iKonyk Solutions - Dependable IT Services | (403) 775-0500 | info@ikonyk.ca

How to Set Up Two-Factor Authentication on Everything That Matters

Your password got stolen. You just don’t know it yet.

That’s not a scare tactic — it’s statistics. Billions of usernames and passwords have leaked in data breaches over the past decade, and many of them are still being tested against business accounts right now, quietly, by automated tools running around the clock.

Two-factor authentication (2FA) is the single most effective thing you can do to stop that from turning into a real problem.

What it actually is

When you log in somewhere with 2FA turned on, your password is step one. Step two is proving you’re actually you — usually by entering a short code, approving a prompt on your phone, or using a hardware key.

Even if someone has your password, they can’t get in without that second step. That’s the whole point.

Not all 2FA is equal

Here’s the part most guides skip: the type of second factor matters.

SMS text codes are the most common and the weakest. They work, and they’re better than nothing — but text messages can be intercepted or redirected if someone targets you specifically. For most small businesses it’s still a meaningful improvement, just not the ceiling.

Authenticator apps (like Microsoft Authenticator, Google Authenticator, or Apple’s built-in authenticator) are significantly better. The code is generated on your device and changes every 30 seconds. Nothing travels over the phone network. This is what we recommend for most business accounts.

Passkeys are the newest option and increasingly the best one. Instead of a code, your device (phone or laptop) handles the verification automatically using biometrics or a PIN — and because it’s tied to the legitimate website, a fake login page can’t steal it. Google, Microsoft, Apple, and most major platforms now support them. If a service offers passkeys, use them.

Hardware keys (like a YubiKey) are the gold standard for high-value accounts. You plug in a physical device or tap it to your phone. Very difficult to compromise remotely. Typically overkill for most small business accounts, but worth it for admin accounts and financial systems.

What to turn it on for first

You can’t do everything at once. Here’s the order that matters most:

  1. Email — this is the master key. Whoever controls your email can reset every other password. Microsoft 365 and Gmail both support 2FA and passkeys. Do this one today.
  2. Microsoft 365 / Google Workspace — if your team uses it, every account should have 2FA. Full stop.
  3. Banking and financial accounts — online banking, accounting software (QuickBooks, Xero, Wave), payment processors.
  4. Your domain registrar — whoever manages your business domain (GoDaddy, Namecheap, etc.). Losing control of your domain is catastrophic.
  5. Any software that stores client data — CRM, practice management, cloud storage.
  6. Social media accounts — lower stakes but still worth it. A hijacked business Facebook page is an embarrassing mess to untangle.

How to set it up

Every platform is slightly different, but the pattern is almost always the same:

  1. Go to your account settings — look for “Security” or “Privacy”
  2. Find the 2FA or two-step verification option
  3. Choose your method (authenticator app is the default recommendation)
  4. Follow the setup steps — usually involves scanning a QR code with the app
  5. Save your backup codes somewhere secure (not in your email inbox)

For Microsoft 365 specifically, an administrator can enforce 2FA for all users — which means no one on your team can skip it. That’s how it should be set up.

A word on backup codes

When you set up 2FA, most services give you a set of one-time backup codes to use if you lose access to your second factor. Print them. Put them somewhere physical and secure. If you lose your phone and don’t have backup codes, getting back into your accounts is a painful process.
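To show what is on the service's side of those backup codes, here is a second example added for this article (not code from any particular service). It generates a set of one-time codes from an alphabet without look-alike characters, and stores only salted hashes of them so that a stolen user database does not hand out working codes; redeeming a code removes it, so each one works exactly once. The code count, length and alphabet are choices made for this example.

```python
import hashlib
import hmac
import secrets

# Alphabet without 0/O, 1/I/L look-alikes so a printed code can be typed back
# reliably. 31 symbols ^ 10 characters is roughly 49 bits of entropy per code
# (values chosen for this example).
ALPHABET = "23456789ABCDEFGHJKMNPQRSTUVWXYZ"
CODE_COUNT = 10
CODE_LEN = 10


def generate_backup_codes(count: int = CODE_COUNT, length: int = CODE_LEN) -> list[str]:
    """Fresh random codes, shown to the user once at setup time."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length))
            for _ in range(count)]


def format_code(code: str) -> str:
    """Display form, e.g. K7M4P-3Q9WX, easier to read off a printout."""
    return f"{code[:5]}-{code[5:]}"


def normalise(code: str) -> str:
    """Accept the code however the user typed it: with or without the dash, any case."""
    return code.replace("-", "").replace(" ", "").upper()


def _digest(code: str, salt: bytes) -> str:
    # The codes are high-entropy random strings, so a salted SHA-256 is enough;
    # slow password hashes exist for low-entropy, user-chosen secrets.
    return hashlib.sha256(salt + normalise(code).encode()).hexdigest()


class BackupCodeStore:
    """What the service keeps per user: a salt and the hashes of unused codes."""

    def __init__(self, codes: list[str]):
        self.salt = secrets.token_bytes(16)
        self.unused = {_digest(c, self.salt) for c in codes}

    def redeem(self, submitted: str) -> bool:
        """True, and the code is burned, if it matches an unused code."""
        candidate = _digest(submitted, self.salt)
        for stored in list(self.unused):
            if hmac.compare_digest(stored, candidate):
                self.unused.remove(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self.unused)


if __name__ == "__main__":
    codes = generate_backup_codes()
    print("print these and keep them somewhere physical:")
    for c in codes:
        print("  ", format_code(c))
    store = BackupCodeStore(codes)
    print("first use:", store.redeem(format_code(codes[0])))   # True
    print("second use of the same code:", store.redeem(codes[0]))  # False
    print("codes left:", store.remaining())
```

The reason the plaintext codes are printed once and never stored is the same reason the article says not to keep them in your inbox: whoever can read the place they are kept can use them as a second factor.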

The bottom line

Two-factor authentication won’t make you bulletproof. But it closes the door on the most common type of account takeover — someone using a stolen password. That’s worth 10 minutes of setup per account.

If you want help rolling this out across your team — including enforcing it in Microsoft 365 — give us a call. It’s one of the easiest wins in cybersecurity.
