Skip to main content
SVDY Logo

How a 25-Person Business Deploys Two-Factor Auth Without an IT Team

2FA used to need an IT department. Modern tools changed that — here's the 30-minute setup any office manager can run, plus what to expect when a phone gets lost.

Security
May 26, 2026· 7 min read· SVDY Team, Product

If you run a 25-person business, you've probably been told you need two-factor authentication. The advice usually comes with a price tag attached: hire a security consultant, buy a SIEM, deploy hardware tokens. None of that is a good fit when your "IT team" is the office manager who also handles payroll.

Two things changed in the last few years that make 2FA a 30-minute setup rather than a 30-day project:

  1. TOTP (Time-based One-Time Passwords) became the universal standard. Every modern authenticator app — Google Authenticator, Microsoft Authenticator, Authy, 1Password — speaks the same protocol (RFC 6238). Your team doesn't need to install anything custom.
  2. Self-service enrollment is now table stakes. You don't need an admin to "provision" 2FA for someone — they scan a QR code in their authenticator app, type a 6-digit code to confirm, and they're done. Recovery codes (10 single-use codes) handle the lost-phone case.

This post walks through the actual rollout for a small business. We'll be specific about what to do this week vs what to do next quarter.

Why 2FA matters for SMBs

The data is unambiguous. Microsoft's threat intel team reports that enabling MFA blocks 99.2% of automated account-compromise attempts. The remaining 0.8% require sophisticated targeted attacks — phishing kits with real-time relay, SIM-swap, etc. For a 25-person company that mostly fights password-spraying bots and credential-stuffing from leaked databases, 2FA is the single highest-leverage security control you can deploy.

The cost-side equation also flipped. SaaS apps (your accounting, HR, CRM, payroll) have all rolled out 2FA support; using it is free. Phone-based authenticator apps are free. The only real cost is the 30 minutes per employee for enrollment.

The 30-minute rollout (this week)

You don't need a project plan. You need:

  1. A list of business-critical apps. Start with: email (Google Workspace / Microsoft 365), accounting, HR/payroll, file sharing, password manager (you do have one, right?), and your customer database. That's usually 5-8 systems for a 25-person business.

  2. A short document — three sections:

    • Why we're doing this (1 paragraph; ours says: "If our email gets compromised, an attacker can reset every other password and impersonate the company. 2FA prevents that.")
    • What employees need to do (download an authenticator app — list the four mainstream ones — and follow the per-app prompts when they next sign in)
    • What happens if I lose my phone (use recovery codes; if those are gone, contact the office manager who will reset 2FA for you)
  3. A 15-minute all-hands to walk through it. The single biggest predictor of rollout success is whether the leadership team has 2FA visibly enabled before everyone else.

After the all-hands, give everyone two weeks. Then audit: which employees still don't have 2FA on the must-have apps? Two more weeks of grace, then start enforcing.

What to expect when a phone gets lost

Recovery codes are the answer. They're 10 single-use codes shown ONCE during 2FA setup. The user prints them, screenshots them to their password manager, or both.

When a phone breaks or is lost:

  1. The user signs in with their email + password.
  2. Instead of typing the authenticator code, they enter one of the recovery codes.
  3. They get full access. The recovery code they used is invalidated.
  4. They re-enroll 2FA on the new phone (the system will let them do this once they've signed in).

Out of recovery codes? That's when an admin needs to manually disable 2FA on the user's account, the user signs in with password only, and re-enrolls fresh. Plan to handle ~1 such case per quarter for a 25-person team.

Things to avoid

  • SMS-based 2FA. SMS is better than nothing, but SIM-swap attacks have made it untrustworthy. Use TOTP (authenticator app) wherever possible. Many apps support both — pick TOTP.
  • Shared 2FA tokens. If three people share a single Google Workspace admin account, the temptation is to share the 2FA token. Don't. Create separate admin accounts.
  • Forcing one specific authenticator app. Let people use whatever — Google, Microsoft, Authy, 1Password all work. Forcing one creates resistance.
  • Disabling 2FA on individual accounts as a courtesy. The single most common breach vector for SMBs is the executive whose 2FA was "temporarily disabled" because they were traveling and never re-enabled. Don't do this.

When you outgrow this approach

At about 50-100 employees, the office-manager-as-IT model breaks down. Symptoms:

  • Multiple help requests per week about lost phones
  • Inconsistent enforcement across teams
  • Onboarding / offboarding becomes a checklist nobody runs

That's when you need either a dedicated IT person or a tool that handles enrollment, recovery, and audit centrally — usually called an Identity Provider (IdP) like Okta, Microsoft Entra, or JumpCloud. Cost is typically $5-10/employee/month.

If you're using SVDY, the IdP work is built in: SCIM-based provisioning, SAML SSO, and central 2FA management ship with the platform on Pro and above. You get the centralized identity layer without paying for two systems.

Bottom line

For a 25-person business in 2026: TOTP-based 2FA is a 30-minute rollout that blocks 99% of credential attacks, costs nothing in software, and the only real friction is the lost-phone case which recovery codes handle. There is essentially no excuse not to do it.

Pick a date in the next two weeks. Send the all-hands invite today.

two-factor authentication
small business security
TOTP
authenticator app
security for SMBs
← Back to all posts