Two-Factor Authentication: A Guide for Accountancy
Securing access is a critical issue for accounting firms. Discover how to implement two-factor authentication to protect your client data and meet your regulatory obligations.
Certyneo editorial team
Writer, Certyneo
Why Two-Factor Authentication Is Essential in Accountancy
Accountancy firms handle highly confidential financial data daily: tax returns, balance sheets, payroll slips, and banking details of hundreds of client companies. In 2025, according to the ANSSI annual report, phishing attacks targeting regulated professions increased by 37 % in a year. Faced with this threat, two-factor authentication (2FA) — also known as multi-factor authentication (MFA) — constitutes the first recommended line of technical defence.
Two-factor authentication rests on a simple principle: to access a system, the user must prove their identity with two distinct elements. The first is usually "something you know" (a password); the second is "something you have" (a smartphone, a physical key) or "something you are" (biometric data). This mechanism renders attacks that rely on a stolen password alone virtually impossible, and such attacks still account for 81 % of data breaches according to the Verizon DBIR 2024 report.
For chartered accountants, compliance with the eIDAS regulation and its strong identification requirements is no longer optional: it is a regulatory and ethical necessity. This article explains, step by step, how to configure 2FA in your firm, which tools to choose and how to support your team through the transition.
---
Two-Factor Authentication Methods Suited to the Accountancy Sector
Authentication Applications (TOTP)
The most widespread method in accounting firms is an application that generates time-based codes (TOTP, Time-based One-Time Password). Solutions such as Google Authenticator, Microsoft Authenticator or Authy generate a 6-digit code that changes every 30 seconds. The code is derived from a shared secret stored in the application during the enrolment phase (scanning a QR code).
Advantages for firms: deployment at no additional cost, works offline, compatible with almost all accountancy software (Sage, Cegid, ACD, MyUnisoft). Disadvantage: if the team member loses their phone, the recovery procedure must be anticipated (backup codes to be kept in a safe place).
Physical Security Keys (FIDO2/WebAuthn)
For firms handling large volumes of sensitive data or subject to frequent audits, physical security keys (such as YubiKey or Feitian) offer the highest level of protection. Based on the FIDO2 and WebAuthn standards, they are resistant to phishing by design: each credential is cryptographically bound to the domain that registered it, and the key's response covers the domain the browser actually connected to, so a lookalike site cannot obtain a valid response; this neutralises man-in-the-middle attacks.
Tax portals and mandatory filing platforms (DGFiP, Infogreffe) are increasingly accepting these standards. A firm managing around one hundred mandates can recoup the purchase cost of the keys (approximately 50-80 € per unit) in a few weeks through the reduction in time spent managing security incidents.
SMS OTP: To Be Avoided for Sensitive Data
Although codes sent by SMS remain an option in many systems, the US NIST (National Institute of Standards and Technology) downgraded them in 2016, removing them from the category of strong authentication methods. SIM swapping attacks (fraudulent transfer of a phone number to a SIM card controlled by an attacker) have affected several French accounting firms in recent years. For access to tax data or to the electronic signature tools used by legal and accounting firms, SMS OTP should only be considered as a last resort.
---
How to Configure Two-Factor Authentication: A Step-by-Step Guide
Step 1 — Inventory of Applications and Definition of Scope
Before any technical deployment, draw up an exhaustive inventory of all applications used in your firm:
- Accountancy software: Cegid Loop, Sage 100 Cloud, ACD Inforce, Quadratus, MyUnisoft
- Email and collaborative tools: Microsoft 365, Google Workspace, Slack
- Document management and signature tools: filing platforms, workflow tools
- Remote access: VPN, RDP, virtual desktops
- Client portals: document exchange spaces with clients
For each application, check whether 2FA is available (in the "Security" settings section) and which method is supported (TOTP, FIDO2, SMS). Classify applications by criticality based on the sensitivity of the data accessible.
Step 2 — Technical Deployment and Enrolment of Team Members
For Microsoft 365, configuration is carried out via the Azure Active Directory (Entra ID) portal. Activate "Security Defaults" or, for firms with more than 10 team members, configure Conditional Access policies (available from Business Premium licence onwards). These policies allow you to require 2FA only under certain conditions: access from outside the office, connection from an unknown device, unusual time of day.
