
Two-Factor Authentication: Guide for Accounting

Securing access is a critical issue for accounting firms. Discover how to implement two-factor authentication to protect your client data and comply with your regulatory obligations.

Certyneo editorial team · 12 min read


Why two-factor authentication is essential in accounting

Accounting firms handle highly confidential financial data daily: tax returns, balance sheets, payroll records, and banking details for hundreds of client companies. In 2025, according to ANSSI's annual report, phishing attacks targeting regulated professions increased by 37% year-on-year. Faced with this threat, two-factor authentication (2FA) — also called multifactor authentication (MFA) — constitutes the first recommended technical line of defence.

Two-factor authentication is based on a simple principle: to access a system, the user must prove their identity via two distinct elements. The first is generally "something you know" (a password); the second is "something you possess" (a smartphone, a physical key) or "something you are" (biometric data). This mechanism makes attacks that rely on password theft alone virtually impossible, and such attacks still account for 81% of data breaches according to the Verizon DBIR 2024 report.

For accountants, compliance with the eIDAS regulation and its strong authentication requirements is no longer optional: it is a regulatory and ethical necessity. This article explains, step by step, how to configure 2FA in your firm, which tools to choose, and how to support your team members through this transition.

---

Two-factor authentication methods suited to the accounting sector

Authentication applications (TOTP)

The most widespread method in accounting firms is the use of an application that generates time-based codes (TOTP — Time-based One-Time Password). Solutions such as Google Authenticator, Microsoft Authenticator, or Authy generate a 6-digit code renewed every 30 seconds. This code is associated with a shared secret stored in the application during the enrolment phase (QR code scan).

Benefits for firms: deployment at no additional cost, works offline, compatible with virtually all accounting software (Sage, Cegid, ACD, MyUnisoft). Disadvantage: if the employee loses their phone, the recovery procedure must be planned in advance (backup codes to be kept in a safe place).
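To make the TOTP mechanism described above concrete, here is an added example (not code from the original article or from any of the products it names) of the server-side computation and verification in Python, using only the standard library. The shared secret is the base32 string the authenticator app imports from the enrolment QR code; the value used here is the RFC 6238 reference secret, embedded as a constructed sample. The verifier also illustrates two points the paragraph only implies: a tolerance window for clock drift between phone and server, and rejection of a code that has already been accepted, so a code captured by an attacker cannot be replayed inside its 30-second validity.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

# Constructed sample secret: the RFC 6238 reference key "12345678901234567890"
# in base32, i.e. what an otpauth:// enrolment URI would carry (not a real secret).
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def _decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret as shown in enrolment QR codes (spaces and padding tolerated)."""
    cleaned = secret_b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(_decode_secret(secret_b32), unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                last_counter: int = -1, window: int = 1,
                step: int = 30, digits: int = 6) -> Optional[int]:
    """Return the time-step counter the code matched, or None if it is rejected.

    - window: number of steps of clock drift tolerated on each side (1 = +/-30 s).
    - last_counter: highest counter already accepted for this user; the caller must
      persist the returned value and pass it back next time, so that a code seen
      once (e.g. captured by a phishing page) is refused on any second submission.
    """
    secret = _decode_secret(secret_b32)
    submitted = submitted.replace(" ", "")
    now = unix_time // step
    for drift in range(-window, window + 1):
        counter = now + drift
        if counter <= last_counter:
            continue  # already used or older than something already used: replay
        # constant-time comparison so timing does not leak how many digits matched
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    # Times taken from the RFC 6238 test-vector table (6-digit codes shown).
    for t in (59, 1111111109, 1234567890, 20000000000):
        print(t, totp(SAMPLE_SECRET_B32, t))
    print("first use:", verify_totp(SAMPLE_SECRET_B32, "287082", 59))
    print("replay:   ", verify_totp(SAMPLE_SECRET_B32, "287082", 59, last_counter=1))
```

The accepted counter is the piece of state most deployments forget to store: without it, a valid code remains usable for the whole window even after the legitimate user has logged in with it.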

Physical security keys (FIDO2/WebAuthn)

For firms handling large volumes of sensitive data or subject to frequent audits, hardware security keys (such as YubiKey or Feitian) offer the highest level of protection. Based on FIDO2 and WebAuthn standards, they are resistant to phishing by design: the key cryptographically verifies the domain of the website before authenticating, which neutralises man-in-the-middle attacks.

An increasing number of tax portals and mandatory filing platforms (DGFiP, infogreffe) are beginning to accept these standards. A firm managing around a hundred mandates can recoup the cost of purchasing keys (approximately £50-80 per unit) within a few weeks through the reduction in time spent managing security incidents.
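The phishing resistance described above comes from checks the relying party (the website) performs on what the browser and the key return. The following added example (not code from the original article, nor from any FIDO2 vendor or platform it mentions) shows those checks in Python with the standard library: the challenge must be the one the server issued, the origin in the browser-built clientDataJSON must be one the firm owns, the rpIdHash in the authenticator data must be the SHA-256 of the firm's registered domain, the user-present flag must be set, and the signature counter must have increased. Domain names, challenge and counter values are constructed placeholders. The public-key signature check over the returned payload needs a cryptography library and is therefore left to the caller; the domain binding is the point this example demonstrates.

```python
import base64
import hashlib
import hmac
import json
import struct

# Constructed relying-party configuration (placeholder domains, not a real firm).
RP_ID = "cabinet.example"
ALLOWED_ORIGINS = {"https://cabinet.example", "https://portal.cabinet.example"}
UP_FLAG = 0x01  # user present
UV_FLAG = 0x04  # user verified (PIN or biometric on the key)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """What the browser assembles; the origin field is filled in by the browser, not the page."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id_seen: str, flags: int, sign_count: int) -> bytes:
    """rpIdHash(32) || flags(1) || signCount(4, big-endian), as the key produces it."""
    return hashlib.sha256(rp_id_seen.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: bytes, stored_sign_count: int) -> str:
    """Return "ok" if every binding holds, otherwise a short reason for the rejection."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return "malformed clientDataJSON"
    if cd.get("type") != "webauthn.get":
        return "unexpected ceremony type"
    if not hmac.compare_digest(str(cd.get("challenge", "")), b64url(expected_challenge)):
        return "challenge mismatch (stale or forged response)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return f"origin not allowed: {cd.get('origin')}"
    if len(authenticator_data) < 37:
        return "authenticator data too short"
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    sign_count = struct.unpack(">I", authenticator_data[33:37])[0]
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        return "rpIdHash does not match our domain"
    if not flags & UP_FLAG:
        return "user presence not asserted"
    if sign_count != 0 and sign_count <= stored_sign_count:
        return "sign counter did not increase (possible cloned key)"
    return "ok"


def signed_payload(client_data_json: bytes, authenticator_data: bytes) -> bytes:
    """The bytes the key signed: authenticatorData || SHA-256(clientDataJSON).
    Verify the assertion signature over this with the credential's public key."""
    return authenticator_data + hashlib.sha256(client_data_json).digest()


if __name__ == "__main__":
    challenge = b"constructed-challenge-0001"
    legit_cd = make_client_data(challenge, "https://cabinet.example")
    legit_ad = make_authenticator_data("cabinet.example", UP_FLAG | UV_FLAG, 42)
    print("legitimate:", check_assertion(legit_cd, legit_ad, challenge, 41))
    # A lookalike site relaying the firm's challenge: the browser records its origin,
    # and the key hashes its domain, so the response is useless against the real site.
    phish_cd = make_client_data(challenge, "https://cabinet-example.com")
    phish_ad = make_authenticator_data("cabinet-example.com", UP_FLAG | UV_FLAG, 7)
    print("relayed:   ", check_assertion(phish_cd, phish_ad, challenge, 41))
```

Compare this with TOTP, where nothing in the six-digit code says which site it was typed into; here the domain is baked into two independent fields of the response before the key ever signs it.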

SMS OTP: to be avoided for sensitive data

Although codes sent by SMS remain an option in many systems, the American NIST (National Institute of Standards and Technology) reclassified them in 2016, removing SMS from its category of recommended strong authentication methods. SIM swapping attacks (fraudulent transfer of a phone number to a SIM card controlled by an attacker) have affected several French accounting firms in recent years. For access to tax data or to electronic signature tools for law and accounting firms, SMS OTP should only be considered as a last-resort option.

---

How to configure two-factor authentication: a step-by-step guide

Step 1 — Application inventory and scope definition

Before any technical deployment, draw up a comprehensive inventory of all applications used in your firm:

  • Accounting software: Cegid Loop, Sage 100 Cloud, ACD Inforce, Quadratus, MyUnisoft
  • Email and collaboration tools: Microsoft 365, Google Workspace, Slack
  • Document management and signature tools: filing platforms, workflow tools
  • Remote access: VPN, RDP, virtual desktops
  • Client portals: document exchange spaces with clients

For each application, check whether 2FA is available (in the "Security" section of settings) and which method is supported (TOTP, FIDO2, SMS). Classify applications by criticality based on the sensitivity of the data they provide access to.

Step 2 — Technical deployment and employee enrolment

For Microsoft 365, configuration is done via the Azure Active Directory (Entra ID) portal. Enable "Security Defaults" or, for firms with more than 10 employees, configure Conditional Access policies (available from Business Premium licence onwards). These policies allow you to require 2FA only under certain conditions: access from outside the office, login from an unknown device, unusual time of day.

For accounting software, the procedure varies depending on the publisher:

  • Cegid Loop: security settings > enable dual authentication > generate QR codes for each user
  • MyUnisoft: administration > security > strong authentication > enforce 2FA for all profiles
  • Sage 100 Cloud: contact your Sage administrator or reseller to activate the MFA module

Plan an enrolment session with each employee (15 to 20 minutes per person). Provide each user with a summary card containing their recovery codes, to be kept in a secure and physical location (the firm's safe, for example).

Step 3 — Management policy and emergency procedures

Technical implementation is only half the work. A documented security policy must specify:

  • Who can temporarily disable 2FA (only the system administrator, never the employee themselves)
  • Procedure for device loss: immediate account lockdown, regeneration of backup codes, supervised re-enrolment
  • Review frequency: six-monthly audit of access and authentication methods
  • Departure management: immediate revocation of access and 2FA secrets when any employee leaves

This policy naturally integrates into your business continuity plan (BCP) and your data processing register under GDPR. Consulting the Certyneo support centre can provide you with policy templates tailored to small and medium-sized organisations.

---

Integrating 2FA with electronic signature tools

Advanced or qualified electronic signature, as defined by the eIDAS regulation, requires strong identification of the signatory. Specifically, when your firm sends a letter of engagement or service contract to a client for signature, the signature platform must verify the signatory's identity robustly. This is precisely where 2FA comes in.

In eIDAS-compliant signature platforms (advanced or qualified level), the signatory receives a link by email, then must verify their identity via a second channel (SMS, authentication application, or qualified certificate). This process creates an audit trail that is timestamped and cryptographically verifiable, which constitutes irrefutable proof in the event of a dispute — a crucial issue for accountants who engage their professional civil liability on every assignment.

To understand the different signature levels and choose the one suited to your document flows, reading the comprehensive electronic signature guide is recommended. Firms using Certyneo benefit from native 2FA integration in the signature process, which reduces friction for the signatory whilst maintaining the required compliance level.

Particular attention should be paid to letters of engagement (mandatory under OEC professional standard 2400) and auditor reports: these documents engage the personal responsibility of the professional and require an impeccable authentication traceability. You can also use an AI-powered contract generator to automate the creation of these documents whilst incorporating strong authentication requirements from the outset.

---

Training and raising awareness among employees: the human factor

The most rigorous technical deployment is rendered ineffective if employees do not understand the issues or circumvent security devices. In accounting, teams are often made up of very diverse profiles: senior partners, junior staff, trainees, administrative assistants. Training must be adapted to each profile.

Recommended awareness programme for a firm of 5 to 30 people:

  1. Launch session (1 hour): presentation of concrete risks (anonymised real-world incident examples in the sector), live configuration demonstration, questions and answers
  2. Short video tutorials (3-5 minutes each): one tutorial per critical application, available in the firm's intranet
  3. Simulated phishing exercise: send a fake phishing email at 3 months after deployment to measure actual vigilance and identify employees requiring additional support
  4. Integration into onboarding: every new employee configures their 2FA on their first day, with a dedicated point of contact

The Order of Accountants (OEC) also offers continuing training resources on cybersecurity as part of annual training obligations (40 hours for accountants registered with the board). These training sessions can count towards your quality approach if your firm is ISO 9001 certified or is seeking a cybersecurity certification (ExpertCyber label from ANSSI, for example).

---

Regulatory framework

The implementation of two-factor authentication in an accounting firm sits within a dense regulatory framework, centred around several fundamental texts.

The eIDAS Regulation No. 910/2014 and its eIDAS 2.0 revision (EU Regulation 2024/1183) form the reference basis for everything concerning electronic identification in Europe. Article 8 defines three assurance levels for means of electronic identification: low, substantial, and high. For acts engaging the professional responsibility of an accountant (signature of reports, validation of online tax returns), the "substantial" or "high" assurance level is required, which necessarily implies multifactor authentication.

The GDPR (EU Regulation 2016/679), in its article 32, requires controllers to implement "appropriate technical and organisational measures" to ensure the security of personal data. An accounting firm processes sensitive personal data (financial data, health data through payroll records with sick leave, etc.). The absence of 2FA on access to accounting software almost certainly constitutes a breach of this article, exposing the firm to sanctions that could reach 4% of global annual turnover (article 83 GDPR).

The Civil Code, articles 1366 and 1367, govern the legal value of electronic signature. Article 1367 specifies that "the reliability of a process of electronic signature is presumed, unless proved otherwise, when this process implements a qualified electronic signature". Strong authentication is an essential component of this presumption of reliability.

The NIS2 Directive (EU Directive 2022/2555), transposed into French law by law No. 2024-449 of 21 May 2024 and its implementing decrees, extends cybersecurity obligations to a broad spectrum of entities. Although accounting firms are not directly listed as essential entities, those providing digital services to essential or important entities (healthcare establishments, local authorities, critical infrastructure enterprises) may be subject to obligations indirectly through their service contracts.

The OEC professional standard 2400 furthermore imposes a reinforced duty of care regarding information system security for firms handling legal assignments. ANSSI explicitly recommends MFA as a minimum measure in its guide "Information System Security for SMEs/Microenterprises" (2024 edition).

Professional civil liability: in the event of a data breach resulting from the absence of 2FA, the firm's professional liability insurer may invoke gross negligence to reduce or refuse cover. It is strongly recommended to keep technical documentation of 2FA deployment as proof of due diligence.

---

Use cases: 2FA in practice in accounting firms

Scenario 1 — A medium-sized accounting firm

A firm with around fifteen employees managing approximately 400 active mandates decided to deploy 2FA across all its tools following a phishing incident that nearly compromised access to its payroll software. Management opted for Microsoft Authenticator on Microsoft 365 (email, SharePoint, Teams) and for the native TOTP applications of its cloud accounting software.

The deployment was completed in three weeks: one week for inventory and configuration, one week for employee enrolment in groups of five, one week for follow-up and troubleshooting. Result: zero account compromise incidents in the following 12 months, compared to two incidents the previous year. The time spent managing security incidents was reduced by approximately 70%. The firm was also able to demonstrate to several large corporate clients (including an industrial SME client imposing a supplier security charter) that its systems met MFA requirements.

Scenario 2 — A firm specialising in statutory audits of SMEs

A statutory audit firm managing around sixty audit mandates faced a specific requirement: an increasing number of its clients are asking for proof of GDPR compliance when renewing assignments. The firm chose to deploy FIDO2 security keys for partners (access to the most sensitive files) and TOTP applications for senior staff, while maintaining SMS OTP only for low-sensitivity access.

At the same time, the firm integrated advanced electronic signature into its audit report workflows, with systematic strong authentication of the signatory. Thanks to the audit trail generated, two potential disputes with clients contesting the effective date of delivery of a report were resolved in favour of the firm by producing timestamped authentication logs. The reduction in report signature timescales (from 5 days on average to less than 24 hours) also helped streamline invoicing and improve the firm's cash flow by approximately 15%.

Scenario 3 — A firm in external growth phase

A regional network of accounting firms that had absorbed three independent structures over two years found itself with significant heterogeneity in systems: some absorbed firms had no 2FA policy, whilst others used SMS OTP. The group took advantage of this integration to standardise on a unified identity management solution (IAM — Identity and Access Management) with mandatory 2FA.

The initial investment (IAM licences, training, support) was estimated at approximately £8,000 for the entire group (around 45 employees). In return, the reduction in costs related to security incidents (IT service provider interventions, crisis management) was estimated at £15,000-20,000 in the first year. The group was also able to negotiate a reduction in its cyber insurance premium of around 20% by providing its insurer with 2FA deployment documentation.

Conclusion

Two-factor authentication is no longer a luxury reserved for large structures: it is a security and compliance imperative for any accounting firm, regardless of size. Between GDPR requirements, ANSSI recommendations, eIDAS obligations for electronic signature, and increasing client pressure on the security standards of their service providers, 2FA has become an unavoidable standard in the sector.

The good news: deployment is now accessible, rapid, and low-cost. By following the steps described in this article — application inventory, choice of the appropriate method, employee enrolment, drafting of a documented policy — your firm can achieve a robust level of security within a few weeks.

Certyneo natively integrates strong authentication into its electronic signature workflows, allowing you to combine eIDAS compliance and MFA security without additional complexity. Discover our offers and pricing or contact our team for personalised support in securing your firm.
