KOLOSALTech

MFA for SMEs: Practical guide to enable two-factor authentication everywhere in 1 week


Concrete steps to enable MFA on Microsoft 365, Google Workspace, and all critical SaaS. Methods, exceptions, recovery.

Multi-factor authentication (MFA, also called two-factor authentication) blocks 99% of account compromises according to Microsoft. It's the security measure with the absolute best ROI: free, quick to deploy, immediately effective. Here's how to enable it everywhere in 1 week at an SME.

Day 1 — Microsoft 365 / Google Workspace

If you use Microsoft 365:

  • Admin Center → Conditional Access (or Security Defaults for SMEs)
  • Enable Security Defaults → MFA required for all users
  • Force enrollment at next login

If you use Google Workspace:

  • Admin → Security → Two-step verification → Enforce application
  • 7-day grace period for user enrollment

Day 2 — Choose your MFA method

In order of preference (most to least secure):

  • Physical FIDO2 key (YubiKey 5 — €50 / workstation): ultimate security, phishing-resistant, recommended for executives and IT.
  • Authenticator app (Microsoft Authenticator, Google Authenticator, Authy): free, fast. SME standard.
  • Push notification (Microsoft, Duo): convenient, vulnerable to "MFA fatigue" if misconfigured.
  • SMS: avoid (vulnerable to SIM swap); last resort only.

Day 3 — User enrollment procedure

Prepare a short document (1 page) with screenshots:

  • How to download Microsoft Authenticator (iOS/Android)
  • How to scan the QR code at login
  • What to do if you change phones
  • Who to contact if problems arise

Day 4 — Manage exceptions

A few special cases:

  • Service accounts (backup, monitoring): they cannot answer an interactive MFA prompt, so give them long random passwords without MFA and restrict their sign-in to known source IP addresses.
  • Shared workstations (workshop, reception): quick authentication via shared physical key or dedicated account.
  • Non-technical staff: plan 30-minute group training session.

Day 5 — Recovery codes

Each user must generate recovery codes:

  • 10 single-use codes generated at enrollment
  • Print or store in password manager (1Password, Bitwarden)
  • Allows re-login if phone is lost
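The following is an added example, not part of the original article, showing how the recovery-code scheme above should behave on the server side: ten random single-use codes are generated at enrollment, only salted hashes are stored, lookups are constant-time, and a code is deleted the first time it is accepted. The `RecoveryCodeStore` class, the code alphabet and the "xxxx-xxxx" display format are this example's own choices.

```python
import hashlib
import hmac
import secrets

# Alphabet without 0/o, 1/l/i so printed codes survive being typed back in.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_recovery_codes(n: int = 10, length: int = 8) -> list:
    """n random codes, shown as 'xxxx-xxxx'; 31^8 possibilities each, about 40 bits."""
    codes = []
    for _ in range(n):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(f"{raw[:4]}-{raw[4:]}")
    return codes


def normalize(code: str) -> str:
    """Tolerate the dash, spaces and upper case a user may type when reading a printout."""
    return code.replace("-", "").replace(" ", "").lower()


def hash_code(code: str, salt: bytes) -> bytes:
    """Slow salted hash so a leaked database does not give away the codes themselves."""
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, 100_000)


class RecoveryCodeStore:
    """Server side (hypothetical helper): keeps hashes only, consumes each code on first use."""

    def __init__(self, codes: list):
        self.salt = secrets.token_bytes(16)
        self.hashes = [hash_code(c, self.salt) for c in codes]

    def remaining(self) -> int:
        return len(self.hashes)

    def redeem(self, candidate: str) -> bool:
        h = hash_code(candidate, self.salt)
        for stored in self.hashes:
            if hmac.compare_digest(stored, h):
                self.hashes.remove(stored)  # single use: gone after one successful login
                return True
        return False


if __name__ == "__main__":
    codes = generate_recovery_codes()
    print("Give these to the user once, then store only the hashes:")
    print("\n".join(codes))
    store = RecoveryCodeStore(codes)
    print("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
```

Two practical consequences follow from this design: the plaintext codes can be shown exactly once (hence "print or store in a password manager"), and when `remaining()` drops low the user should be prompted to regenerate a full set, which invalidates the old ones.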

Day 6 — Extend to third-party SaaS

List of critical SaaS that must also have MFA:

  • GitHub / GitLab (if dev teams) — MFA + SSH keys
  • Slack / Teams admin
  • AWS / Azure / GCP (if cloud)
  • Business banking online (already required normally)
  • Business tools: accounting, payroll, CRM, hosting

Day 7 — Testing and reminder training

  • Verify all users are enrolled (Admin Center → reports)
  • Simulation test: attempt login without MFA → blocked?
  • 15-minute team meeting: reminder of best practices (never approve a push if no login attempt is in progress)
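As an added example for the Day 7 enrollment check (not code from the original article, and not tied to any real product's export schema), here is a small audit over a registration report exported as CSV. The sample rows and their column names are constructed for this example; adapt the column mapping to whatever your admin console exports. It reports users who are not enrolled, users whose only registered method is SMS (the "last resort only" case from Day 2), and the documented Day 4 exceptions so they are not mistaken for gaps.

```python
import csv
import io

# Constructed sample report; the header names are an assumption for this example.
SAMPLE_REPORT = """\
user,mfa_registered,methods,last_sign_in_days
alice@example.com,true,fido2;authenticator_app,1
bob@example.com,true,sms,3
carol@example.com,false,,0
backup-svc@example.com,false,,2
dave@example.com,true,authenticator_app;sms,45
"""

WEAK_METHODS = {"sms"}
# Day 4 exceptions: accounts deliberately excluded from MFA and protected by IP restriction.
SERVICE_ACCOUNTS = {"backup-svc@example.com"}


def audit(report_csv: str, service_accounts: set = SERVICE_ACCOUNTS) -> dict:
    """Classify every row of the report into findings the Day 7 meeting can act on."""
    findings = {"not_enrolled": [], "sms_only": [], "excluded": []}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"].strip().lower()
        if user in service_accounts:
            findings["excluded"].append(user)
            continue
        if row["mfa_registered"].strip().lower() != "true":
            findings["not_enrolled"].append(user)
            continue
        methods = {m.strip() for m in row["methods"].split(";") if m.strip()}
        if methods and methods <= WEAK_METHODS:
            findings["sms_only"].append(user)
    return findings


def coverage(report_csv: str, service_accounts: set = SERVICE_ACCOUNTS) -> float:
    """Fraction of in-scope users (exceptions removed) who are enrolled."""
    rows = list(csv.DictReader(io.StringIO(report_csv)))
    in_scope = [r for r in rows if r["user"].strip().lower() not in service_accounts]
    enrolled = [r for r in in_scope if r["mfa_registered"].strip().lower() == "true"]
    return len(enrolled) / len(in_scope) if in_scope else 1.0


if __name__ == "__main__":
    result = audit(SAMPLE_REPORT)
    for category, users in result.items():
        print(f"{category}: {', '.join(users) or '-'}")
    print(f"coverage: {coverage(SAMPLE_REPORT):.0%}")
```

Run it against a fresh export on Day 7, and again monthly: the `not_enrolled` list is the one to clear before the week is declared done, while `sms_only` is the list to walk through the authenticator-app setup next.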

Total cost

  • Software: €0 (included in Microsoft 365 / Google Workspace)
  • FIDO2 keys (optional): €50 × 5 key personnel = €250
  • Time: 4-8 hours IT + 30 minutes × users

Conclusion

One week of work to block 99% of account compromises. No other security measure has comparable ROI. If you haven't yet enabled MFA across the board in 2026, this is action #1 to do starting Monday.

Tags: MFA, SME, Microsoft 365, Security