For accountancy software, the procedure varies according to the publisher:
- Cegid Loop: security settings > enable two-factor authentication > generate QR codes for each user
- MyUnisoft: administration > security > strong authentication > enforce 2FA for all profiles
- Sage 100 Cloud: contact your Sage administrator or reseller to activate the MFA module
Schedule an enrolment session with each team member (15 to 20 minutes per person). Provide each user with a summary sheet containing their recovery codes, to be kept in a secure and physical location (firm safe, for example).
Step 3 — Management Policy and Emergency Procedures
Technical implementation is only half the work. A documented security policy must specify:
- Who can temporarily disable 2FA (only the system administrator, never the team member themselves)
- Device loss procedure: immediate account lockdown, recovery code regeneration, supervised re-enrolment
- Review frequency: six-monthly audit of access and authentication methods
- Management of departures: immediate revocation of access and 2FA secrets upon any team member departure
This policy integrates naturally into your business continuity plan (BCP) and into your data processing register within the meaning of GDPR. Consulting the Certyneo help centre can provide you with policy templates tailored to small and medium-sized organisations.
---
Integration of 2FA with Electronic Signature Tools
Advanced or qualified electronic signature, as defined by the eIDAS regulation, requires strong identification of the signatory. Concretely, when your firm sends a letter of engagement or service agreement to be signed to a client, the signature platform must verify the signatory's identity in a robust manner. This is precisely where 2FA comes in.
On eIDAS-compliant signature platforms (advanced or qualified level), the signatory receives a link by email, then must confirm their identity via a second channel (SMS, authentication application or qualified certificate). This process creates a timestamped, cryptographically verifiable audit trail, which constitutes irrefutable proof in case of dispute — a crucial issue for accountants, who commit their professional liability on each engagement.
To understand the different signature levels and choose the one suited to your document workflows, reading the complete guide to electronic signature is recommended. Firms using Certyneo benefit from native integration of 2FA into the signature process, which reduces friction for the signatory while maintaining the required compliance level.
Particular attention must be paid to letters of engagement (mandatory under OEC professional standard 2400) and audit reports: these documents commit the professional's personal liability and require an unimpeachable authentication traceability. You can also use an AI-powered contract generator to automate the creation of these documents whilst integrating strong authentication requirements from the outset.
---
Training and Raising Awareness among Team Members: The Human Factor
The most rigorous technical deployment is rendered ineffective if team members do not understand the issues or circumvent security mechanisms. In accountancy, teams are often composed of very varied profiles: senior partners, junior team members, interns, administrative assistants. Training must be tailored to each profile.
Recommended awareness programme for a firm of 5 to 30 people:
- Launch session (1 hour): presentation of concrete risks (anonymised real-life examples of incidents in the sector), live configuration demonstration, questions and answers
- Short video tutorials (3-5 minutes each): one tutorial per critical application, available on the firm's intranet
- Simulated phishing exercise: sending a false phishing email 3 months after deployment to measure actual vigilance and identify team members requiring additional support
- Integration into onboarding: every new team member sets up their 2FA on their first day, with a dedicated contact
The French Institute of Chartered Accountants (OEC) also provides training resources on cybersecurity as part of the mandatory annual training requirements (40 hours for chartered accountants registered on the roll). These training sessions can count towards your quality approach if your firm is ISO 9001 certified or seeking a cybersecurity certification (the ExpertCyber label from ANSSI, for example).
Legal Framework Applicable to Strong Authentication in Accountancy
The implementation of two-factor authentication in an accounting firm is part of a dense regulatory framework, centred around several fundamental texts.
The eIDAS Regulation No. 910/2014 and its eIDAS 2.0 revision (EU Regulation 2024/1183) constitute the reference framework for anything concerning electronic identification in Europe. Article 8 defines three levels of assurance for means of electronic identification: low, substantial and high. For acts engaging the professional liability of a chartered accountant (signature of reports, validation of tax returns online), the level of assurance "substantial" or "high" is required, which necessarily implies multi-factor authentication.
The GDPR (EU Regulation 2016/679), in its article 32, requires controllers to implement "appropriate technical and organisational measures" to guarantee the security of personal data. An accounting firm processes sensitive personal data (financial data, health data via payroll slips with sick leave, etc.). The absence of 2FA on access to accountancy software very likely constitutes a breach of this article, exposing the firm to penalties of up to 4 % of annual global turnover (article 83 GDPR).
