Password leaks, compromised email accounts, and unauthorized logins aren't just problems for large corporations; they're also commonplace in small and medium-sized businesses. A single weak password is enough to give an intruder access to the entire infrastructure—from email to the company's hard drive.
Fortunately, there is an easy way to stop this: two-factor authentication (2FA). This is an extra step when logging in that makes a password alone insufficient. Even if someone knows it, they won't be able to log in without a second confirmation, such as a code from an app or a notification on their phone.
In this short guide we will show you how to enable 2FA in your company in less than an hour, without complicated configuration and without paralyzing the team's work. You will learn why it's worth it, which methods are the safest, and how to configure verification step by step in Microsoft 365 and Google Workspace – with descriptions and screenshots.
Let's start with a simple question: What exactly is 2FA and why is it worth having in every company, regardless of its size?

What is 2FA in a nutshell and why it matters for SMEs
Two-factor authentication (2FA) is an extra layer of security when logging in – in addition to your password (something you know), it requires a second confirmation, such as a code from an app, a notification on your phone, or a hardware key (something you have). This means that even if someone knows your password, they won't be able to log in without the second factor.
For small and medium-sized businesses, it's one of the simplest and most effective data protection tools. It protects accounts from phishing attacks, secures email and customer files, and meets basic GDPR and IT audit requirements. Importantly, most systems, such as Microsoft 365 or Google Workspace, offer 2FA at no extra cost.
In practice, 2FA takes a few seconds longer to log in, but makes a huge difference in security. According to Microsoft, it blocks as many as 99% of attempted intrusions resulting from password theft. Implementation is quick and virtually maintenance-free on the user side.
Our experience shows that after activating it in SMEs, the number of security incidents drops significantly. This proves that one simple solution can effectively protect an entire enterprise.
Which 2FA method to choose
Choosing a 2FA method doesn't have to be complicated; what matters is tailoring it to your company's specific needs. Each option works on the same principle: after entering your password, you need to confirm it's really you. The only difference is how the second confirmation is made.
• SMS – the simplest and quickest to set up, but the least secure. SMS codes can be intercepted, so it's best to treat this method as a temporary or backup option.
• Authenticator app (e.g., Microsoft Authenticator, Google Authenticator) – generates single-use codes offline, so it works even without network coverage. This is currently the best compromise between safety and convenience.
• Push notification – Instead of entering a code, you confirm your login with a single click within the app. Convenient and very popular in Microsoft 365.
• Hardware key (e.g. YubiKey) – a physical USB/NFC device. The highest level of protection, but requires purchase and configuration, so it's only recommended for administrative roles or critical accounts.
• Backup codes – one-time emergency login codes, which should be printed out and kept in a safe place.
For most SMEs, the optimal solution is an authentication app or push notification. It's best to leave SMS as an emergency option, and reserve hardware keys for people with access to sensitive systems or data.

Microsoft 365: enabling 2FA step by step
In Microsoft 365, two-factor authentication is available to every user in just a few clicks. You don't need any additional tools or advanced permissions.
How to check if you have 2FA enabled
Log in to your Microsoft 365 account: https://mysignins.microsoft.com/security-info
Choose "Security Information" (Security info).
You will see a list of login methods – if you see e.g. Authenticator app or Phone, 2FA is already active.
If not – click "Add method" to configure it.
How to enable 2FA (for yourself or employees)
Choose Authentication app and click "Next".
Install Microsoft Authenticator on your phone (available on the App Store and Google Play).
Scan the QR code that appears on the screen.
Approve the test notification and you're done – 2FA is working.
From now on, every time you log in, you'll be asked to confirm your account. This only takes a second and significantly increases the security of your account.
For company administrators
If you manage multiple accounts in Microsoft 365, you can enable 2FA for your entire organization in your dashboard:
Choose Users → Active Users → Multi-Factor Authentication.
Select the desired accounts and click "Enable multi-factor authentication".
After this change, users will be prompted to add a login method the next time they access the system.
Tip
Always encourage employees to add two methods (e.g. app and phone) – this will make it easier to regain access if someone loses their phone.
That's all it takes – in practice, configuring 2FA in Microsoft 365 takes no more than 5 minutes, and you can do it on your own, without an IT department.
Microsoft Two-Factor Authentication Setup:
2. After logging in, you'll be taken to your account settings (by default, you'll see 1 option in the login methods section). Then click "Add login method":
3. We select our preferred login method and complete the registration.
Google Workspace: Enabling 2FA Step by Step
Enabling two-step verification (2FA) in Google Workspace is as easy as in Microsoft 365 – the entire setup takes just a few minutes and does not require IT assistance.
How to check if you have 2FA active
Log in to your Google account: https://myaccount.google.com/security
In the section "Logging in to Google", find the item "Two-step verification".
If you see the status “Enabled” – 2FA is already working.
If not – click "Two-Step Verification" → Get Started and go to configuration.
How to enable 2FA for your account
After clicking "Get Started", log in again to confirm.
Select a security method: a notification on the phone (Google Prompt) or an authentication app (e.g. Google Authenticator).
If you choose notification, simply approve the login on your device.
If you choose the app – scan the QR code in the app and enter the generated code.
After activation you can add a backup phone number or one-time codes in case you lose your phone.
How to enable 2FA for your entire company (Admin)
Go to https://admin.google.com and log in as administrator.
Go to: Security → Authentication → Two-Step Verification.
Select the option "Allow users to enable 2FA" or enforce it for selected groups.
Save settings – users will be prompted to add the method the next time they log in.
Tip
The most convenient solution in Google Workspace is Google Prompt – just one click on the phone is enough, without entering codes. For administrative roles, it's worth adding an authentication app or hardware key. The entire setup takes approximately 5 minutes per user, and significantly increases the security of accounts and company data in the Google cloud.
Set up Google two-factor authentication:
2. Go to the "Security" or (in Polish) "Bezpieczeństwo" tab:
3. The highlighted rectangle shows the verification methods that need to be completed (for maximum security, it's worth completing all methods, but 2-step verification alone will also be sufficient security). P.S. I personally use Google Authenticator, which doesn't require advanced knowledge and really secures your account 😉
Post-implementation safety and hygiene maintenance
Enabling 2FA is just the beginning – for it to work effectively, it's worth following a few simple maintenance rules.
• Update login methods – When changing your phone or number, always add a new method in your account settings.
• Store backup codes in a safe place (e.g., a safe or password manager) and refresh them every few months.
• Check logins – Once a quarter, review the history of login attempts in your account panel to detect suspicious activity.
• Train new employees – a short, 5-minute training course on logging in and regaining access eliminates most problems.
• The Two-Method Rule – each user should have at least two active forms of 2FA (e.g. app and phone).
Small habits like these ensure two-factor authentication remains effective for years, without hindering your daily work.
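The rules above can be checked periodically against a list of each user's registered methods. The following is an added example, not part of the original guide: the CSV layout, column names and method labels are assumptions made for illustration (not a Microsoft 365 or Google Workspace export format), and the sample rows are constructed.

```python
import csv
import io

# Constructed sample export; the column names and method labels are
# assumptions for this example, not a vendor export format.
SAMPLE_EXPORT = """user,role,methods
anna@example.com,admin,app;hardware_key
piotr@example.com,admin,sms;phone_call
ewa@example.com,user,app
jan@example.com,user,sms;backup_codes
ola@example.com,user,
marek@example.com,user,push;sms
"""

PHONE_NETWORK = {"sms", "phone_call"}      # codes delivered over the phone network
STRONG_FOR_ADMIN = {"app", "hardware_key"}  # what the guide suggests for admin roles


def audit(export_text):
    """Return {user: [findings]} for accounts that break the guide's rules."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        raw = (row["methods"] or "").split(";")
        methods = {m.strip().lower() for m in raw if m.strip()}
        issues = []
        if not methods:
            issues.append("no 2FA method registered")
        else:
            if len(methods) < 2:
                issues.append("only one method (two-method rule)")
            # SMS, calls and backup codes are meant as fallbacks only.
            if not methods - PHONE_NETWORK - {"backup_codes"}:
                issues.append("no app, push or hardware key")
            is_admin = row["role"].strip().lower() == "admin"
            if is_admin and not methods & STRONG_FOR_ADMIN:
                issues.append("admin without app or hardware key")
        if issues:
            findings[row["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit(SAMPLE_EXPORT).items():
        print(f"{user}: {'; '.join(issues)}")
```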
Frequently asked questions
No. Verification takes literally seconds – most often, just confirming the notification on your phone is enough. On trusted devices you log in without any additional steps.
It's a good idea to add a second method (like a phone number or backup codes) during setup. If you lose your phone, you can log in using an alternative method or ask your administrator to reset 2FA.
Better than no security, but not perfect – SMS messages can be intercepted. An authenticator app (Microsoft or Google Authenticator) or push notifications are more secure.
Yes, most business plans offer it at no additional cost. Only hardware keys or premium solutions require a fee, but these are usually only available to administrators.
Yes. An administrator can enforce two-factor authentication only for specific accounts, such as the accounting department or individuals with access to customer data.
Typically, this only happens after logging out, switching devices, or after several days of inactivity. The system remembers trusted devices so they don't interfere with daily work.
Two-factor authentication is one of those changes that delivers a huge impact with minimal effort. Implementation takes just a few minutes and can protect a company from the consequences of a hack, data loss, and costly downtime.
In small and medium-sized companies, 2FA is not a whim but a real security shield – it runs quietly in the background and effectively blocks unauthorized logins. Thanks to applications such as Microsoft Authenticator or Google Authenticator, you can turn it on yourself, without specialist knowledge and without interrupting the team's work.
If your company doesn't already have 2FA active on its email or cloud accounts, it's worth doing so today. This is the simplest step towards cybersecurity that really works.
If you need help with setup or want to implement 2FA across your entire team without any hassle – we will help you do it quickly and safely.


