Client Portal

How to Set Up Multi-Factor Authentication

Multi-factor authentication stops the vast majority of account takeovers, even when your password has already been stolen. Here's how to turn it on for the accounts and apps you use every day.

A laptop with an open 4 digit code lock place on it

Here's an uncomfortable truth: if an attacker gets hold of your password, they have your account. It doesn't matter how strong the password is. Once they have it, they're in. And with billions of leaked credentials floating around the internet from past data breaches, there's a reasonable chance at least one of your passwords is already out there.

Multi-factor authentication (MFA) changes that. Even with your password in hand, an attacker can't get in without the second factor that only you hold. It's one of the most effective security measures available, it's free on almost every major platform, and it takes about five minutes to set up. This guide walks you through exactly how.

Already using MFA but want to understand the different types and how they compare? Take a look at our introduction to multi-factor authentication for the full picture.

What You'll Need

For most accounts, the recommended approach is to use an authenticator app on your phone. This generates a six-digit code that refreshes every 30 seconds. You enter it alongside your password when logging in, and it works even without a mobile signal or internet connection.

The most widely used authenticator apps are:

  • Microsoft Authenticator — the best choice if you use Microsoft 365, as it enables one-tap approvals as well as codes.
  • Google Authenticator — simple and reliable, works with almost everything.
  • Authy — a good option if you want encrypted backups of your codes across multiple devices.

Download whichever you prefer before you start. The setup process is the same across all of them.

What about SMS codes?

Many accounts offer MFA via text message as an alternative. It's better than nothing, but it's worth knowing that SMS-based MFA can be intercepted through SIM-swapping attacks. Where you have the option, an authenticator app is the more secure choice. For most personal and business accounts, authenticator apps are now the recommended standard.

Setting Up MFA on Microsoft 365

If your business runs on Microsoft 365, this is the most important one to get right. A compromised Microsoft 365 account gives an attacker access to your email, SharePoint, Teams, and everything connected to it.

  1. Go to mysignins.microsoft.com/security-info and sign in with your Microsoft 365 account.
  2. Click Add sign-in method.
  3. Select Authenticator app from the dropdown and click Add.
  4. Open the Microsoft Authenticator app on your phone, tap the + button, and choose Work or school account.
  5. Scan the QR code shown on your computer screen.
  6. Microsoft will send a test notification to your phone to confirm everything is working. Approve it.
  7. Done. From now on, signing into Microsoft 365 will prompt you to approve the login on your phone.
For Microsoft 365 admins

If you manage Microsoft 365 for your organisation, you can enforce MFA for all users via the Microsoft Entra admin centre under Security > Authentication methods, or by enabling Security Defaults. This ensures no one in your team can skip it. Get in touch with us if you need help rolling this out.

Setting Up MFA on a Google Account

This covers Gmail, Google Drive, Google Workspace, and any other service tied to your Google account.

  1. Go to myaccount.google.com/security and sign in.
  2. Under the "How you sign in to Google" section, click 2-Step Verification.
  3. Click Get started and follow the prompts. Google will first ask you to confirm your phone number as a fallback.
  4. Once past the initial setup, scroll down to the Authenticator app section and click Set up authenticator.
  5. Open your authenticator app, tap +, and choose Scan a QR code.
  6. Scan the QR code shown on screen, then enter the six-digit code the app generates to confirm it's working.
  7. Done. Google will now ask for a code from your authenticator app whenever you sign in on a new device.

Setting Up MFA on Your 1Password Account

If you're using 1Password as your password manager (which we strongly recommend), protecting the account itself with MFA is essential. Your password manager is the keys to the kingdom, and it deserves an extra layer of protection.

  1. Sign in to your account at my.1password.com.
  2. Click your name in the top right and go to My Profile.
  3. Scroll to the More Actions section and click Set up two-factor authentication.
  4. Open your authenticator app, scan the QR code shown on screen, and enter the six-digit code to confirm.
  5. Save the recovery code that 1Password provides somewhere safe, ideally printed and stored securely. You'll need it if you ever lose access to your phone.

Note that 1Password already uses a Secret Key alongside your password for account security, which is an additional layer most other services don't have. Adding MFA on top of that makes your account extremely well protected.

Setting Up MFA on Other Accounts

The process is broadly the same across almost every platform. Look for the security or privacy section of your account settings and search for "two-factor authentication", "2FA", or "multi-factor authentication". You'll usually find a QR code to scan with your authenticator app, and from there the steps are identical to those above.

The accounts worth prioritising, if you haven't already:

  • Your email account (this is the most critical, since password reset links go here)
  • Banking and financial accounts
  • Cloud storage (Nextcloud, OneDrive, Google Drive)
  • Social media accounts used for your business
  • Any accounts that store card details or personal information
  • Your domain registrar and web hosting, if applicable

The website 2fa.directory maintains a useful list of which services support MFA and what methods they offer, if you're unsure about a specific platform.

Save Your Backup Codes

Every platform that offers MFA will also give you a set of backup codes during setup. These are single-use codes that let you access your account if you lose your phone or can't get to your authenticator app.

Do not skip this step, and do not save them only on the device you're trying to protect. Print them and store them somewhere safe, save them in a secure document kept offsite, or store them in a password manager on a separate device. The goal is to have them available in an emergency without them being easy for someone else to find.

What if I get a new phone?

Before switching to a new phone, make sure to transfer your authenticator app entries. Microsoft Authenticator and Authy both have built-in account recovery or transfer options. Google Authenticator added export functionality in recent versions. If you switch phones without doing this first, you'll need to use your backup codes to regain access, which is why keeping them somewhere safe matters.

MFA for Your Business: Going Further

For individual accounts, MFA is something anyone can set up in minutes. For businesses, it's worth thinking about it more systematically.

Priority
What to do
Immediate
Enable MFA on Microsoft 365 or Google Workspace for every user
Short term
Enforce MFA at admin level so users cannot disable it themselves
Ongoing
Include MFA setup in your onboarding process for new starters
Worth considering
Hardware security keys (such as YubiKey) for high-privilege accounts like IT admins and finance staff

Enforcing MFA across your organisation is one of the highest-impact security improvements you can make, and it doesn't require expensive software or a lengthy project to implement. If you're on Microsoft 365, it can be done in an afternoon.

Once MFA is in place, the next step is making sure your team can recognise the attacks designed to get around it. Our guide on how to spot a phishing email covers the warning signs everyone in your business should know.

Need help rolling out MFA across your team, or want to make sure it's enforced correctly in Microsoft 365? The Tranquil IT team can handle the setup and make sure nothing gets missed.

Email us at support@tranquilit.net or call us on 01279 658331.