The Civil Code, articles 1366 and 1367, regulate the legal value of electronic signature. Article 1367 specifies that "the reliability of an electronic signature process is presumed, unless otherwise proven, when this process implements a qualified electronic signature". Strong authentication is an essential component of this presumption of reliability.
The NIS2 Directive (EU Directive 2022/2555), transposed into French law by Law No. 2024-449 of 21 May 2024 and its implementing decrees, extends cybersecurity obligations to a wide range of entities. Although accounting firms are not directly listed as essential entities, those providing digital services to essential or important entities (health facilities, local authorities, critical infrastructure enterprises) may be subject to obligations indirectly through their service agreements.
Professional Standard 2400 of the French Institute of Chartered Accountants furthermore imposes an obligation of enhanced means in terms of information systems security for firms handling legal assignments. ANSSI explicitly recommends MFA as a minimum measure in its guide "Information Systems Security for SMEs/SMBs" (2024 edition).
Professional civil liability: in the event of a client data breach resulting from the absence of 2FA, the firm's professional liability insurer may invoke gross negligence to reduce or refuse cover. It is strongly advised to keep documentation of the 2FA deployment as proof of due diligence.
Use Cases: 2FA in Practice in Accounting Firms
Scenario 1 — A Medium-Sized Accounting Firm
An accounting firm with around fifteen team members managing approximately 400 active mandates decided to deploy 2FA across all its tools following a phishing incident that nearly compromised access to its payroll software. The management opted for Microsoft Authenticator on Microsoft 365 (email, SharePoint, Teams) and for native TOTP applications from its cloud accounting software.
The deployment was completed in three weeks: one week for inventory and configuration, one week for enrolment of team members in groups of five, one week for monitoring and troubleshooting. Result: zero account compromise incidents in the following 12 months, compared with two incidents in the previous year. Time spent managing security incidents was reduced by approximately 70 %. The firm was also able to justify to several large enterprise clients (including an industrial SME client imposing a supplier security charter) that its systems met MFA requirements.
Scenario 2 — A Firm Specialising in the Statutory Audit of SMEs
An audit firm managing around sixty statutory audit mandates faced a specific requirement: its clients increasingly requested proof of GDPR compliance when renewing assignments. The firm chose to deploy FIDO2 security keys for partners (access to the most sensitive files) and TOTP applications for senior team members, whilst maintaining SMS OTP only for low-sensitivity access.
In parallel, the firm integrated advanced electronic signature into its audit report workflows, with systematic strong authentication of the signatory. Thanks to the generated audit trail, two potential disputes with clients contesting the actual date of report delivery were resolved in the firm's favour by producing timestamped authentication logs. The reduction in report signing delays (from an average of 5 days to less than 24 hours) also helped streamline invoicing and improve the firm's cash flow by approximately 15 %.
Scenario 3 — A Firm in the Phase of External Growth
A regional network of accounting firms that absorbed three independent structures over two years found itself with significant heterogeneity of systems: some acquired firms had no 2FA policy, others used SMS OTP. The group took advantage of this integration to standardise on a unified identity management solution (IAM — Identity and Access Management) with mandatory 2FA.
The initial investment (IAM licences, training, support) was estimated at approximately 8,000 € for the entire group (approximately 45 team members). In return, the reduction in costs related to security incidents (IT provider interventions, crisis management) was estimated at 15,000-20,000 € in the first year. The group also managed to negotiate a reduction in its cyber insurance premium of around 20 % by providing its insurer with documentation of 2FA deployment.
Conclusion
Two-factor authentication is no longer a luxury reserved for large organisations: it is a security and compliance imperative for any accounting firm, regardless of size. Between the requirements of GDPR, ANSSI recommendations, eIDAS obligations for electronic signature and increasing client pressure regarding the security standards of their service providers, 2FA has become an inescapable industry standard.
The good news: deployment is now accessible, rapid and low-cost. By following the steps described in this article — inventory of applications, choice of suitable method, enrolment of team members, drafting of a documented policy — your firm can achieve a robust level of security in a few weeks.
Certyneo natively integrates strong authentication into its electronic signature workflows, allowing you to combine eIDAS compliance and MFA security without additional complexity. Discover our offers and pricing or contact our team for personalised support in bringing your firm into compliance.