If you only do one thing to improve your Google Workspace security, make it this. Multi-factor authentication — MFA, 2FA, two-step verification, whatever you want to call it — is the single most effective control available to a small business. It stops account takeover attacks even when a password is compromised. And passwords get compromised constantly.
Credential stuffing, phishing, data breaches from other services your team has used — there are dozens of ways an attacker can end up with a valid username and password for one of your accounts. Without MFA, that's all they need. With MFA, it's not enough. The attacker needs the second factor too, and they almost certainly don't have it.
Here's how to set it up properly — not just "available", but enforced.
The difference between "available" and "enforced"
This is the most common mistake. Google Workspace lets you make MFA available without requiring it. In that configuration, users can choose to set it up — but they don't have to. In practice, most won't. The friction of learning a new login step isn't a good enough motivator for people who just want to get their work done.
"Available but not required is functionally the same as off. You need enforcement — the whole point is that users don't get a choice."
Enforcement means no user can access their Workspace account without completing MFA. Existing users get a grace period to set it up before they're locked out. New users are prompted on first login. Nobody slips through.
Step-by-step: enforcing MFA on Google Workspace
1 Log into the Admin Console
Go to admin.google.com and sign in with your Super Admin account. If you don't have Super Admin access, you'll need someone who does — you cannot change this setting from a regular user account.
2 Navigate to 2-Step Verification settings
In the left navigation: Security → Authentication → 2-step verification. You'll see the current policy for your organisation.
3 Set the policy to "On"
Under "Enforcement", change the setting from "Off" to "On" (or "On from" a date a week or two out, if you want existing users to have a deadline before they are forced to enrol). This is the enforcement switch. The "Allow users to turn on 2-Step Verification" checkbox above it only makes 2SV available and is the "available but not required" trap described earlier. Once enforcement is active, users who haven't enrolled are taken through enrolment at their next sign-in and cannot reach their account until they finish.
New user enrolment period: This applies to newly created accounts only, and gives a new starter time to sign in and enrol before enforcement kicks in. Set it to a short period, such as one week. Don't set it to "None" — a new user then can't get past their first sign-in until 2SV is set up, which turns a forgotten phone on day one into a support call.
Frequency: "Allow users to trust the device" is reasonable for ordinary users — after a successful verification they won't be asked for the second factor again on that device. The trade-off is that a stolen or shared trusted device no longer needs the second factor, so don't rely on device trust for admin accounts or shared machines.
4 Choose which methods to allow
Google supports several MFA methods. The "Methods" setting lets you allow any of them, any except verification codes via text or phone call, or security keys only. From strongest to weakest:
- Security key (most secure): A physical hardware key like a YubiKey. It is the only option here that is phishing-resistant — the key only signs for the genuine Google sign-in origin, so a lookalike login page cannot capture anything usable. Best for admin accounts and high-privilege users.
- Google Prompt (recommended for most users): A push notification to a phone that is signed in to the account. The easiest for users and reasonably secure, but a user can be nagged into tapping "Yes", or approve a sign-in that a real-time phishing page relayed to Google on the attacker's behalf.
- Authenticator app: A time-based one-time code from an app like Google Authenticator or Authy. More secure than SMS, but a code typed into a phishing page works for the attacker just as well as for the user.
- SMS codes: A code sent by text message. Available but weakest — SMS can be intercepted or SIM-swapped. If you keep it at all, keep it only as a fallback; choosing "Any except verification codes via text, phone call" removes it entirely and is the right setting for admin accounts at minimum.
For most small businesses, Google Prompt plus an authenticator app option strikes the right balance between security and usability.
5 Apply to all users and save
The policy is set per organisational unit, so make sure it is applied at the top-level organisation (not just a specific organisational unit) so every child unit inherits it. Save the settings. Enforcement is now active.
Want to check your current MFA status?
The free GetBulwark audit covers MFA enforcement as one of 20 checks — plus gives you a written report on every other security setting in your Workspace.
Communicating the change to your team
Before you flip the switch, tell your team what's happening and why. A brief message explaining that MFA is being enforced for everyone, what to expect, and how to set it up goes a long way toward avoiding frustrated calls on the morning it kicks in.
The message doesn't need to be long. Something like: "We're turning on two-step verification for all Google accounts next week. When you next log in, you'll be asked to set it up — it takes about 2 minutes. Here's a short guide." That's enough.
Give people a clear deadline: a week or two after the announcement is plenty, and if you used "On from" in step 3, that date is the deadline. Check the Security user report in the Admin Console (Reporting → User reports → Security), which lists 2-Step Verification enrolment and enforcement per user, to see who has and hasn't enrolled. Follow up with anyone who hasn't set it up before the deadline.
What about admin accounts?
Admin accounts — especially Super Admin — should be held to a higher standard. For these accounts, require a hardware security key rather than app-based MFA: put admins in their own organisational unit and set "Methods" to "Only security key" for that unit. A Super Admin can change any setting in your Workspace (including turning 2SV enforcement off again), add or remove users, and access all data. If that account is compromised, everything else is at risk too.
Less secure app access lets a client sign in with a password alone, bypassing 2SV entirely. Google has been retiring this setting, but if it still appears in your console (historically under Security → Access and data control → Less secure apps), make sure it is off. Also review the list of Super Admins under Account → Admin roles — there should be as few as possible, ideally one primary and one backup, and anyone who only needs to reset passwords or manage a few users should have a narrower delegated role instead.
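The two checks above (who hasn't enrolled before the deadline, and how many Super Admins you actually have) can be run from the Admin SDK Directory API instead of eyeballed in the console. The script below is an added example for this page, not the article's own tooling and not a GetBulwark product. It uses the Directory API `users` resource fields `primaryEmail`, `isEnrolledIn2Sv`, `isEnforcedIn2Sv`, `isAdmin`, `isDelegatedAdmin` and `suspended`; the `SAMPLE_USERS` records are constructed so it runs offline. `fetch_users` needs `google-api-python-client` and a credential carrying the `admin.directory.user.readonly` scope, and is only called when you pass it real credentials.

```python
"""Audit 2-Step Verification (2SV) enrolment and the Super Admin list from
Admin SDK Directory API user records.

Added example, not code from the article. Field names follow the Directory
API `users` resource (primaryEmail, isEnrolledIn2Sv, isEnforcedIn2Sv,
isAdmin, isDelegatedAdmin, suspended). SAMPLE_USERS is constructed data.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample in the shape of users.list results (not real accounts).
SAMPLE_USERS = [
    {"primaryEmail": "owner@example.com", "isAdmin": True, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "backup-admin@example.com", "isAdmin": True, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "helpdesk@example.com", "isAdmin": False, "isDelegatedAdmin": True,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "alice@example.com", "isAdmin": False, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True, "suspended": False},
    # An account in an OU the policy does not reach: enforcement is not applied.
    {"primaryEmail": "contractor@example.com", "isAdmin": False, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False},
    {"primaryEmail": "former-employee@example.com", "isAdmin": False, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": True},
]


@dataclass
class TwoSvReport:
    unenrolled: list[str] = field(default_factory=list)         # active, no 2SV set up
    unenforced: list[str] = field(default_factory=list)         # active, policy not applied
    admins_unenrolled: list[str] = field(default_factory=list)  # any admin with no 2SV
    super_admins: list[str] = field(default_factory=list)       # every active Super Admin


def audit_2sv(users) -> TwoSvReport:
    """Classify Directory API user records. Suspended accounts are skipped
    because they cannot sign in; offboarding is a separate check."""
    report = TwoSvReport()
    for u in users:
        if u.get("suspended"):
            continue
        email = u["primaryEmail"]
        is_super = bool(u.get("isAdmin"))
        if is_super:
            report.super_admins.append(email)
        if not u.get("isEnrolledIn2Sv"):
            report.unenrolled.append(email)
            if is_super or u.get("isDelegatedAdmin"):
                report.admins_unenrolled.append(email)
        if not u.get("isEnforcedIn2Sv"):
            report.unenforced.append(email)
    return report


def findings(report: TwoSvReport) -> list[str]:
    """Turn the report into follow-up items, most urgent first."""
    out = []
    if report.admins_unenrolled:
        out.append("Admins without 2SV (fix today): " + ", ".join(report.admins_unenrolled))
    if report.unenforced:
        out.append("Active users the policy does not cover (check OU scope): "
                   + ", ".join(report.unenforced))
    if report.unenrolled:
        out.append("Users still to enrol before the deadline: " + ", ".join(report.unenrolled))
    if not 1 <= len(report.super_admins) <= 2:
        out.append(f"{len(report.super_admins)} Super Admins; aim for one primary and one backup")
    return out


def fetch_users(credentials):
    """Page through users.list for the whole customer. Needs
    google-api-python-client and a credential with the
    admin.directory.user.readonly scope; imported lazily so the sample runs offline."""
    from googleapiclient.discovery import build
    service = build("admin", "directory_v1", credentials=credentials)
    users, token = [], None
    while True:
        resp = service.users().list(customer="my_customer", maxResults=500,
                                    pageToken=token).execute()
        users.extend(resp.get("users", []))
        token = resp.get("nextPageToken")
        if not token:
            return users


if __name__ == "__main__":
    # Swap SAMPLE_USERS for fetch_users(creds) to audit a real tenant.
    for line in findings(audit_2sv(SAMPLE_USERS)):
        print(line)
```

The `isEnforcedIn2Sv` check is the one most people forget: a user can show as "not enrolled" simply because they sit in an organisational unit the policy never reached, which is a scoping mistake rather than a user who is dragging their feet. Run it again the morning enforcement goes live and the unenrolled list should be empty.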
After MFA: what's next
MFA is the most impactful single change you can make, but it's one of 20 controls in a properly secured Workspace. Once MFA is enforced, the next priorities are email authentication (SPF, DKIM, DMARC), external sharing settings in Drive, and making sure former employees' accounts have been properly offboarded.
If you've followed the steps above and want to know where else your Workspace has gaps, the free audit covers everything. The report tells you exactly what's in place and what isn't — no jargon, no obligation.