How to Set Up MFA for Your School (Google Workspace & Microsoft 365)
Step-by-step instructions for enabling multi-factor authentication on your school's Google Workspace or Microsoft 365 accounts.
Why MFA Is Non-Negotiable for Schools
Multi-factor authentication (MFA) is the single most effective security measure your school can implement. Google reports that MFA blocks 99.9% of automated attacks.
After the Catholic School Google Workspace breach — where a teacher's reused password led to 1,200 student records being exposed — the message is clear: if your school doesn't have MFA, you're one stolen password away from a breach.
Google Workspace for Education
For Admins: Enabling MFA for Your School
Step 1: Sign in to your Google Admin console (admin.google.com)
Step 2: Go to Security → Authentication → 2-Step Verification
Step 3: Check "Allow users to turn on 2-Step Verification"
Step 4: Under Enforcement, select "Turn on enforcement"
Step 5: Set the enrollment period:
- Give staff 1-2 weeks to set up MFA before enforcement
- New users should be required to set up MFA immediately
Step 6: Choose allowed methods:
- Recommended: Google Authenticator app or Google prompts
- Acceptable: Physical security keys
- Not recommended: SMS (vulnerable to SIM swapping)
Step 7: Click Save
For Teachers/Staff: Setting Up MFA
Step 1: Go to myaccount.google.com → Security
Step 2: Under "Signing in to Google," click 2-Step Verification
Step 3: Click Get Started and enter your password
Step 4: Choose your method:
- Google Prompts (easiest — tap "Yes" on your phone)
- Authenticator App (scan QR code with Google Authenticator)
Step 5: Add a backup method (backup codes or backup phone)
Step 6: Save your backup codes in a safe place
Microsoft 365 for Education
For Admins: Enabling MFA
Step 1: Sign in to the Microsoft 365 admin center
Step 2: Go to Settings → Org settings → Security & privacy
Step 3: Select Multi-factor authentication
Step 4: Click Configure multi-factor authentication
Step 5: Select users or "All users" and enable MFA
Step 6: Choose enforcement options:
- Enabled: Users are enrolled but not yet required
- Enforced: Users must use MFA at every sign-in
For Teachers/Staff: Setting Up MFA
Step 1: Sign in to office.com
Step 2: When prompted for additional verification, click Next
Step 3: Install the Microsoft Authenticator app on your phone
Step 4: In the app, tap + → Work or school account → scan the QR code
Step 5: Complete the test verification
Tips for a Smooth Rollout
1. Communicate early — send an email explaining why MFA is being enabled and what staff need to do
2. Set a deadline — give staff 1-2 weeks, then enforce
3. Offer help sessions — set up a time for staff who need hands-on help
4. Have backup codes ready — help staff save their backup codes
5. Be prepared for lockouts — admins should know how to temporarily disable MFA for locked-out users
6. Start with admins — enable for admin accounts first, then all staff
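To track the rollout against the enforcement deadline, a short script can list who has not enrolled yet, admins first. This is an added example, not part of the original guide: the CSV column names (`email`, `role`, `mfa_enrolled`), the accounts and the dates are constructed, so map them to the headers in your own admin-console user export.

```python
import csv
import io
from datetime import date

# Constructed sample export. Column names are assumptions for this example,
# not the exact headers of a Google or Microsoft user export.
SAMPLE_EXPORT = """email,role,mfa_enrolled
principal@school.example,admin,true
it.lead@school.example,admin,false
teacher.a@school.example,staff,TRUE
teacher.b@school.example,staff,
new.hire@school.example,staff,false
"""


def rollout_report(export_text, enforce_on, today):
    """Summarise MFA enrollment and list accounts that enforcement would lock out."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    # Fail closed: a blank or unexpected value counts as "not enrolled".
    pending = [r for r in rows
               if (r.get("mfa_enrolled") or "").strip().lower() != "true"]
    # Admin accounts are enabled first in the rollout, so report them first.
    pending.sort(key=lambda r: (r["role"] != "admin", r["email"]))
    enrolled = len(rows) - len(pending)
    return {
        "total": len(rows),
        "enrolled_pct": round(100 * enrolled / len(rows), 1) if rows else 0.0,
        "days_left": (enforce_on - today).days,
        "pending_admins": [r["email"] for r in pending if r["role"] == "admin"],
        "pending_staff": [r["email"] for r in pending if r["role"] != "admin"],
    }


if __name__ == "__main__":
    report = rollout_report(SAMPLE_EXPORT,
                            enforce_on=date(2025, 3, 24),  # constructed deadline
                            today=date(2025, 3, 17))
    print(f"{report['enrolled_pct']}% enrolled, "
          f"{report['days_left']} days until enforcement")
    for email in report["pending_admins"]:
        print("ADMIN not enrolled (fix first):", email)
    for email in report["pending_staff"]:
        print("Staff not enrolled (send reminder):", email)
```

Run it against a fresh export a few days before the deadline so the help sessions can target the accounts still listed.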
Common Objections (and Responses)
"It's too inconvenient" → MFA prompts are needed only on new devices or every 30 days. It takes 5 seconds.
"I don't have a smartphone" → Hardware security keys work too. Or use backup codes.
"Our staff won't learn it" → Authenticator apps are straightforward — setup takes under 5 minutes, and daily use is just tapping "approve" on a notification.
"We've never been hacked" → That you know of. 80% of breaches involve compromised credentials.
What's Next
After enabling MFA, consider checking the rest of your security posture:
- Email Security Checklist — verify your email authentication
- Security Scorecard — comprehensive security assessment
- DPA Compliance Checker — check your DPA compliance