the level of protection they provide.
The following chart does a good job of breaking this down:
MFA Method | Security Level | Pros | Cons |
---|---|---|---|
Text Message (SMS) Codes | Good | Easy to set up, widely supported | Vulnerable to interception, SIM-swapping attacks |
Email-Based MFA | Slightly Better | Simple, familiar | Email accounts are often a weak link |
Authenticator Apps | Better | Stronger security, not reliant on cell carriers, internet access not required for code | Slightly more setup, needs access to phone |
Authenticator App with Biometric Lock | Best | Prevents unauthorized use even if phone is stolen | Requires biometric-capable device |
While SMS and Email MFA are far better than no MFA, we recommend using an authenticator app, preferably with a biometric lock (like fingerprint or face recognition). All of the main authenticator apps allow this, and once activated all it requires is that you use your fingerprint or face to unlock it, the same way you would unlock your phone.
This adds significantly stronger protection and ensures only you can approve logins.
How to Set Up MFA Using an Authenticator App
Step 1: Choose and Install an Authenticator App
Choose an authenticator app and install it on your smartphone. Some of the most popular are:
- Google Authenticator
- Microsoft Authenticator
- Authy
Ensure the app itself is secured with a biometric lock or device PIN.
Step 2: Add Accounts to Your Authenticator App
Once you’ve installed an authenticator app, you’ll need to add accounts to it.
Let’s walk through how to do this using Google Authenticator as an example (the process is very similar for Microsoft Authenticator and Authy).
Adding an Account in Google Authenticator:
- Open the Google Authenticator app on your smartphone.
- On the bottom right corner, tap the ‘+’ (plus) button to add a new account.
- You’ll be presented with two options:
  - Scan a QR code (most common and easiest method)
  - Enter a setup key manually (used if a QR code isn’t provided)
- Choose ‘Scan a QR code’.
- This will activate your phone’s camera.
- On your computer, navigate to the account or service you want to protect.
- Go to its security settings and look for Two-Factor Authentication (2FA) or MFA setup.
- Select the option to set up with an authenticator app.
- A QR code will appear on your screen.
- Point your phone’s camera at the QR code until the app recognizes it and adds the account.
- The app will now generate a 6-digit verification code that changes every 30 seconds.
Microsoft Authenticator / Authy:
- The process is nearly identical:
  - Tap Add Account or +
  - Choose Work/School account or Other account
  - Scan the QR code using your phone’s camera.
- The account will appear in your app with a rotating 6-digit code.
Step 3: Enable MFA on Your Important Accounts
Start with your most critical accounts:
- Email (Google Workspace, Microsoft 365)
- Financial accounts (banking, PayPal, etc.)
- Cloud services (Dropbox, QuickBooks, etc.)
- Any admin panels (website CMS, hosting, etc.)
- Social media & business platforms (LinkedIn, Facebook Business, etc.)
Go to the security settings of each service and look for Multi-Factor Authentication, Two-Factor Authentication, or 2-Step Verification options. Follow the instructions to link your authenticator app—usually by scanning a QR code.
Step 4: Store Backup Codes Safely
Many services will provide backup codes in case you lose access to your authenticator app.
Store these in your password manager under the relevant entry, and optionally print a physical copy and lock it in a secure location.
Step 5: Test and Verify
After setup, log out and attempt to log back in to ensure that your MFA is working correctly.
Confirm you can retrieve and use your authenticator app codes without issue.
Keep Going!
While not every application supports MFA, you should enable it everywhere you can. Prioritize high-value accounts and gradually work your way through the rest.
🕒 Timing Tip: What to Do If the Code Doesn’t Work
Authenticator apps generate time-based one-time passwords (TOTP) that refresh every 30 seconds.
If you enter a code and it doesn’t work, don’t panic! It’s usually just a timing issue. Simply wait a few seconds for a new code to appear in the app and try again.
If codes consistently fail:
- Ensure your phone’s time and date settings are set to automatic (sync with network time).
- Some apps (like Authy) offer a “Time Sync” option in their settings—use this if you suspect your device is slightly out of sync.
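To make the 30-second behaviour concrete, here is an added example (not part of the original guide, and not the code of Google Authenticator, Microsoft Authenticator or Authy) that implements the standard TOTP algorithm (RFC 6238, HMAC-SHA1, 6 digits) the authenticator apps in Step 2 use, decodes a base32 "setup key" of the kind shown next to the QR code, and shows why a phone whose clock has drifted produces codes the server rejects. The secret, the timestamps and the skew values are constructed for illustration; the secret is the RFC 6238 test-vector key, so the generated codes can be checked against the RFC. The server-side `verify_totp` function accepts one step either side of the current time, which is the usual tolerance that makes a code "work" when you try again a few seconds later.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # code period used by the common authenticator apps
DIGITS = 6         # code length used by the common authenticator apps


def decode_setup_key(setup_key: str) -> bytes:
    """Decode the base32 'setup key' shown beside the QR code.

    Apps display the key in lowercase groups of four; spaces and case are
    ignored here, and base32 padding is restored before decoding.
    """
    cleaned = setup_key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    message = struct.pack(">Q", counter)
    digest = hmac.new(secret, message, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step (unix_time // 30)."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Server-side check: accept the current step plus `window` steps on either side.

    A window of 1 tolerates about 30 seconds of clock skew in each direction.
    Comparison is constant-time so the check itself does not leak the code.
    """
    current_step = unix_time // step
    for delta in range(-window, window + 1):
        expected = hotp(secret, current_step + delta)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def skew_demo(secret: bytes, server_time: int, phone_skew_seconds: int):
    """Return (code the phone shows, whether the server accepts it) for a phone
    whose clock is phone_skew_seconds ahead of (or, if negative, behind) the server."""
    phone_code = totp(secret, server_time + phone_skew_seconds)
    return phone_code, verify_totp(secret, phone_code, server_time)


if __name__ == "__main__":
    # Constructed setup key: the base32 form of the RFC 6238 test-vector secret.
    secret = decode_setup_key("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    server_now = 1111111109  # constructed server timestamp from the RFC 6238 test table
    print("code right now:", totp(secret, server_now))
    for skew in (0, 2, 90):
        code, ok = skew_demo(secret, server_now, skew)
        print(f"phone {skew:+d}s off -> shows {code}, server accepts: {ok}")
```

Running the block shows the code changing at the 30-second boundary (a phone two seconds fast is already on the next step, and the server still accepts it because of the one-step window), while a phone 90 seconds fast is three steps ahead and its codes are refused every time, which is exactly the "codes consistently fail" symptom that fixing automatic time sync resolves.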