
How to set up MFA across your stack in one weekend

A practical, no-jargon workflow to enable multi-factor authentication on every important account in a small team — without locking yourself out, losing recovery codes or skipping the accounts that actually matter.

Published May 24, 2026 • Updated May 24, 2026

By Daniel P., Tech Lead Senior Software Engineer · Oslo, Norway
Outcome: Every critical account behind MFA, with documented recovery, a backup admin and a quarterly review date.
For: Freelancers, solo founders and small teams up to ~15 people.
Read time: ~12 min

Why most small teams do MFA badly

Most small teams enable MFA the same way they buy software: in a rush, on the wrong accounts first, with no plan for the day someone loses a phone.

Doing it well is not harder. It just needs an hour of inventory, one method picked on purpose and a place to keep recovery codes that is not a sticky note.

The goal of this workflow is simple: at the end of one weekend, every account that could ruin your week is protected, you have a backup admin and you can prove it.

The full flow at a glance

From scattered logins to a calm baseline:

  1. Inventory: list every account that touches money, identity, code or customer data.
  2. Rank by blast radius: what breaks if this one account is compromised?
  3. Pick a method: TOTP, security key or platform passkey — choose one default.
  4. Enable top-down: domain, email and admin first. Everything else second.
  5. Test recovery: pretend you lost the phone. Can you get back in?

Step 1: Inventory before you enable anything

Open a doc. List every account, not every tool — same vendor often means several accounts (admin, billing, personal).

A useful frame is the four categories of damage:

  • Money. Bank, payment processor, accounting, payroll.
  • Identity. Domain registrar, email, password manager, SSO provider.
  • Code and data. Source control, cloud, customer database, file storage.
  • Customer-facing. CRM, help desk, marketing, e-signature, anything your buyers see.

If an account does not fit any of these, it is probably not urgent. Park it.

Inventory worksheet structure

  • Money: Bank, Stripe, PayPal, Wise, accounting, payroll.
  • Identity: Domain, primary email, password manager, SSO.
  • Code & data: GitHub, cloud account, file storage, database.
  • Customer-facing: CRM, help desk, e-sign, marketing tools.

A flat list is fine. The point is to see everything in one place before you turn any toggle on.

Step 2: Rank by blast radius

Not every account deserves the same care. Score each one quickly:

  1. Catastrophic — if compromised, the business stops. Domain registrar, primary email, password manager, bank.
  2. Severe — if compromised, recovery is days of work. Cloud account, source control, payment processor, customer database.
  3. Annoying — if compromised, you fix it in an afternoon. Marketing tools, analytics, random SaaS trials.

Catastrophic accounts get protected this weekend. Severe accounts get protected this month. Annoying accounts get cleaned up during your next quarterly SaaS audit.

Step 3: Pick one MFA method and stick to it

Picking three methods at once is how you confuse the team. Pick one default and accept the trade-offs.

  • Authenticator apps (TOTP). Free, works almost everywhere, easy to roll out. Good default for most small teams.
  • Security keys. Strongest protection against phishing. Worth it for catastrophic accounts and tech-savvy teams.
  • Passkeys. The smoothest modern experience when both sides support it. Coverage is growing fast.
  • SMS. Better than nothing. Worse than everything above. Avoid as your primary method.

Most small teams should standardize on TOTP for everything, then layer security keys or passkeys on the catastrophic tier. The password manager you picked already supports both — that is part of why it matters.

  • 1Password. Best for: default vault + TOTP for small teams. Stores TOTP codes alongside passwords, supports passkeys and makes shared-account MFA workable for small teams.
  • Authy. Best for: standalone TOTP app. A dedicated authenticator app with multi-device backup, useful when you want TOTP separate from the password manager.
  • YubiKey (Yubico). Best for: catastrophic-tier accounts. Hardware security keys for phishing-resistant MFA on the highest-value accounts — domain, email, banking.

Use these as authenticator or recovery options. The password manager is usually the calmest place to store TOTP seeds.

Step 4: Enable MFA top-down

Order matters. Protect identity first, because losing identity means losing recovery for everything else.

  1. Domain registrar. If someone steals this, they own your business name.
  2. Primary email. The reset link target for almost everything else.
  3. Password manager. The vault you are about to fill with secrets.
  4. Payment and banking. Stripe, PayPal, Wise, bank, accounting.
  5. Cloud and code. AWS, Google Cloud, GitHub, source control.
  6. Customer-facing tools. CRM, help desk, marketing platform.
  7. Everything else during the next sweep.

For each one, the rollout looks the same:

Per-account MFA enable:

  1. Open security settings: find the MFA or two-factor section.
  2. Enable your chosen method: TOTP first, security key or passkey when supported.
  3. Save recovery codes: store them in the password manager, in a separate note from the login.
  4. Sign out and back in: confirm the new flow works on the device you actually use.
  5. Mark the row done: update the inventory doc. No row should be ambiguous.

Step 5: Test recovery and name a backup admin

This is the step most teams skip. Two things must be true before you call MFA done:

  • You can recover access if your phone dies, using only the recovery codes or backup method you saved.
  • A second human can recover access if you are unreachable.

If either is fuzzy, you have an outage waiting to happen.

For shared accounts, decide explicitly who is the backup admin, write it down and rotate every six months. For solo founders, give a trusted person sealed recovery instructions — a will-style envelope is unglamorous but works.

What usually goes wrong

  • Recovery codes in screenshots. Storing recovery codes as screenshots in cloud photos defeats most of the protection. Use the password manager.
  • One person owns everything. If only one teammate can recover anything, MFA is a single point of failure with extra steps.
  • SMS as the primary factor. SIM-swap attacks are not rare. Use SMS only when nothing else is supported.
  • Shared logins behind personal MFA. Move shared accounts to the password manager’s shared vaults so MFA travels with the role, not the person.
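As an added example (not from the article), one way to turn the inventory doc from Steps 1 to 5 into the proof the workflow asks for, and to catch the failure modes listed above: a small Python audit over a constructed CSV in the worksheet's shape, flagging rows in the tiers that are due. The column names, the sample rows and the names in them are assumptions of this example.

```python
import csv
import io

# Constructed sample inventory in the shape of the Step 1 worksheet, with the
# columns the later steps fill in: tier (Step 2), method (Step 3), recovery
# codes and backup admin (Step 5). Column names are this example's assumption.
INVENTORY_CSV = """\
account,tier,owner,mfa_method,recovery_codes_location,recovery_tested,backup_admin
Domain registrar,catastrophic,Daniel,security_key,password_manager,yes,Dana
Primary email,catastrophic,Daniel,totp,password_manager,no,Dana
Password manager,catastrophic,Daniel,totp,sealed_envelope,yes,Daniel
Bank,catastrophic,Daniel,sms,screenshot,no,
GitHub,severe,Dana,totp,password_manager,yes,Daniel
CRM,severe,Dana,,none,no,
Analytics,annoying,Dana,,none,no,
"""

# Where the article accepts recovery codes: the password manager, or a sealed
# envelope held by a trusted person (the solo-founder case). Screenshots in
# cloud photos are not on the list.
ACCEPTABLE_STORES = {"password_manager", "sealed_envelope"}


def audit_row(row: dict) -> list[str]:
    """Findings for one inventory row; an empty list means the row is done."""
    name, method = row["account"], row["mfa_method"].strip()
    findings = []
    if not method:
        findings.append(f"{name}: no MFA enabled")
    elif method == "sms":
        findings.append(f"{name}: SMS is the primary factor")
    if row["recovery_codes_location"].strip() not in ACCEPTABLE_STORES:
        findings.append(f"{name}: recovery codes not in an accepted store")
    if row["recovery_tested"].strip().lower() != "yes":
        findings.append(f"{name}: recovery never tested")
    backup = row["backup_admin"].strip()
    if not backup:
        findings.append(f"{name}: no backup admin named")
    elif backup == row["owner"].strip():
        findings.append(f"{name}: backup admin is the owner, so one person owns it")
    return findings


def audit_inventory(csv_text: str, tiers=("catastrophic",)) -> list[str]:
    """Audit only the tiers that are due: catastrophic this weekend; add
    "severe" once the month's sweep is done. Other tiers are skipped."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [f for row in reader if row["tier"] in tiers for f in audit_row(row)]
```

Run it against the real inventory export at the end of the weekend; an empty result for the catastrophic tier is the "you can prove it" from the introduction.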
