SchoolBreach.org
BreachesTrendsToolsLearnAbout
Free Security Check
Security Check
SchoolBreach.org

A public resource tracking data breaches in Philippine schools. Helping administrators protect student data through awareness, education, and free security tools.

© 2026 SchoolBreach.org · A community service by OceanEd

Navigate

  • Breaches
  • Trends
  • Tools
  • Learn
  • Methodology

Company

  • About
  • Privacy Policy
  • Terms of Service
  • Contact Us

Disclaimer: This tracker is maintained for educational and awareness purposes. Incidents are documented using threat intelligence monitoring, Philippine media reports, NPC filings, and responsible disclosures. Social media platforms are monitored for leads and are corroborated before publication or naming — never through active scanning or exploitation. Severity ratings and summaries are prepared with AI assistance and reviewed editorially. Full methodology →

Back to Learn
guide

How to Set Up MFA for Your School (Google Workspace & Microsoft 365)

Step-by-step instructions for enabling multi-factor authentication on your school's Google Workspace or Microsoft 365 accounts.

8 min readMFA, 2FA, Google Workspace

Why MFA Is Non-Negotiable for Schools

Multi-factor authentication (MFA) is the single most effective security measure your school can implement. Microsoft reports that MFA blocks over 99.9% of account-compromise attacks.

After the Catholic School Google Workspace breach — where a teacher's reused password led to 1,200 student records being exposed — the message is clear: if your school doesn't have MFA, you're one stolen password away from a breach.

Google Workspace for Education

For Admins: Enabling MFA for Your School

Step 1: Sign in to your Google Admin console (admin.google.com)

Step 2: Go to Security → Authentication → 2-Step Verification

Step 3: Check "Allow users to turn on 2-Step Verification"

Step 4: Under Enforcement, select "Turn on enforcement"

Step 5: Set the enrollment period:

  • Give staff 1-2 weeks to set up MFA before enforcement
  • New users should be required to set up MFA immediately

Step 6: Choose allowed methods:

  • Recommended: Google Authenticator app or Google prompts
  • Acceptable: Physical security keys
  • Not recommended: SMS (vulnerable to SIM swapping)

Step 7: Click Save

Heads-up: Google is rolling out mandatory 2-Step Verification for Workspace administrators, including Workspace for Education. Super admins are notified roughly 90 days before enforcement begins — enrol early and confirm everyone has a backup method to avoid lockouts.

For Teachers/Staff: Setting Up MFA

Step 1: Go to myaccount.google.com → Security

Step 2: Under "Signing in to Google," click 2-Step Verification

Step 3: Click Get Started and enter your password

Step 4: Choose your method:

  • Google Prompts (easiest — tap "Yes" on your phone)
  • Authenticator App (scan QR code with Google Authenticator)

Step 5: Add a backup method (backup codes or backup phone)

Step 6: Save your backup codes in a safe place

Microsoft 365 for Education

For Admins: Enabling MFA

2025 update: Microsoft retired the legacy per-user MFA portal (the old Enabled / Enforced states under Org settings) on September 30, 2025. MFA is now turned on with Security Defaults or Conditional Access, and methods are managed in the Microsoft Entra admin center (entra.microsoft.com).

Option A — Security Defaults (free, simplest, good for most schools):

Step 1: Sign in to the Microsoft Entra admin center (entra.microsoft.com) as a Global Administrator

Step 2: Go to Entra ID → Overview → Properties

Step 3: Select Manage security defaults

Step 4: Set Security defaults to Enabled and save — this requires MFA for every user and blocks legacy (password-only) sign-in protocols

Option B — Conditional Access (more control; needs a Microsoft Entra ID P1 license, included with many Education plans):

Step 1: In the Microsoft Entra admin center, first turn off Security Defaults — the two can't run at the same time

Step 2: Go to Protection → Conditional Access → Policies

Step 3: Select + New policy from template and pick the Require multifactor authentication template

Step 4: Scope it to All users (exclude one break-glass admin account), then set Grant → Require multifactor authentication

Step 5: Switch the policy from Report-only to On and save

Microsoft now also mandates MFA to sign in to its own admin centers (Entra, Azure, Intune), so enrol admin accounts first.

For Teachers/Staff: Setting Up MFA

Step 1: Sign in at microsoft365.com (formerly office.com)

Step 2: When prompted for additional verification, click Next

Step 3: Install the Microsoft Authenticator app on your phone

Step 4: In the app, tap + → Work or school account → scan the QR code

Step 5: Complete the test verification

Tips for a Smooth Rollout

  1. 1Communicate early — send an email explaining why MFA is being enabled and what staff need to do
  2. 2Set a deadline — give staff 1-2 weeks, then enforce
  3. 3Offer help sessions — set up a time for staff who need hands-on help
  4. 4Have backup codes ready — help staff save their backup codes
  5. 5Be prepared for lockouts — admins should know how to temporarily disable MFA for locked-out users
  6. 6Start with admins — enable for admin accounts first, then all staff

Common Objections (and Responses)

"It's too inconvenient" → MFA prompts are needed only on new devices or every 30 days. It takes 5 seconds.

"I don't have a smartphone" → Hardware security keys work too. Or use backup codes.

"Our staff won't learn it" → Authenticator apps are straightforward — setup takes under 5 minutes, and daily use is just tapping "approve" on a notification.

"We've never been hacked" → That you know of. 80% of breaches involve compromised credentials.

What's Next

After enabling MFA, consider checking the rest of your security posture:

  • Email Security Checklist — verify your email authentication
  • Security Scorecard — comprehensive security assessment
  • DPA Compliance Checker — check your DPA compliance
More ArticlesTry the Password Strength Tester →