This is how quickly every backend user can independently activate and set up 2FA for the Google Authenticator and many other multi-factor authentication services:
1) After logging into the backend, you can simply click on your username. There you have to switch to the "Account security" tab. Then click the "Manage multi-factor authentication" button.
If you want to force 2FA for your backend users, you can easily do this with an AdditionalConfiguration.php:
# Enforce for all backend users $GLOBALS['TYPO3_CONF_VARS']['BE']['requireMfa'] = 1; # Enforce for non-admin backend users only $GLOBALS['TYPO3_CONF_VARS']['BE']['requireMfa'] = 2; # Enforce for admin backend users only $GLOBALS['TYPO3_CONF_VARS']['BE']['requireMfa'] = 3;
If you only want to activate 2FA for a special user group, you can do this via User TSConfig:
# User TSConfig auth.mfa.required = 1
When for some special reason you need the exact opposite. So you don't want to offer 2FA for your backend users. Then the option can also be completely deactivated in the user profile:
# User TSConfig setup.fields.mfaProviders.disabled = 1
How to add own 2FA service into TYPO3 is explained in the official documentation.