Exact navigation paths. Plain English. No IT degree required. This weekend, lock down every cloud account your business depends on — before a hacker does it for you.
- Step-by-step MFA setup for Microsoft 365, Google Workspace, QuickBooks Online, and Shopify — with exact menu paths
- Total time: roughly 90 minutes for all four platforms
- Works for solo business owners, side hustlers, and teams of up to 25
- A printable 90-minute checklist at the bottom so nothing gets missed
| Platform | Who Needs It | Est. Time | Difficulty |
|---|---|---|---|
| Microsoft 365 | Any business using Outlook, Teams, or OneDrive | 15–20 min | Easy |
| Google Workspace | Any business using Gmail or Google Drive | 15–20 min | Easy |
| QuickBooks Online | Anyone using QBO for accounting or payroll | 10 min | Very Easy |
| Shopify | Any e-commerce store owner or staff | 10 min | Very Easy |
1. Why MFA Is Your Most Powerful Security Move (With One Stat That Changes Everything)
Multi-factor authentication (MFA) means that logging in to an account requires two things instead of one: something you know (your password) and something you have (a code from your phone or an authenticator app). Even if a hacker steals, guesses, or buys your password from a data breach, they cannot get in without that second factor.
The stat that matters most: Enabling MFA blocks approximately 99% of automated account takeover attacks, according to data from both Microsoft and CISA. It is not a perfect shield, but it is the single highest-return security action any business owner can take — and it costs nothing beyond 90 minutes of setup time.
Here is the problem most small business owners face: they enabled MFA on their email years ago and assumed they were done. But your financial data, your customer records, and your revenue now live across multiple cloud platforms — and each one is a separate door that a hacker can walk through if it is left unlocked.
As cybersecurity firm Decypher Technologies notes, “MFA needs to be layered into cloud apps, remote access, and admin accounts — not just email or bank logins.” That is exactly what this guide covers.
2. Before You Start: Download Your Authenticator App First (5 Minutes)
An authenticator app generates a new 6-digit code every 30 seconds, tied specifically to your account. It is safer than receiving codes by text message (SMS can be intercepted) and works even when you have no cell signal.
You only need one of these — pick one and stick with it:
- Microsoft Authenticator — Best choice if you use Microsoft 365. Works for all other platforms too. Free on iOS and Android.
- Google Authenticator — Simple and reliable. Best choice if you are primarily a Google Workspace user. Free on iOS and Android.
- Authy — Recommended if you want cloud backup of your codes (useful if you ever lose your phone). Free on iOS and Android.
Download the app now, before proceeding. You will use it across all four platforms in this guide. Once it is on your phone, move to Step 3.
3. Microsoft 365 — MFA Setup (15–20 Minutes)
Microsoft 365 is the front door to your entire business for most small business owners — email, files, Teams calls, and more all run through one login. Here is how to lock it down.
Microsoft 365
admin.microsoft.com · Microsoft Entra Admin Center
Option A: Security Defaults (Recommended for Most Small Businesses)
Security Defaults is Microsoft’s one-toggle solution that forces MFA for all users in your organization. It is the right choice if you have a small team, a Microsoft 365 Business Basic or Standard plan, and do not need custom login rules. It takes under 5 minutes to turn on.
- Go to entra.microsoft.com and sign in with your admin account credentials.
- In the left sidebar, navigate to Identity, then Overview, then click the Properties tab at the top of the page.
- Scroll to the very bottom of the Properties page. You will see a section called Security defaults. Click Manage security defaults.
- In the panel that slides out from the right, set the Security defaults dropdown to Enabled.
- Click Save. That is it — every user in your organization will now be prompted to set up MFA via the Microsoft Authenticator app on their next login.
Option B: Conditional Access (For Microsoft 365 Business Premium)
If you have a Business Premium license and want more control — for example, requiring MFA only when users are signing in from outside the office — use Conditional Access instead.
- In the Entra admin center, navigate to Protection → Conditional Access → Policies.
- Click New policy and give it a clear name — for example, “MFA — All Users.”
- Under Assignments → Users, select All users. Then under Exclude, add at least one emergency admin account so you cannot accidentally lock yourself out.
- Under Target resources, select All resources (formerly All cloud apps).
- Under Access controls → Grant, check Require multifactor authentication, then click Select.
- Set the policy toggle to On and click Create.
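A check for the policy built in the steps above, as an added example that is not from the original guide or from Microsoft. It assumes the policy has been exported as JSON in the Microsoft Graph `conditionalAccessPolicy` shape and that the emergency admin is excluded by user ID; the sample policy, the function name and the placeholder account ID are constructed.

```python
# Constructed policy export shaped like a Microsoft Graph conditionalAccessPolicy
# object. The excluded object ID is a placeholder, not a real account.
BREAK_GLASS_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_POLICY = {
    "displayName": "MFA — All Users",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID]},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def audit_mfa_policy(policy, break_glass_ids):
    """Return a list of findings; an empty list means the policy matches the steps."""
    findings = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    apps = cond.get("applications", {})
    grant = policy.get("grantControls") or {}
    allowed = set(break_glass_ids)

    # "enabledForReportingButNotEnforced" (report-only) and "disabled" do not enforce.
    if policy.get("state") != "enabled":
        findings.append(f"policy state is {policy.get('state')!r}, not enforced")
    if "All" not in users.get("includeUsers", []):
        findings.append("policy does not target All users")
    excluded = set(users.get("excludeUsers", []))
    if not excluded & allowed:
        findings.append("no emergency admin account is excluded (lockout risk)")
    if excluded - allowed:
        findings.append(f"unexpected exclusions bypass MFA: {sorted(excluded - allowed)}")
    if "All" not in apps.get("includeApplications", []):
        findings.append("policy does not cover All resources")
    controls = grant.get("builtInControls", [])
    if "mfa" not in controls:
        findings.append("grant controls do not require MFA")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        findings.append("MFA is only one of several OR'd controls")
    return findings


if __name__ == "__main__":
    print(audit_mfa_policy(SAMPLE_POLICY, [BREAK_GLASS_ID]) or "policy matches the steps")
```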
4. Google Workspace — MFA Setup (15–20 Minutes)
Google Workspace is the hub for millions of small businesses — it controls your email, shared files, and often serves as the login identity for dozens of other tools you use. Locking it down with MFA is non-negotiable.
Google Workspace
admin.google.com · Super Admin access required
Step 1: Enable and Enforce 2-Step Verification (Admin Console)
- Go to admin.google.com and sign in as a Super Administrator.
- In the left menu, navigate to Security → Authentication → 2-Step Verification.
- Check the box labeled “Allow users to turn on 2-Step Verification.” This is required before you can enforce it.
- Under Enforcement, select “On (mandatory for everyone)” from the dropdown. For teams of 25 or fewer, you can enforce immediately. For larger teams, set a grace period of 7–14 days to give employees time to enroll without getting locked out.
- Under Methods, choose which verification types are allowed. The recommended setting is “Any except verification codes via text or phone call.” This blocks SMS (the weakest option) while keeping authenticator apps, hardware keys, and push notifications available.
- Click Save.
Step 2: Individual User Setup
Once the admin has turned on enforcement, each team member needs to complete the setup on their own account. Share these instructions with your team:
- Go to myaccount.google.com/security and sign in.
- Under the “How you sign in to Google” section, click 2-Step Verification, then click Get started.
- Follow the prompts. When asked for your verification method, choose Authenticator app — scan the QR code with the app you downloaded earlier.
- Enter the 6-digit code shown in the app to confirm it is working, then click Turn On.
- Save your backup codes when prompted. Store them somewhere safe and offline.
5. QuickBooks Online — MFA Setup (10 Minutes)
Your QuickBooks account holds your bank connections, payroll data, tax documents, and financial history. A hacker who gets in can change payment routing numbers, create fraudulent invoices, or lock you out entirely. This setup takes about 10 minutes per user.
QuickBooks Online
accounts.intuit.com · Each user must set up individually
- Log in to quickbooks.intuit.com with your username and password.
- Click your profile icon in the top right corner of the screen, then select “Manage your Intuit Account” from the dropdown menu.
- You will be taken to the Intuit Account portal at accounts.intuit.com. In the left sidebar, click Sign-in & Security.
- Find the Two-step verification section and click Turn On to expand it.
- Choose your verification method:
  - Authenticator App — Most secure. Use Google Authenticator, Microsoft Authenticator, or Authy. Scan the QR code with your app when prompted.
  - Text message (SMS) — Easier to set up but slightly less secure than an app. Enter your mobile number and verify with the code sent to you.
  - Email verification — Least secure of the three. Use only if you have no other option.
- Follow the on-screen prompts to verify your chosen method and complete setup. Click Turn On when prompted.
6. Shopify — MFA Setup (10 Minutes)
Your Shopify account is connected to your payment processor, your customer database, your shipping integrations, and in many cases your business bank account. It is one of the highest-value targets for attackers, and Shopify actually requires two-step authentication to use Shopify Payments. If you have not set this up yet, you may also be at risk of having payments blocked.
Shopify
admin.shopify.com · Each staff account sets up their own
For the Store Owner (Your Account)
- Log in to your Shopify admin at admin.shopify.com.
- Click on your account name or email address in the top right corner of the Shopify admin dashboard. Select “Manage Account” from the dropdown.
- In the left menu of the account settings page, click Security.
- Scroll down to the “Two-step authentication” section. Click the “Turn on two-step” button.
- A popup will appear with your authentication options. Select “Authentication app” — this is the most secure option and the one we recommend for store owners.
- Open your authenticator app (Google Authenticator, Microsoft Authenticator, or Authy) and scan the QR code displayed on screen.
- Enter the 6-digit code generated by the app to confirm it is synced correctly, then click Turn On.
- Save your recovery codes. Shopify will display one-time backup codes — copy them and store them somewhere secure and offline. You will need these if you ever lose your phone.
For Staff Accounts
Each staff member must set up two-step authentication on their own account using the same steps above. Store owners cannot activate it on behalf of staff — but you can (and should) make it a policy requirement.
As an owner, you can see your staff’s security settings from Settings → Users and Permissions. Review this page to confirm all staff accounts have two-step authentication active before their next login session.
7. After Setup: 3 Things To Do in the Next 24 Hours
Turning on MFA is the biggest step. But there are three follow-up actions that make your protection complete.
1. Store Your Backup Codes Somewhere Safe
Every platform you set up above generates emergency backup codes during the setup process. These single-use codes let you regain access if you ever lose your phone or cannot access your authenticator app. Store them in one of the following places — never in your email inbox or a regular notes app:
- A password manager (Bitwarden, 1Password, Dashlane)
- A printed document locked in a physical safe or filing cabinet
- An encrypted USB drive stored off-site
2. Tell Your Team — And Why It Matters
Your team needs to understand two things before MFA goes live. First, they should know what the approval prompts look like so they do not panic when one appears. Second, and more importantly, they need to know: if they receive an MFA prompt they did not initiate, they should deny it immediately and notify you. That unsolicited prompt means someone else has their password and is trying to log in right now.
3. Check Your Other Business-Critical Accounts
You have now secured your four biggest platforms. But take 15 more minutes to check these common weak spots that get overlooked:
- Your domain registrar (GoDaddy, Namecheap, Google Domains) — a hacker who gets into this account can redirect your entire website and email.
- Your web hosting account (WP Engine, Bluehost, SiteGround)
- Your social media accounts (especially Facebook Business Manager and LinkedIn)
- Your payment processor if it is separate from Shopify (Stripe, Square, PayPal)
- Your email marketing platform (Mailchimp, Klaviyo, Constant Contact)
The rule of thumb: If a hacker getting into that account would cost you money, damage your reputation, or expose your customers’ data — it needs MFA. Work your way through that list over the next two weekends.
8. Your 90-Minute MFA Checklist (Print This)
Use this checklist to track your progress. Print it, work through it in one sitting, and check each box before you move to the next platform.
📋 MFA Setup Checklist — Byte-Talk.com
Complete all four platforms in 90 minutes or less. Check each item as you go.
Before You Start
- Downloaded Microsoft Authenticator, Google Authenticator, or Authy on my phone
- Set aside 90 uninterrupted minutes for setup
Microsoft 365 (15–20 min)
- Logged in to entra.microsoft.com as admin
- Enabled Security Defaults (or set up Conditional Access policy)
- Created one emergency admin “break glass” account excluded from MFA
- Notified all team members to expect an MFA setup prompt on next login
Google Workspace (15–20 min)
- Logged in to admin.google.com as Super Admin
- Enabled 2-Step Verification: Security → Authentication → 2-Step Verification
- Set Enforcement to “On (mandatory)”
- Set Methods to “Any except verification codes via text or phone call”
- Set grace period (7–14 days for larger teams; skip for teams under 25)
- Created emergency “2SV Disabled” group for break-glass situations
QuickBooks Online (10 min per user)
- Logged in → Profile icon → Manage your Intuit Account → Sign-in & Security
- Enabled Two-step verification using an authenticator app
- Messaged all QuickBooks users to complete their individual setup
- Verified with each user that their setup is complete
Shopify (10 min per user)
- Logged in → Account name → Manage Account → Security → Turn on two-step
- Selected Authentication app and scanned QR code
- Saved recovery codes in secure, offline location
- Confirmed all staff accounts have two-step active via Settings → Users and Permissions
After Setup (Next 24 Hours)
- Backup codes saved securely for all four platforms
- Team briefed: what MFA prompts look like and what to do if one appears unexpectedly
- Domain registrar MFA checked and enabled
- Web hosting account MFA checked and enabled
- Payment processors (Stripe, Square, PayPal) MFA checked and enabled
The Bottom Line
You just did something that roughly 47% of small businesses with fewer than 50 employees have never done: you actually secured your business accounts against the most common attack your competitors are ignoring. A single compromised login — to your email, your accounting software, or your store — can undo months of hard work and cost thousands of dollars in recovery.
MFA will not stop every threat. But it stops the vast majority of them, including the automated credential-stuffing attacks that run 24 hours a day targeting accounts exactly like yours. It costs nothing, it takes 90 minutes, and it works.
Set a calendar reminder to revisit this checklist in six months. Add any new platforms your business starts using. And if you found this guide helpful, share it with another business owner who has been putting this off. They will thank you for it.
Frequently Asked Questions About MFA
What is the difference between MFA and 2FA?
Two-factor authentication (2FA) is a specific type of multi-factor authentication (MFA) that requires exactly two verification factors. MFA is the broader term — it can mean two or more factors. In practice, most small business implementations use two factors, so the terms are often used interchangeably. Both are vastly more secure than a password alone.
Is SMS text message verification safe enough for MFA?
SMS is better than no MFA at all, but it is the weakest MFA option. Text messages can be intercepted through SIM-swapping attacks, where a hacker convinces your mobile carrier to transfer your number to their SIM card. For business accounts holding financial data, use an authenticator app instead. It is free, works offline, and is significantly harder to compromise.
What happens if I lose my phone after setting up MFA?
This is why backup codes are critical. Every platform in this guide generates emergency backup codes during setup — one-time-use codes that bypass MFA and let you regain access. Store them somewhere secure before you need them. If you did not save your backup codes and you lose your phone, you will need to contact each platform’s support team to verify your identity and reset your MFA settings. This process can take days.
Can QuickBooks Online admins force all users to use MFA?
Not yet as of 2026. QuickBooks Online allows each individual user to enable MFA through their Intuit Account portal, but admins cannot currently mandate it or see a dashboard of who has enrolled. The workaround is to directly require it as a written policy for anyone with access to your account, and to verify completion by asking each user individually.
Does enabling MFA slow down my team’s daily logins?
Minimally. Most authenticator apps require about 5–10 seconds to open and copy a code. Many platforms also allow you to mark your personal device as “trusted” so you are only prompted for MFA once every 30 days on that device, not every single login. The slight inconvenience is a very fair trade for the level of protection you get in return.

