A Bathgate small business tends to ring us about two-factor login for one of two reasons. Either the owner has just read a Cyber Essentials questionnaire from an insurer or a client and realised the practice has been skating by without MFA, or somebody in the office has been phished and the panic switch has been flipped. In both cases the answer is to turn on two-factor login across the team. The order you do that in decides whether the rollout is a smooth week's work or a Monday morning where nobody in the office can sign in to their email.
If you want a hand actually running the rollout for a Bathgate or wider West Lothian team, this is exactly the sort of thing our business IT support handles day to day. This post is written for the small-team problem — three to fifteen people, one shared IT stack, and nobody willing to be the person who locked everyone out.
Why "Just Turn It On for Everyone" Backfires
The default advice online is "enable MFA everywhere, today." For one person that's fine. For a team of ten it is a rough week. The reasons we see it go wrong on the bench are always the same:
- One person's phone runs flat on enrolment day and they can't complete the setup.
- Someone enrols at the office and then can't remote-in from home the next evening.
- The Microsoft 365 admin gets locked out because MFA was configured on a personal phone with no saved recovery codes.
- Sales staff on the road can't receive SMS codes at a client site with weak signal.
Every one of those is fixable, but stacking four of them into a single Monday is where the reputation for "MFA breaks everything" comes from. The trick is the sequence.
Start With a Break-Glass Admin Account
The first thing we set up on a Bathgate rollout — before anyone else's account is touched — is a break-glass admin. That means:
- A separate global-admin account for Microsoft 365 or Google Workspace.
- A strong, unique passphrase stored in the shared password manager and printed on paper.
- MFA enrolled to a hardware security key or an authenticator on a device that lives in the office safe.
- The MFA recovery codes printed and stored in the same safe.
You never sign in with this account day to day. Its only job is to rescue the business if the main admin's phone is lost, stolen, resets itself, or the admin leaves the company. Missing this step is the single most common thing we're called in to sort out — usually when someone has genuinely locked themselves out of the tenant and there is no other admin. For the shared-vault side, our password manager guide covers the setup; the break-glass entry lives there, and the recovery codes ideally live on paper as well.
App-Based Codes Beat SMS Nearly Every Time
Once the break-glass account exists, the next decision is what "second factor" everyone else will use. The three practical options are an authenticator app (Microsoft Authenticator, Google Authenticator, Authy or 1Password), an SMS code, or a hardware security key like a YubiKey.
For a Bathgate small business we recommend an authenticator app for the whole team as the default, with hardware keys reserved for admin accounts, and SMS avoided unless there is genuinely no alternative. The reasons are practical. SMS fails at client sites with weak signal — a real problem for anyone driving out to Whitburn or Broxburn for meetings. SIM-swap fraud is a live and growing threat, and we have seen a Microsoft 365 account bypassed firsthand after a mobile number was ported to a new SIM overnight. Authenticator apps work offline and can't be intercepted the same way. Adding a new work account to an existing app takes about thirty seconds each.
Which Accounts to Enable First
The order that limits disruption is:
- Microsoft 365 or Google Workspace admin — via the break-glass and the main admin account.
- Every team member's email.
- Banking, HMRC and payroll portals.
- The finance stack — Xero, Sage or whichever ledger you use.
- The domain registrar, which is routinely forgotten.
- Line-of-business systems — practice management, CRM, case management.
- Cloud file storage where it sits outside the main tenant.
Enable email first because that's the account most attacks go for and the one most often used as the recovery route for everything else. Enable the domain registrar early because owners routinely forget they even have it — losing that account lets an attacker repoint every service to their own servers, which is much worse than losing a single mailbox.
Rolling It Out Without Lockouts
The script we use for a Bathgate team of three to fifteen people: pick a Tuesday or Wednesday morning, gather everyone in the office (not remote), and enrol accounts at their own desks. Fifteen minutes per person is realistic. During enrolment we install the authenticator app on their phone with them watching, save their recovery codes, hand them the paper to lock in a home drawer, and sign in fresh on both the office laptop and the phone to prove the flow works end to end.
Doing it together in the office matters. Half the failures we see are people who "enrolled at home" and then couldn't produce the second factor at the office the next morning, or vice versa. When the whole team is enrolled in one sitting, questions get answered once and habits form together.
The Staff Turnover Problem — and the Fix
The most predictable follow-up call, three to six months after a rollout, is a staff turnover situation. A member of staff has left, their work account was disabled, but their MFA was on their personal phone and nobody kept the recovery codes for the business — and now that same phone number is being used to try to reset the account back.
The fix is boring but effective. On every enrolment, business-owned recovery codes are saved to the shared vault by whoever runs IT. On offboarding, MFA and active sessions are revoked centrally, the account is disabled but not deleted, and the shared vault entry is rotated. This is the same discipline we describe in the IT onboarding checklist — the offboarding column belongs on the same page as the onboarding one, not on a separate sheet nobody looks at.
A Real West Lothian Example
One anonymised job for context. A West Lothian consultancy — six staff, Microsoft 365 tenant, no dedicated IT — enabled MFA in a rush after a phishing email actually reached a director's inbox. They set it up in one afternoon, everyone used SMS, no break-glass account.
Two months later the director's phone was pickpocketed in Edinburgh. The replacement SIM took twenty-four hours to activate, and during that day nobody in the business could sign in as an administrator to reset her account or grant temporary access. Payroll ran that Friday only because the ledger happened to sit outside the tenant.
The rebuild took a morning: create the break-glass admin, move everyone to an app-based second factor, save the recovery codes to the shared vault. Real-world downtime the following year, when a phone was replaced routinely, was under fifteen minutes for the affected user — done during a coffee break rather than a working day.
Getting Help Locally in Bathgate
If you'd rather have someone else run the rollout — build the break-glass admin, enrol the team, save and secure the recovery codes, and leave you with the shared-vault documentation — that's exactly what our business IT support covers for Bathgate, Livingston, Broxburn, Whitburn and the wider West Lothian belt. If a phone has already been lost and someone can't sign in on Monday morning, our same-day help in Bathgate can usually get an account back the same working day, and remote support handles the fastest cases without a callout. For the pieces that sit next to MFA — a documented backup plan, a controlled leaver process — our small-business backup plan pairs cleanly with the security work here.
Last updated: 15 July 2026