Set Up MFA the Right Way
A 5-minute, step-by-step walkthrough to lock down your work email with phishing-resistant multi-factor authentication. No SMS codes. Just your authenticator app.
Why this matters more than anything else
Your email is the master key to your whole digital life.
If an attacker gets into your email, they can reset the password on almost every other account you own: your bank, your ad accounts, your CRM, your payroll. The vast majority of business breaches start with one stolen or guessed password. A second factor is what stops a stolen password from becoming a stolen company.
MFA is not optional anymore. It is table stakes.
The data has been screaming this for years.
Why we call it table stakes
The Verizon DBIR has shown for years that the fastest, cheapest way for an attacker to get in is a stolen or reused password, and that MFA would have blocked most of those intrusions. It is now the baseline expectation: most cyber insurance carriers will not write a policy, or pay a claim, unless MFA is in place. If you do one thing for your security this quarter, make it this.
What account takeover actually looks like
One stolen email password rarely stays one problem. Here is how it cascades.
Ransomware foothold
A stolen login is often the attacker's first step inside. From one inbox they move laterally, find what matters, and deploy ransomware across the business. Most incidents start with a compromised account, not a movie-style hack.
Business email compromise (BEC)
The attacker sits quietly in your inbox, learns how you write and who pays you, then emails your client or your finance team as you and redirects a payment. BEC is one of the costliest crimes the FBI tracks, and the average loss runs well into six figures.
The account-takeover (ATO) cascade
Your email is the reset button for everything else. With it, an attacker walks into your bank, payroll, ad accounts, and password manager. One inbox becomes the keys to the company.
MFA breaks the chain at step one
Every one of these scenarios starts the same way: someone logs in as you with a password that was never meant to be enough on its own. An authenticator app or a passkey is the wall that stops a stolen password from ever becoming a stolen company.
Not all MFA is equal: skip SMS
Why text-message (SMS) codes are the weakest option
- SIM swapping. Attackers call your carrier, move your number to their phone, and receive your codes.
- Network interception. The aging SS7 phone network lets sophisticated attackers grab texts in transit.
- Phishable. A fake login page simply asks you for the code and relays it in real time.
- Officially discouraged. The U.S. standards body (NIST) has steered organizations away from SMS as a second factor for years.
SMS is still better than nothing. But if you are setting it up today, do it once and do it right.
Use an authenticator app instead
An authenticator app generates a fresh 6-digit code on your device every 30 seconds. Nothing travels over the phone network, so there is nothing to swap or intercept. It is free, takes two minutes to set up, and works offline.
Even stronger: a passkey (Face ID / fingerprint / security key) cannot be phished at all. Both Microsoft and Google support passkeys, and we point you to them at the end of each path.
The strongest option: passkeys
If you remember one thing from this page, make it this.
A passkey is a cryptographic login tied to your device. You unlock it with your face, your fingerprint, or a small hardware security key. There is no code to type, so there is no code to phish or steal. A passkey also checks the real web address before it works, so it simply will not unlock on a fake login page.
Do not use SMS text codes
Whatever you do, do not rely on text-message (SMS) codes as your second factor. They can be SIM-swapped, intercepted, and phished in real time. Use a passkey if you can, an authenticator app if you cannot, and remove SMS everywhere it is offered.
Use a password manager
The single best habit behind every account you own.
Reusing one password across accounts is the root cause of most account takeovers: one site gets breached, and attackers try that same password everywhere else. A password manager fixes this by generating and storing a unique, strong password for every account, so a single leak can never cascade into your whole digital life.
We recommend Keeper and 1Password. Both create and remember a different strong password for every login, and both can also hold your authenticator (TOTP) codes and your MFA backup / recovery codes in one secure, encrypted place, so your second factor and your recovery plan live somewhere you will actually find them.
Put a passkey or an authenticator app on the password manager itself, then let it carry the unique passwords for everything else.
MFA Setup Checklist
Work top to bottom. This is the whole job, in order.
- Pick your second factor. An authenticator app (Microsoft or Google Authenticator, Authy) or a password manager with built-in TOTP (Keeper, 1Password). Best of all: a passkey.
- Turn on MFA on email first (Microsoft 365 or Google), then every critical account: bank, payroll, ad platforms, domain registrar, and the password manager itself.
- Remove SMS / phone-text as a method everywhere it is offered.
- Add a passkey wherever it is supported.
- Save backup / recovery codes in your password manager.
- Use a password manager so every account has a unique, strong password.
- Register a second device or backup authenticator so you are never locked out.
MFA Bypass Prevention Checklist
MFA can still be beaten. Here are the attacks that do it, and how to stop each one.
- MFA fatigue / push bombing. Turn on number matching. Never approve a push you did not start. Deny and report any unexpected prompt.
- Adversary-in-the-middle (AiTM) / session-token theft. Use phishing-resistant MFA (passkeys or FIDO2 security keys). Never sign in from a link in an email. For Microsoft 365, enable Conditional Access and token protection.
- SIM swap. Do not use SMS. Set a port-out PIN with your mobile carrier.
- Help-desk / reset social engineering. Require identity verification before any MFA reset. Lock down your recovery email and phone, and put MFA on them too.
- Legacy protocol bypass. Disable legacy / basic authentication (IMAP, POP, SMTP basic) in Microsoft 365 and Google so attackers cannot skip MFA entirely.
- OAuth consent phishing. Review and limit the third-party app permissions granted to your email account.
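Two of the items above, push bombing and legacy-protocol bypass, leave a recognisable trace in sign-in logs, and a small check over those logs is a cheap way to catch them. The code below is an added example, not from the page or from any vendor's product: it runs two detections over constructed sample records whose field names (ts, user, result, mfa_method, client_app) are assumptions and not any real log schema. The first flags a user who receives many denied or unanswered push prompts inside a ten-minute window; the second lists successful sign-ins over protocols that skip MFA, which should be empty once basic authentication is disabled.

```python
"""Sign-in log checks for push bombing and legacy-auth bypass (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample records; the schema is an assumption for this example only.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:10+00:00", "user": "alice@example.com", "result": "mfa_denied",  "mfa_method": "push", "client_app": "Browser"},
    {"ts": "2024-05-01T09:00:40+00:00", "user": "alice@example.com", "result": "mfa_timeout", "mfa_method": "push", "client_app": "Browser"},
    {"ts": "2024-05-01T09:01:05+00:00", "user": "alice@example.com", "result": "mfa_denied",  "mfa_method": "push", "client_app": "Browser"},
    {"ts": "2024-05-01T09:01:30+00:00", "user": "alice@example.com", "result": "mfa_denied",  "mfa_method": "push", "client_app": "Browser"},
    {"ts": "2024-05-01T09:02:00+00:00", "user": "alice@example.com", "result": "mfa_timeout", "mfa_method": "push", "client_app": "Browser"},
    {"ts": "2024-05-01T09:02:35+00:00", "user": "alice@example.com", "result": "mfa_denied",  "mfa_method": "push", "client_app": "Browser"},
    {"ts": "2024-05-01T09:03:10+00:00", "user": "alice@example.com", "result": "mfa_denied",  "mfa_method": "push", "client_app": "Browser"},
    {"ts": "2024-05-01T09:03:40+00:00", "user": "alice@example.com", "result": "success",     "mfa_method": "push", "client_app": "Browser"},
    {"ts": "2024-05-01T08:00:00+00:00", "user": "bob@example.com",   "result": "mfa_denied",  "mfa_method": "push", "client_app": "Browser"},
    {"ts": "2024-05-01T15:00:00+00:00", "user": "bob@example.com",   "result": "mfa_denied",  "mfa_method": "push", "client_app": "Browser"},
    {"ts": "2024-05-01T11:20:00+00:00", "user": "carol@example.com", "result": "success",     "mfa_method": "none", "client_app": "IMAP4"},
    {"ts": "2024-05-01T11:25:00+00:00", "user": "dave@example.com",  "result": "success",     "mfa_method": "push", "client_app": "Browser"},
]

PROMPT_FAILURES = {"mfa_denied", "mfa_timeout"}
# Protocols that authenticate with a bare password and never present an MFA prompt.
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Other clients"}


def push_bombing(events, threshold: int = 5, window_s: int = 600) -> dict:
    """Map user -> largest number of failed/unanswered push prompts seen inside any
    `window_s`-second sliding window, for users at or above `threshold`."""
    per_user = defaultdict(list)
    for e in events:
        if e["mfa_method"] == "push" and e["result"] in PROMPT_FAILURES:
            per_user[e["user"]].append(datetime.fromisoformat(e["ts"]))
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def legacy_auth_signins(events) -> list:
    """(user, client_app) for every successful sign-in over a legacy protocol.
    Any entry here is a login that bypassed MFA entirely."""
    return [(e["user"], e["client_app"]) for e in events
            if e["result"] == "success" and e["client_app"] in LEGACY_CLIENT_APPS]


if __name__ == "__main__":
    for user, n in push_bombing(SAMPLE_EVENTS).items():
        print(f"possible push bombing: {user} had {n} failed/unanswered prompts in 10 min")
    for user, app in legacy_auth_signins(SAMPLE_EVENTS):
        print(f"legacy auth sign-in without MFA: {user} via {app}")
```

Alice's burst of seven prompts followed by a success is the classic fatigue pattern; the single success at the end is the one to treat as an incident, not a false positive. Bob's two denials a day apart are normal user behaviour and stay below the threshold. Carol's IMAP4 success is the bypass the legacy-auth item describes, and disabling basic authentication is what makes that list empty.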
The wizard: set it up now
Pick the email you use for work. Tap each step as you finish it.
Install an authenticator app
Microsoft 365
Install an authenticator app
On your phone, install Microsoft Authenticator (or Google Authenticator / Authy). It is free.
Open your security settings
On a computer, go to aka.ms/mfasetup and sign in. This is your Microsoft "Security info" page.
Add the authenticator app
Click "Add sign-in method" → "Authenticator app" → "Add account / Work or school". A QR code appears.
Scan the QR code
In the phone app tap the plus, choose "Work or school account", and scan the code on your screen. Approve the test prompt.
Make it your default and remove SMS
Set the authenticator app as your default sign-in method. If a phone-text method is listed, delete it so codes never go to SMS.
Strongest option: add a passkey
Back on the Security info page, add a "passkey" or "Windows Hello / Face ID" method. This is phishing-proof. Optional but recommended.
Google
Install an authenticator app
On your phone, install Google Authenticator (or Microsoft Authenticator / Authy). It is free.
Open Google security settings
On a computer, go to myaccount.google.com/security and sign in.
Open 2-Step Verification
Click "2-Step Verification". If it is off, turn it on. Then find "Authenticator app" and click "Set up".
Scan the QR code
In the phone app tap the plus, choose "Scan a QR code", and scan the code on your screen. Enter the 6-digit code to confirm.
Remove SMS as a method
Under 2-Step Verification, remove "Voice or text message" so codes never go to SMS. Keep backup codes in a safe place.
Strongest option: add a passkey
On the same page add a "Passkey" using Face ID, fingerprint, or a security key. This is phishing-proof. Optional but recommended.
Do this for every critical account, not just email: your bank, payroll, ad platforms, and password manager. Save your backup codes somewhere safe in case you lose your phone.
📥 Download the MFA Hardening Checklist
MFA setup + MFA-bypass-prevention checklist, plus password-manager and passkey guidance. Personalized to your company. Drop your details and we will build your PDF on the spot, ready to circulate to IT, finance, and the team.
- MFA Setup Checklist: pick a second factor, turn on MFA, kill SMS, add a passkey, save backup codes
- MFA Bypass Prevention Checklist: stop push bombing, AiTM, SIM swap, help-desk fraud, legacy auth, OAuth consent
- Password manager guidance: Keeper + 1Password, unique passwords, TOTP, backup codes in one place
- Passkey + no-SMS guidance: the strongest, phishing-proof option
No follow-up sequence unless you ask. We use your email only to send the checklist + (optionally) walk through it with a Cyvatar advisor.
Need this across your whole team?
Setting up MFA one person at a time is fine. Enforcing it across every employee, every app, and proving it for compliance is what Cyvatar does. We manage multi-factor and identity org-wide so it is on, everywhere, without the chase. Stolen credentials are the number one way ransomware gets in, so identity is the first layer of ransomware continuous remediation.