How to Set Up 2FA: Step-by-Step Guide

Two-factor authentication (2FA) blocks 99.9% of automated attacks on your accounts. This guide walks you through setting it up on the platforms you use most - Microsoft 365, Google Workspace, and banking apps. You'll be protected in under 5 minutes.


What You Need Before Starting

  • A smartphone (iOS or Android) - For the authenticator app
  • Admin access to your accounts - Microsoft 365 Global Admin or Google Workspace Super Admin
  • 5-10 minutes of uninterrupted time - Per platform you want to secure
  • A secure place for backup codes - Password manager or physical safe

Choosing Your Authenticator App

Both major authenticator apps work well. Here's how they compare:

Microsoft Authenticator

Pros
  • Push notifications (just tap to approve)
  • Password manager built-in
  • Best for Microsoft 365 users
  • Backup to cloud
Cons
  • Slightly larger app size
  • Cloud backup requires Microsoft account

Recommended if you use Microsoft 365

Google Authenticator

Pros
  • Simple and lightweight
  • Works with any service
  • No account required
  • Cloud backup available
Cons
  • No push notifications
  • Codes only (must type them)

Good choice for Google Workspace or multiple services

Setting Up 2FA on Microsoft 365

Microsoft 365 uses Azure Active Directory for authentication. Here's how to enable 2FA:

For Administrators: Enable 2FA Organization-Wide

  1. Go to the Microsoft 365 Admin Center - Sign in at admin.microsoft.com with your Global Admin account
  2. Navigate to Azure Active Directory - Click "Show all" in the left menu, then "Azure Active Directory"
  3. Open Security settings - Click "Security" in the Azure AD menu
  4. Select Authentication methods - Under "Manage", click "Authentication methods"
  5. Configure Microsoft Authenticator - Click "Microsoft Authenticator", enable it, and set target users to "All users"
  6. Enable Security Defaults (recommended) - Go back to "Properties" in Azure AD, click "Manage Security defaults", and enable it

For Users: Set Up Your Authenticator

  1. Download Microsoft Authenticator - Get it from App Store (iOS) or Play Store (Android)
  2. Sign in to your Microsoft account - Go to mysignins.microsoft.com
  3. Add security method - Click "Security info", then "Add sign-in method"
  4. Select Authenticator app - Choose "Authenticator app" from the dropdown
  5. Scan the QR code - Open the Authenticator app, tap "+", choose "Work or school account", and scan the code
  6. Approve the test notification - Microsoft will send a test notification - approve it to complete setup

Setting Up 2FA on Google Workspace

Google Workspace calls this "2-Step Verification". Here's the setup process:

For Administrators: Enable 2FA Organization-Wide

  1. Open Google Admin Console - Sign in at admin.google.com with your Super Admin account
  2. Navigate to Security settings - Click "Security" in the left menu
  3. Open Authentication settings - Click "Authentication" then "2-step verification"
  4. Allow 2-step verification - Check "Allow users to turn on 2-step verification"
  5. Set enforcement (optional) - To require 2FA, select "Enforcement" and choose when it starts
  6. Set grace period - Give users time to set up - 7-14 days is typical for new enrollments

For Users: Set Up Your Authenticator

  1. Download Google Authenticator - Get it from App Store (iOS) or Play Store (Android)
  2. Go to your Google Account - Visit myaccount.google.com and sign in
  3. Open Security settings - Click "Security" in the left menu
  4. Set up 2-Step Verification - Under "Signing in to Google", click "2-Step Verification"
  5. Choose Authenticator app - Click "Authenticator app" and select your phone type
  6. Scan the QR code - Open Google Authenticator, tap "+", select "Scan QR code", and scan it
  7. Enter the verification code - Type the 6-digit code from the app to confirm setup

Setting Up 2FA on Banking Apps

Belgian banks have strong authentication built in. Here's general guidance:

  • Most Belgian banks: Card reader or itsme - Banks like KBC, BNP Paribas, and Belfius use card readers or itsme by default
  • International banks: SMS or authenticator app - Check your bank's security settings for "Two-factor authentication" or "Login verification"

Important Tips

  • Never share authentication codes with anyone - banks will never ask for them
  • Keep your card reader batteries charged
  • Register a backup phone number if your bank offers it
  • Enable login notifications to spot unauthorized access

Backup Codes: Your Safety Net

Backup codes are one-time passwords that work when you can't use your authenticator. Save them carefully:

How to Get Backup Codes

  • Microsoft 365: Go to mysignins.microsoft.com > Security info > Add method > "App passwords" for legacy apps, or write down the recovery code during setup
  • Google: Go to myaccount.google.com > Security > 2-Step Verification > Backup codes > Generate

Good places

  • Password manager (like Bitwarden, 1Password)
  • Printed and stored in a physical safe
  • Encrypted document on a secure backup drive

Bad places

  • Sticky notes on your monitor
  • Unencrypted files on your computer
  • Email to yourself
  • Photos on your phone (same device as authenticator)

What If You Lose Your Phone?

Don't panic. You have options:

  1. Use backup codes - This is why we told you to save them! Enter a backup code instead of the authenticator code.
  2. Use a backup phone - If you registered a second phone number, you can receive codes via SMS.
  3. Contact your admin - For work accounts, your IT admin can temporarily disable 2FA or reset your authentication methods.
  4. Account recovery - Both Microsoft and Google have account recovery processes, but they take time and require identity verification.

Prevent This Problem

  • Save backup codes before you need them
  • Set up multiple authentication methods
  • Register a backup phone number
  • Enable cloud backup in your authenticator app

Rolling Out 2FA to Your Team

A phased rollout reduces support tickets and resistance:

  • Week 1: IT and management - Start with people who can troubleshoot issues and set the example
  • Week 2: Early adopters - Tech-savvy employees who will help their colleagues
  • Week 3-4: Everyone else - Roll out in groups, with support available during work hours

Communication Template

1 week before

"We're improving security with 2FA. You'll need to download [App name] and set it up. Here's a guide: [link]. IT will be available on [date] to help."

On the day

"Today's the day! Open [App name] and follow these steps: [simplified steps]. Need help? Contact IT at [contact]."

Support Tips

  • Hold brief training sessions (15 minutes is enough)
  • Create a simple one-page guide with screenshots
  • Have IT available during the rollout period
  • Set up a dedicated Slack/Teams channel for 2FA questions

Common Mistakes to Avoid

Not saving backup codes

Result: Locked out of accounts when phone is lost or broken

Fix: Save backup codes in a password manager before finishing setup

Rolling out to everyone at once

Result: IT overwhelmed with support tickets

Fix: Phase the rollout over 2-4 weeks

Not testing before going live

Result: Discovery of issues during production hours

Fix: Test with 2-3 users first, including one non-technical person

Using SMS only

Result: SMS can be intercepted (SIM swapping attacks)

Fix: Use authenticator apps - they're more secure

Sharing backup codes

Result: Anyone with the codes can bypass 2FA

Fix: Backup codes are personal - never share them

Testing That It Works

Before considering 2FA fully deployed, verify it works:

Normal login

Sign out and sign back in - you should be prompted for 2FA

New device

Try logging in from a different browser or device - 2FA should be required

Backup code

Use one backup code to confirm it works, then generate a new set

Lost phone scenario

Temporarily remove the account from your authenticator and recover using backup code

Admin Verification

  • Check Azure AD/Google Admin to confirm users have 2FA enabled
  • Review sign-in logs for any authentication failures
  • Verify security defaults or conditional access policies are active
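
One way to run these admin checks over an exported user list during the phased rollout, as an added example (not from the original guide or any vendor tool). The CSV columns, method labels and accounts are hypothetical and constructed for illustration; map them to whatever your admin console exports.

```python
import csv
import io

# Constructed export. Column names and method labels are hypothetical, not a
# Microsoft or Google report format; adapt them to your console's export.
SAMPLE_EXPORT = """user,is_admin,rollout_week,methods
ann@example.com,yes,1,app;backup_codes
bob@example.com,yes,1,
cem@example.com,no,2,sms
dia@example.com,no,2,app
eli@example.com,no,4,
"""


def audit(export_text, current_week):
    """Return {user: [findings]} for accounts that need follow-up."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        methods = {m.strip() for m in row["methods"].split(";") if m.strip()}
        is_admin = row["is_admin"].strip().lower() == "yes"
        due = int(row["rollout_week"]) <= current_week
        issues = []
        if not methods:
            if is_admin:
                # Admin accounts are in the first rollout group, never exempt.
                issues.append("admin account without 2FA")
            elif due:
                issues.append("rollout week reached, 2FA not set up")
        else:
            if methods == {"sms"}:
                issues.append("SMS only, move to an authenticator app")
            if len(methods) == 1:
                issues.append("single method, no fallback if the phone is lost")
        if issues:
            findings[row["user"]] = issues
    return findings


def enrollment_rate(export_text):
    """Share of accounts with at least one 2FA method, to track the rollout."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    enrolled = sum(1 for r in rows if r["methods"].strip())
    return enrolled / len(rows) if rows else 0.0


if __name__ == "__main__":
    for user, issues in audit(SAMPLE_EXPORT, current_week=2).items():
        print(user, "->", "; ".join(issues))
    print(f"enrolled: {enrollment_rate(SAMPLE_EXPORT):.0%}")
```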

Need Help With 2FA Rollout?

Easy Cyber Protection includes step-by-step 2FA setup guides, employee communication templates, and ongoing compliance tracking for NIS2. We help Belgian SMEs implement security that actually works.

Frequently Asked Questions

What if my employees resist using 2FA?

Explain the "why" - their personal accounts (banking, email) likely already use 2FA. Emphasize it takes just 30 seconds per login. Lead by example - have management use it first. Make it mandatory with a reasonable grace period. Most resistance fades after a week of use.

Can I enforce 2FA for the whole organization?

Yes. In Microsoft 365, use Security Defaults or Conditional Access policies. In Google Workspace, use the Enforcement setting. Give users a grace period (1-2 weeks) to set up their authenticators before enforcement kicks in.

What happens if someone loses their phone?

If they saved backup codes, they can use one to log in and then set up a new authenticator. If not, an admin must reset their authentication methods. This is why saving backup codes is critical - make it part of your setup process.

Do I need 2FA on every account?

Start with the most critical: email, admin accounts, cloud storage, and financial systems. These are the accounts attackers target most. Once those are secured, expand to all business accounts. For compliance with NIS2/CyberFundamentals, all critical systems need MFA.

Is biometric (fingerprint/face) the same as 2FA?

Not exactly. Biometrics replace passwords (something you know) with something you are. True 2FA combines two different factors. However, using biometrics to unlock your authenticator app is secure - you're using "something you have" (phone) plus "something you are" (fingerprint) to generate the code.
