A stolen password alone should not be enough to compromise your account. That's the entire promise of multi-factor authentication (MFA). Despite being widely supported, it remains the most commonly skipped security step.

This guide covers every major platform that remote IT workers touch, with exact steps for each.

Before You Start

Get an authenticator app first. You'll need it for most of these:

Key concepts:

Always use TOTP or hardware keys over SMS when available.
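Every "scan the QR code, enter the 6-digit code" step in the platform sections below is the same mechanism, TOTP (RFC 6238): the QR code carries a shared secret, and both your app and the service derive a short-lived code from that secret and the current time. The following is an added example, not part of this guide, that implements the generation side and a defensive verification side (a small clock-drift window plus rejection of an already-used time step). The secret is the RFC 4226/6238 test-vector secret encoded as base32, used here as a constructed demo value; the function and class names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226/6238 test-vector key "12345678901234567890"
# as base32. A real secret is random and is what the enrollment QR code carries.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP where the counter is the number of 30-second steps since the epoch."""
    t = int(time.time()) if for_time is None else int(for_time)
    return hotp(secret_b32, t // step, digits)


class TotpVerifier:
    """Service-side check for a submitted code.

    Accepts the current step and `window` steps either side to tolerate clock drift,
    compares in constant time, and never accepts a step at or below the last one that
    succeeded, so a code captured and replayed inside its 30-second lifetime is refused.
    """

    def __init__(self, secret_b32, step=30, digits=6, window=1):
        self.secret_b32 = secret_b32
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1                    # highest step already consumed

    def verify(self, code, now=None):
        t = int(time.time()) if now is None else int(now)
        counter = t // self.step
        for offset in range(-self.window, self.window + 1):
            candidate = counter + offset
            if candidate <= self.last_counter:    # already used (or older): replay, reject
                continue
            expected = hotp(self.secret_b32, candidate, self.digits)
            if hmac.compare_digest(expected, str(code)):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # Demo against a fixed time so the output is reproducible (RFC 6238 vector: T=59).
    verifier = TotpVerifier(DEMO_SECRET_B32)
    code = totp(DEMO_SECRET_B32, for_time=59)
    print("code at T=59:", code)
    print("first use accepted:", verifier.verify(code, now=59))
    print("replay accepted:", verifier.verify(code, now=59))
```

The verifier keeps state per account (`last_counter`); without that, a phished or shoulder-surfed code remains valid for the rest of its time step, which is exactly the gap the hierarchy at the end of this guide is ranking against when it puts hardware keys above TOTP.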


Gmail / Google Account

Google is often the root account for everything else. Protecting it is critical.

  1. Go to myaccount.google.com → Security
  2. Under "How you sign in to Google," click 2-Step Verification
  3. Click Get started
  4. You'll be asked to verify your identity first
  5. Scroll past "Google prompts" and click Authenticator app
  6. Click Set up authenticator → scan the QR code with your authenticator app
  7. Enter the 6-digit code to verify
  8. Click Turn on

Additional hardening:


Cloudflare

Cloudflare controls your DNS — if compromised, an attacker can redirect your entire domain.

  1. Log into dash.cloudflare.com
  2. Click your profile picture (top right) → My Profile
  3. Click Authentication in the left sidebar
  4. Under Two-Factor Authentication, click Enable
  5. You'll see a QR code — scan it with your authenticator app
  6. Enter the 6-digit code and click Verify Code
  7. Save your backup codes — download or copy them to your password manager

Account security settings (also do these):


GitHub

GitHub hosts your code. An attacker with access can push malicious code or wipe repositories.

  1. Go to github.com → click your avatar → Settings
  2. In the left sidebar: Password and authentication
  3. Under "Two-factor authentication," click Enable two-factor authentication
  4. Choose Authenticator app (recommended over SMS)
  5. Scan the QR code with your authenticator app
  6. Enter the 6-digit code → Continue
  7. Download your recovery codes → save them in your password manager and a secure offline location
  8. Click I have saved my recovery codes → confirm

Additional GitHub security:


Formspree

Formspree handles your contact form submissions — worth securing.

  1. Log into formspree.io
  2. Click your email/avatar → Account Settings
  3. Find the Security or Two-Factor Authentication section
  4. Enable TOTP-based 2FA
  5. Scan QR code, enter verification code
  6. Save backup codes

Microsoft 365

Microsoft 365 is often the most business-critical account in any remote team. MFA here is non-negotiable.

For Individual Users

  1. Go to mysignins.microsoft.com → Security info
  2. Click + Add sign-in method
  3. Select Authenticator app
  4. Click Add → choose "Use a different authenticator app" if not using Microsoft Authenticator
  5. Scan QR code with your app → click Next
  6. Enter the code shown → Next → Done

For Microsoft 365 Admins (Enabling for Everyone)

Modern method — Conditional Access (recommended for M365 Business Premium and above):

  1. Go to admin.microsoft.com → Security → Conditional Access
  2. Create a new policy requiring MFA for all users
  3. Set it to report-only first, then enforce after reviewing

Legacy method — Per-user MFA:

  1. admin.microsoft.com → Users → Active users
  2. Click Multi-factor authentication in the top menu
  3. Select all users → Enable
  4. Users will be prompted to set up MFA on next sign-in

Security Defaults (simplest for small orgs):

  1. Azure AD (Entra ID) → Properties → Manage Security Defaults
  2. Toggle to Enabled → Save
  3. This automatically enables MFA for all users and blocks legacy auth protocols

Apple ID

Apple ID controls device management, iCloud backup, Find My, and App Store purchases.

  1. Go to appleid.apple.com or Settings on iPhone → [Your Name]
  2. Tap Sign-In & Security
  3. Tap Two-Factor Authentication → Turn On
  4. Follow the prompts to verify a trusted phone number
  5. Apple sends verification codes to trusted devices — no separate authenticator app needed for basic use

For stronger Apple ID security:


Bank Accounts

Every bank does this differently, but the pattern is the same.

  1. Log into your bank's website → find Settings, Security, or Profile
  2. Look for: Two-factor authentication, Two-step verification, Login verification
  3. Enable TOTP (app-based) if available — many banks still only offer SMS
  4. If SMS is the only option, use it — it's still better than nothing
  5. Note the backup phone/email recovery options and keep them current

Banks that offer app-based TOTP: Check your bank's security settings. Large US banks (Chase, Bank of America, Wells Fargo) mostly use proprietary apps or SMS. Credit unions often support TOTP via third-party apps.

If your bank only supports SMS: that's their limitation. Use a dedicated phone number for banking SMS that isn't shared anywhere else.


Your Password Manager

This is the most important one — your password manager holds everything.

Bitwarden

  1. bitwarden.com → My Account → Security → Two-step Login
  2. Click Manage next to Authenticator App
  3. Scan QR code with your authenticator app
  4. Enter the 6-digit code → Enable
  5. Copy recovery code → store it somewhere separate from Bitwarden (written on paper, or in a truly offline location)

1Password

  1. Profile → More Actions → Two-Factor Authentication
  2. Click Set Up App → scan QR code
  3. Enter code → Confirm
  4. Remember: 1Password already requires your Secret Key, which functions as a second factor at the account level

KeePass

KeePass doesn't have cloud authentication — it uses a local key file as a second factor:

  1. File → Change Master Key
  2. Check "Key file / provider" → Create
  3. Save the key file to a different location than your database (e.g., a USB drive)

After Enabling MFA Everywhere

Test your recovery codes. Don't assume they work — actually test one on an account where you have a backup method.

Store backup codes properly:

The critical scenario: If you lose your phone and your only MFA device, can you still get in? Make sure the answer is yes before you need it.
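The backup codes the sections above tell you to save are single-use secrets, and "test one" means exactly what this added example models: a code works once and is then gone. This is not code from this guide or from any of the services named here; it is a generic illustration of how a service can issue recovery codes (random, from `secrets`), store only salted hashes of them, and consume each one exactly once. Names such as `RecoveryCodeStore` are my own, and the alphabet and code format are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed alphabet: lowercase letters and digits with the easily confused 0/o/1/l/i removed,
# so a code read back from paper is unambiguous. 31 symbols ** 10 positions is about 49 bits.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10


def generate_recovery_codes(count=10, length=CODE_LENGTH):
    """Issue `count` random codes, shown to the user once, formatted as xxxxx-xxxxx."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
        codes.append(raw[:5] + "-" + raw[5:])
    return codes


def _normalize(code):
    """Accept codes typed with or without the dash, spaces, or different case."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def _digest(code, salt):
    # PBKDF2 so a leaked store does not hand over usable codes; codes are short, and
    # unlike passwords there is no login-throttling on them to lean on.
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, 100_000)


class RecoveryCodeStore:
    """Service-side store: keeps salted hashes only, and each code redeems at most once."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self.unused = [_digest(c, self.salt) for c in codes]

    def remaining(self):
        return len(self.unused)

    def redeem(self, submitted):
        """Return True and burn the code on a match, False otherwise (constant-time compare)."""
        candidate = _digest(submitted, self.salt)
        for i, stored in enumerate(self.unused):
            if hmac.compare_digest(stored, candidate):
                del self.unused[i]
                return True
        return False


if __name__ == "__main__":
    codes = generate_recovery_codes()
    store = RecoveryCodeStore(codes)
    print("issued:", codes)
    print("first use of code 0:", store.redeem(codes[0]))     # True
    print("second use of code 0:", store.redeem(codes[0]))    # False: single-use
    print("codes left:", store.remaining())                   # 9
```

Two points to carry over to how you handle your own codes: the service cannot show them to you again (it only holds hashes), which is why the guides above say to save them at issue time, and a code you have tested is consumed, so note which one you used and regenerate the set when few remain.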

Recommended MFA hierarchy:

  1. FIDO2 hardware key (YubiKey) — most secure, phishing-proof
  2. TOTP authenticator app — strong, widely supported
  3. Email-based OTP — acceptable fallback
  4. SMS — use only when nothing else is available

Enabling MFA on everything in this list takes about two hours. It's the highest-ROI security work you can do today.