MFA for Small Offices: What It Is, How to Set It Up, and Why It Matters

What is MFA?

Multi-factor authentication (MFA) means requiring two forms of identification to log in instead of one. You enter your password (something you know), and then confirm your identity with a second factor (something you have), usually your phone.

The most common second factor is a push notification or a six-digit code from an authenticator app like Microsoft Authenticator or Google Authenticator. Some systems also support text messages, phone calls, or physical security keys.

You've probably already used MFA without thinking about it. When your bank sends you a code to verify a login, that's MFA. When Apple asks you to confirm a new device login on your phone, that's MFA.

The idea is simple: even if someone steals your password, they can't get in without also having your phone.

Why it matters for small offices

According to Microsoft's own data, MFA blocks over 99.9% of account compromise attacks. That's not a marketing number. It reflects the reality that most attacks rely on stolen or guessed passwords, and MFA makes those passwords useless on their own.

For a small professional office, the math is straightforward:

  • Email is your front door. If someone gets into your email, they can read client communications, reset passwords for other systems, send messages as you, and access shared files. For a law firm or CPA practice, that's a catastrophic breach.
  • Passwords alone are not enough. People reuse passwords across sites. They use predictable patterns. They write them on sticky notes. Even strong, unique passwords can be captured in a phishing attack.
  • Small offices are targeted. Attackers know that small businesses have weaker security than enterprises. You don't need to be specifically targeted. Automated attacks try stolen credentials against millions of accounts. If your password was exposed in any data breach, ever, it's being tried against your email right now.
  • Compliance requirements are catching up. IRS Publication 4557 recommends MFA for tax preparers. Cyber insurance applications increasingly require it. Some carriers won't issue a policy without MFA on email.

MFA is the single highest-value security improvement a small office can make. Nothing else comes close in terms of risk reduction relative to effort.

How to set it up on Microsoft 365

If your office uses Microsoft 365 (Outlook, Teams, SharePoint), here's how to enable MFA:

For the admin (the person who manages your M365 tenant):

  1. Sign in to the Microsoft 365 admin center (admin.microsoft.com)
  2. Go to Users > Active users
  3. Click Multi-factor authentication at the top
  4. Select all users (or specific users to start)
  5. Click Enable under Quick Steps
  6. Confirm

For each user (first time after MFA is enabled):

  1. Sign in to your email normally
  2. You'll be prompted to set up MFA
  3. Download Microsoft Authenticator on your phone (iOS or Android)
  4. Open the app and scan the QR code shown on screen
  5. Confirm the test notification
  6. Done

The whole process takes about 5 minutes per person. After setup, you'll get a quick notification on your phone each time you log in from a new device or browser. On devices you use daily, you won't be prompted again for a while.

Recommended settings:

  • Use the Authenticator app, not text messages (SMS can be intercepted)
  • Require MFA for all users, including partners and admin accounts (especially admin accounts)
  • Set up at least two verification methods per user as a backup
  • Create a "break glass" admin account with a very strong password stored offline in case the primary admin gets locked out
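To check whether these recommendations actually hold across a tenant, the following script (an added example, not part of the original post) lists users who have no MFA method registered, flags admin accounts first, and counts users who have only one method and therefore no backup. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in admin has the `AuditLog.Read.All` and `UserAuthenticationMethod.Read.All` scopes, which this example uses to read the registration report.

```powershell
# Added example (not from the original post): audit MFA registration in a
# Microsoft 365 tenant against the recommendations above.
# Assumes: Install-Module Microsoft.Graph -Scope CurrentUser has been run, and
# the signed-in account can consent to the two read-only report scopes below.

Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# One record per user: IsMfaRegistered, IsAdmin and the list of registered methods.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Users with no MFA method at all: the "require MFA for all users" gap.
$unregistered = $details | Where-Object { -not $_.IsMfaRegistered }

# Users with MFA but only one method: the "at least two methods as a backup" gap.
# Counting entries in MethodsRegistered is a heuristic; review the list by hand.
$singleMethod = $details | Where-Object {
    $_.IsMfaRegistered -and @($_.MethodsRegistered).Count -lt 2
}

Write-Host "Total users: $($details.Count)"
Write-Host "Without MFA registered: $($unregistered.Count)"
Write-Host "With only one registered method (no backup): $($singleMethod.Count)"

# Admin accounts without MFA are the most urgent gap, so sort them to the top.
$unregistered |
    Sort-Object -Property @{ Expression = 'IsAdmin'; Descending = $true }, UserPrincipalName |
    Select-Object UserPrincipalName, IsAdmin,
        @{ Name = 'Methods'; Expression = { @($_.MethodsRegistered) -join ', ' } } |
    Format-Table -AutoSize

Disconnect-MgGraph | Out-Null
```

Any account in the first table should be walked through the per-user setup steps above before the enforcement date; the single-method count tells you who still needs a backup method configured.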

How to set it up on Google Workspace

If your office uses Google Workspace (Gmail, Drive, Meet):

For the admin:

  1. Sign in to the Google Admin console (admin.google.com)
  2. Go to Security > Authentication > 2-Step Verification
  3. Check Allow users to turn on 2-Step Verification
  4. Optionally, set a date to enforce 2-Step Verification for all users
  5. Save

For each user:

  1. Go to myaccount.google.com/security
  2. Click 2-Step Verification and follow the prompts
  3. Set up Google Authenticator or use Google's built-in prompts
  4. Save backup codes somewhere safe

Same advice applies: use an authenticator app over SMS, enforce it for everyone, and keep backup methods configured.

Common objections and honest answers

"It's too inconvenient."

It adds about 5 seconds to your login, and only when signing in from a new device. On your daily workstation, you'll rarely see it. Compared to the inconvenience of a compromised email account, 5 seconds is nothing.

"My team won't do it."

They will if it's required, not optional. Set a date, announce it, walk everyone through the setup, and move on. We've done this for offices where the average employee age is 55+. It takes one afternoon.

"We're too small to be a target."

You're not being individually targeted. Automated attacks don't care how big you are. They try credentials in bulk. If any employee's password was ever in a breach (check at haveibeenpwned.com), your account is already in an attacker's database.

"We already have strong passwords."

Good. MFA makes strong passwords even stronger. But password strength doesn't protect against phishing, keyloggers, or credential stuffing from data breaches. MFA does.

"What if I lose my phone?"

That's what backup methods are for. Set up a secondary phone number, print backup codes, or register a security key. Also, you can remove a device from MFA through the admin panel and set up a new one. It's a 10-minute fix, not a crisis.

What MFA does not protect against

MFA is excellent, but it's not a silver bullet. It does not protect against:

  • Malware already on your computer that captures data after you've logged in
  • Phishing attacks that proxy your MFA in real time (advanced "adversary-in-the-middle" attacks, still rare against small offices)
  • Physical access to an unlocked, logged-in machine
  • Other accounts that don't have MFA enabled (bank accounts, software subscriptions, social media)

MFA is one layer. You still need good passwords, patched systems, working backups, and awareness. But it's the most important single layer.

Getting started

If your office hasn't enabled MFA yet, do it this week. Not next quarter. Not when you "have time." This week.

The setup takes less than an hour for a typical small office. The risk reduction is enormous. And every day you wait is a day your email accounts are protected by nothing more than a password that may already be compromised.

If you want help implementing MFA or aren't sure where to start, get in touch. We can walk your team through it or handle the entire rollout as part of a broader IT assessment.

Jonathan Caruso is the founder of Safe Shield IT, providing managed IT and security oversight for small professional offices in Central Georgia.
