Two-factor authentication (2FA), the most common form of multi-factor authentication (MFA), is a security control that requires two separate forms of verification before granting access to an account. For accounting practices holding client financial data across cloud software, email and practice management systems, 2FA is one of the most effective and most accessible security controls available.

This guide covers how 2FA works, which method is most secure, how to enable it across the platforms most commonly used by UK accountants, and how to manage 2FA across a team.

How two-factor authentication works

When you log in to an account with 2FA enabled, the process has two stages:

  1. First factor: you enter your username and password (something you know).
  2. Second factor: you verify your identity using a separate method — typically a code from an authenticator app, a push notification on your phone, or a hardware security key.

Even if an attacker has your username and password — obtained through phishing, a data breach at another service, or social engineering — they cannot log in without completing the second factor. The second factor is tied to a physical device in your possession, not to information that can be guessed or stolen from a database.

This breaks the most common attack chain against cloud-based accounting software: steal credentials through phishing, use credentials to log in, access and exfiltrate client data.

2FA methods: which is most secure?

Not all 2FA methods provide equal protection. Understanding the differences helps you make the right choice for your practice.

Authenticator app (TOTP)

Time-based One-Time Password (TOTP) apps generate a six-digit code from two inputs: a secret shared with the service when you enrol (that is what the QR code you scan contains) and the current time, rounded to a 30-second step, so the code changes every 30 seconds. You enter this code during login. The code is computed locally on your device and nothing is sent over the network until you type it in.

Leading authenticator apps:

  • Google Authenticator: widely used, simple interface; codes stay on the device unless you opt in to syncing them to your Google Account.
  • Microsoft Authenticator: backs up codes to your Microsoft account, useful for device migration.
  • Authy: backs up codes and syncs across devices; useful if you regularly switch phones.
  • 1Password: integrates TOTP generation within the password manager, convenient for teams already using 1Password.

TOTP is strong 2FA. It is resistant to SIM swapping and SMS interception, and it is the recommended baseline method for accounting practices. Its one weakness is that the code is just a number typed into a web page: a real-time phishing site (an attacker-in-the-middle proxy sitting between the user and the genuine login page) can ask for the code and relay it to the real service within its 30-second validity window. Only hardware keys and other FIDO2 credentials close that gap.

Hardware security keys (FIDO2 / WebAuthn)

A physical hardware key (YubiKey, Google Titan Key) plugged into a USB port or tapped against a phone completes the second factor. This is the most secure 2FA method available and the only one on this list that is genuinely phishing-resistant. The credential is cryptographically bound to the website's domain: the browser records the real origin of the page asking for authentication, the key signs over that value, and the browser refuses to use the credential at all from a domain it was not registered for. A user who visits a convincing phishing site finds that the key simply will not authenticate for the fake domain, and nothing they can be talked into doing on that page changes that.

Hardware keys are the gold standard for high-security environments. For accounting practices handling particularly sensitive data, deploying hardware keys for partners, senior staff and anyone with administrator rights on a core platform is a worthwhile investment.
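The origin binding described above, as an added example that is not part of this page and is not the code of any key vendor or platform: the checks a relying party (the website) performs on a FIDO2 assertion, run once for a genuine login and once for a login relayed through a phishing page. The key is simulated, and its signature is an HMAC under a per-credential secret rather than the ECDSA signature a real key produces, so the example runs on the standard library alone; the bytes being signed (authenticatorData followed by the hash of clientDataJSON) are the ones the WebAuthn specification defines. The domain names and the browser behaviour noted in the comments are assumptions for the demo.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo. The RP ID, origins and credential secret are made up, and HMAC stands in
# for the ECDSA signature a real security key would produce over the same bytes.
RP_ID = "accounts.example-ledger.co.uk"
RP_ORIGIN = "https://accounts.example-ledger.co.uk"
PHISHING_ORIGIN = "https://accounts.example-ledger.co"   # look-alike domain run by the attacker
UP_FLAG = 0x01   # authenticatorData flags bit 0: user presence (a touch) was confirmed


class SimulatedSecurityKey:
    """One credential secret and a signature counter, as a hardware key keeps per site."""

    def __init__(self):
        self.credential_secret = secrets.token_bytes(32)
        self.sign_count = 0

    def get_assertion(self, rp_id: str, challenge: bytes, origin: str) -> dict:
        # In a real browser the browser, not the web page, writes `origin` into clientDataJSON,
        # and it refuses the request outright unless rp_id matches that origin's registrable
        # domain. The phishing case below is simulated past that refusal to show that the
        # server-side check rejects the assertion even if one were somehow obtained.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
            sort_keys=True,
        ).encode()
        self.sign_count += 1
        auth_data = (hashlib.sha256(rp_id.encode()).digest()      # rpIdHash, 32 bytes
                     + bytes([UP_FLAG])                            # flags, 1 byte
                     + self.sign_count.to_bytes(4, "big"))         # signCount, 4 bytes
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        signature = hmac.new(self.credential_secret, to_sign, hashlib.sha256).digest()
        return {"clientDataJSON": client_data, "authenticatorData": auth_data,
                "signature": signature}


def rp_verify(credential_secret: bytes, expected_challenge: bytes, assertion: dict,
              last_sign_count: int) -> tuple:
    """The relying party's checks on an assertion (WebAuthn section 7.2, simplified).
    Returns (accepted, reason)."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(client_data.get("challenge", ""), expected_challenge.hex()):
        return False, "challenge mismatch (replay of an earlier login?)"
    if client_data.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & UP_FLAG:
        return False, "user presence not confirmed"
    sign_count = int.from_bytes(auth_data[33:37], "big")
    if sign_count <= last_sign_count:
        return False, "sign counter did not increase (cloned key or replay)"
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(credential_secret, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def login_direct(key: SimulatedSecurityKey) -> tuple:
    """Genuine login: the site issues a fresh challenge, the browser reports the real origin."""
    challenge = secrets.token_bytes(32)
    stored_count = key.sign_count            # what the site recorded at the previous login
    assertion = key.get_assertion(RP_ID, challenge, RP_ORIGIN)
    return rp_verify(key.credential_secret, challenge, assertion, stored_count)


def login_via_phishing_proxy(key: SimulatedSecurityKey) -> tuple:
    """Attacker-in-the-middle: the fake site relays the real challenge to the victim, but the
    victim's browser stamps the phishing origin into clientDataJSON and the key signs over it."""
    challenge = secrets.token_bytes(32)      # relayed unchanged from the real site
    stored_count = key.sign_count
    assertion = key.get_assertion(RP_ID, challenge, PHISHING_ORIGIN)
    return rp_verify(key.credential_secret, challenge, assertion, stored_count)


if __name__ == "__main__":
    key = SimulatedSecurityKey()
    print("direct login:", login_direct(key))
    print("via phishing proxy:", login_via_phishing_proxy(key))
```

Contrast this with the TOTP relay: there the service receives the same six digits whichever page the user typed them into. Here the thing the user's key produces is different on the phishing page, because the origin is part of what gets signed, and the attacker cannot rewrite it without invalidating the signature.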

SMS / text message

An SMS containing a one-time code is sent to your registered mobile number. This is the most widely supported 2FA method but also the least secure:

  • SIM swapping: an attacker convinces your mobile carrier, usually by social-engineering its support staff, to move your number to a SIM they control, and from then on your SMS codes arrive on their phone.
  • SMS interception: the signalling network that routes text messages between carriers (SS7) was designed without authentication, and messages can be redirected or read in transit by anyone with access to it.
  • Phishing relay: the code is just a number typed into a web page, so a fake login page can ask for it and pass it to the real service before it expires. TOTP codes share this weakness; hardware keys do not.

Use SMS 2FA only when it is the only option available on a given platform. Prefer TOTP or hardware keys wherever they are available.

Push notifications (Microsoft Authenticator, Duo)

A push notification sent to the enrolled mobile app asks you to approve or deny a login request. This is convenient and provides good security, but a plain approve/deny prompt is vulnerable to "MFA fatigue" (also called push bombing): an attacker who already has the password triggers prompt after prompt, often late at night or during a busy period, until the user approves one to make them stop or because they assume it is their own login.

Microsoft addressed this with number matching in Microsoft Authenticator, which is now on by default: the login screen shows a two-digit number that must be typed into the app, so a prompt cannot be approved by someone who is not looking at the real login page. Duo offers the same protection as Verified Duo Push. Check that your tenant has it enabled rather than assuming it.
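Because push bombing leaves a distinctive trail, it is also worth detecting, not just preventing. The following is an added example (not code from this page or from Microsoft) of the detection logic run over sign-in records shaped like Microsoft Entra ID sign-in logs: a user who accumulates several failed strong-authentication steps inside a short window is flagged, and the alert is escalated if a successful sign-in follows while the burst is still open, which is the moment the user gave in. The log lines are constructed for the example, trimmed to the fields used; the account names, IP addresses, ten-minute window and threshold of five are assumptions. Result code 500121 is the Entra code for a failed strong-authentication request and 0 is a successful sign-in.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sign-in records in the shape of Microsoft Entra ID sign-in logs: one JSON
# object per line, trimmed to the fields this example reads. Accounts and IPs are made up.
MFA_DENIED = 500121   # Entra: "Authentication failed during strong authentication request"
SAMPLE_SIGNIN_LOG = """
{"createdDateTime":"2024-03-12T09:00:05Z","userPrincipalName":"alice@example-practice.co.uk","ipAddress":"203.0.113.45","status":{"errorCode":500121,"failureReason":"Authentication failed during strong authentication request."}}
{"createdDateTime":"2024-03-12T09:00:40Z","userPrincipalName":"alice@example-practice.co.uk","ipAddress":"203.0.113.45","status":{"errorCode":500121,"failureReason":"Authentication failed during strong authentication request."}}
{"createdDateTime":"2024-03-12T09:01:12Z","userPrincipalName":"alice@example-practice.co.uk","ipAddress":"203.0.113.45","status":{"errorCode":500121,"failureReason":"Authentication failed during strong authentication request."}}
{"createdDateTime":"2024-03-12T09:01:55Z","userPrincipalName":"alice@example-practice.co.uk","ipAddress":"203.0.113.45","status":{"errorCode":500121,"failureReason":"Authentication failed during strong authentication request."}}
{"createdDateTime":"2024-03-12T09:02:30Z","userPrincipalName":"alice@example-practice.co.uk","ipAddress":"203.0.113.45","status":{"errorCode":500121,"failureReason":"Authentication failed during strong authentication request."}}
{"createdDateTime":"2024-03-12T09:03:10Z","userPrincipalName":"alice@example-practice.co.uk","ipAddress":"203.0.113.45","status":{"errorCode":500121,"failureReason":"Authentication failed during strong authentication request."}}
{"createdDateTime":"2024-03-12T09:03:50Z","userPrincipalName":"alice@example-practice.co.uk","ipAddress":"203.0.113.45","status":{"errorCode":0,"failureReason":"Other."}}
{"createdDateTime":"2024-03-12T09:10:00Z","userPrincipalName":"bob@example-practice.co.uk","ipAddress":"198.51.100.7","status":{"errorCode":500121,"failureReason":"Authentication failed during strong authentication request."}}
{"createdDateTime":"2024-03-12T09:10:30Z","userPrincipalName":"bob@example-practice.co.uk","ipAddress":"198.51.100.7","status":{"errorCode":0,"failureReason":"Other."}}
"""


def parse_signin_log(raw: str) -> list:
    """One JSON object per line; returns the events oldest first."""
    events = []
    for line in raw.strip().splitlines():
        rec = json.loads(line)
        events.append({
            "time": datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00")),
            "user": rec["userPrincipalName"],
            "ip": rec["ipAddress"],
            "error": rec["status"]["errorCode"],
        })
    return sorted(events, key=lambda e: e["time"])


def detect_mfa_fatigue(events: list, window: timedelta = timedelta(minutes=10),
                       threshold: int = 5) -> list:
    """Raise one alert per user per burst of `threshold` MFA denials inside `window`,
    and escalate it to high severity if a successful sign-in lands while the burst is open."""
    denials = defaultdict(deque)   # user -> timestamps of denials still inside the window
    open_bursts = {}               # user -> the alert dict for a burst not yet closed
    alerts = []
    for e in events:
        q = denials[e["user"]]
        while q and e["time"] - q[0] > window:
            q.popleft()
        if not q:
            open_bursts.pop(e["user"], None)          # burst aged out without a success
        if e["error"] == MFA_DENIED:
            q.append(e["time"])
            if e["user"] in open_bursts:
                open_bursts[e["user"]]["denials"] = len(q)
            elif len(q) >= threshold:
                alert = {"user": e["user"], "source_ip": e["ip"], "first_denial": q[0],
                         "denials": len(q), "severity": "medium",
                         "approved_after_burst": False}
                open_bursts[e["user"]] = alert
                alerts.append(alert)
        elif e["error"] == 0 and e["user"] in open_bursts:
            # Success while a burst is open: the user most likely approved the attacker's prompt.
            alert = open_bursts.pop(e["user"])
            alert.update(severity="high", approved_after_burst=True, approved_at=e["time"])
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_signin_log(SAMPLE_SIGNIN_LOG)):
        print(alert)
```

A single denial followed by a success (Bob, above) is normal: people do fat-finger a prompt. The pattern worth a phone call to the user is the burst, and a high-severity alert should trigger a password reset and revocation of that user's sessions, since the attacker already held the password to get that far.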

Enabling 2FA on key accounting platforms

Xero

2FA in Xero is enabled per user account. Log in to Xero, go to Profile > My Profile > Security, and follow the prompts to set up an authenticator app. Xero supports TOTP authenticator apps, both its own Xero Verify app and third-party apps such as those listed above.

Xero Practice Manager allows practice administrators to enforce 2FA for all staff accessing the practice's Xero organisation, preventing staff from bypassing the requirement.

QuickBooks Online

In QuickBooks Online, 2FA is enabled through Account Settings > Security. Intuit supports authenticator apps and SMS. Enable authenticator app-based 2FA rather than SMS.

Intuit has been progressively rolling out mandatory 2FA requirements; some accounts may already be required to have it enabled.

Microsoft 365 (email and Copilot)

Microsoft 365 admin accounts and user accounts both support 2FA. The admin can enforce MFA for every user in one of two ways: Security Defaults, a free tenant-wide switch available on every plan, or Conditional Access policies in Microsoft Entra ID (formerly Azure AD), which need an Entra ID P1 licence (included in Microsoft 365 Business Premium and the E3/E5 plans) but let you scope the requirement by user, application, location and device. The two are mutually exclusive: Security Defaults must be turned off before Conditional Access policies can be created.

If you do not have Conditional Access, enable Security Defaults in the Microsoft Entra admin centre (under the tenant's Properties). It requires every user to register for MFA, enforces MFA for administrators and blocks legacy authentication protocols such as basic-auth IMAP and SMTP that cannot carry a second factor at all, without any policy configuration. If you do use Conditional Access, create the "require MFA for all users" policy in report-only mode first, and exclude one emergency-access (break-glass) account so a misconfigured policy cannot lock every administrator out.

Microsoft Authenticator push with number matching is the recommended method for Microsoft 365.

Google Workspace

In Google Workspace, the admin can enforce 2-step verification for all users via the Admin Console under Security > 2-step verification. Users can use the Google Authenticator app, hardware security keys, or Google prompts on their Android or iOS device.

Enforcing 2SV at the admin level means users cannot disable it for their own account, ensuring consistent protection across the practice.

Xero Practice Manager, Karbon, TaxDome, Iris

Each practice management platform has its own 2FA settings. Review the security settings in each platform you use and enable TOTP-based 2FA. For platforms that support admin-level enforcement, enforce it for all users.

Managing 2FA across a team

Backup codes

When setting up 2FA, most platforms generate backup codes — single-use codes that can be used if the primary 2FA device is unavailable. Store these codes securely (in a password manager, not in the same email account they protect) and ensure they are accessible if the primary device is lost.

Device loss

If a staff member loses their phone (the primary 2FA device), they need to recover account access through backup codes or an admin reset. Establish a clear procedure for this before it happens, because the reset path is exactly what an attacker posing as a locked-out colleague will try to use:

  1. The staff member contacts the designated IT or admin contact.
  2. The admin verifies that it really is that person, through a channel an attacker would not control: in person, a video call, or confirmation from their line manager. Never reset on the strength of an email or chat message alone.
  3. The admin removes the lost device's enrolment, resets 2FA for the affected account using admin tools, and signs the account out of all active sessions.
  4. The staff member re-enrols with their new device.
  5. Backup codes for the affected accounts are invalidated and regenerated.

Offboarding

When a staff member leaves, revoke their access to all systems and remove their 2FA enrolment from any shared account. Shared accounts are best avoided altogether, but where one exists and the leaver enrolled it with a personal device, change the account's password and re-enrol 2FA on a firm-controlled device (or hold the TOTP secret in the firm's password manager), because the leaver's phone will otherwise keep generating valid codes.

For more on AI tools and technology for UK accountants, including how to manage team access security across your practice tech stack, see our AI and Tech hub.

Key takeaways

  • TOTP authenticator app-based 2FA (Google Authenticator, Microsoft Authenticator, Authy) is the recommended second factor for accounting practice systems; SMS 2FA should be used only as a last resort.
  • Hardware security keys (YubiKey) are the most phishing-resistant 2FA method and are appropriate for high-risk roles (partners, anyone with admin access).
  • Enable 2FA on all critical practice platforms — Xero, QuickBooks, email (Microsoft 365 / Google Workspace), and practice management software — and enforce it at the admin level where possible.
  • Store backup codes securely in a password manager and establish a clear procedure for device loss before it happens.
  • 2FA is the single most effective control against the misuse of stolen credentials: phishing, credential stuffing and password spraying all yield a password that is useless without the second factor. It does not stop real-time phishing that relays the second factor, which is why hardware keys matter for the highest-risk accounts.

Frequently asked questions

What is the difference between 2FA and MFA?

They are effectively the same thing. 2FA (two-factor authentication) specifically means two factors; MFA (multi-factor authentication) is the broader term that includes any combination of two or more factors. Most business contexts use the terms interchangeably. Both refer to requiring a second verification step beyond the password before granting access.

Can I use the same authenticator app for all my accounts?

Yes. A single authenticator app (Google Authenticator, Microsoft Authenticator, Authy) can hold TOTP codes for as many accounts as you need. When setting up 2FA on each service, you scan a QR code with the app, which adds that account's TOTP to your code list. There is no technical limit on the number of accounts in an authenticator app. The QR code encodes the shared secret for that account and is as sensitive as a password: do not screenshot it or save it to a shared drive, and where a platform allows it, enrol each colleague separately rather than scanning one QR code on several phones.

What happens to my 2FA codes if I get a new phone?

This depends on the authenticator app. Google Authenticator codes can be transferred to a new phone using the app's export/import feature (a transfer QR code shown on the old phone), or synced through your Google Account if you have opted in. Microsoft Authenticator backs up codes to your Microsoft account (opt in). Authy syncs codes across devices via cloud backup. If you use Google Authenticator without exporting or syncing, and your old phone is lost before the transfer, you need backup codes or an admin reset to recover each account. Plan device migration before you get a new phone, and keep the old one until every code works on the new one.

Should my clients enable 2FA on their accounting software?

Yes. Advise clients to enable 2FA on their Xero, QuickBooks, or Sage accounts. If a client's accounting software account is compromised, the attacker may be able to raise fraudulent invoices, access bank feed data, or change payment details. Client account security is the client's responsibility, but advising them on basic security measures is consistent with your professional duty of care.

Is 2FA enough on its own to secure my practice systems?

2FA significantly reduces the risk of unauthorised access through compromised credentials, which is the most common attack vector. However, it does not protect against: malware on the device that captures keystrokes or screenshots after login, an attacker who tricks a user into approving a push notification or relays a one-time code through a real-time phishing page, theft of the session cookie after a successful login (which lets an attacker skip authentication entirely until the session expires), physical access to an unlocked device, or insider threats. 2FA is a critical layer of defence but should be combined with other controls: strong unique passwords in a password manager, regular patching, anti-malware, phishing awareness training and least-privilege access controls.