Two-Factor Authentication: A Guide for Accounting Professionals
Securing access is a critical issue for accounting firms. Discover how to implement two-factor authentication to protect your client data and comply with regulatory obligations.
Certyneo editorial team
Why Two-Factor Authentication Is Essential in Accounting Practice
Accounting firms handle highly confidential financial data daily: tax returns, balance sheets, payslips, and banking details of hundreds of client companies. In 2025, according to the ANSSI annual report, phishing attacks targeting regulated professions increased by 37% in a year. Faced with this threat, two-factor authentication (2FA), the most common form of multi-factor authentication (MFA), is the first recommended line of technical defence.
Two-factor authentication rests on a simple principle: to access a system, the user must prove their identity with two distinct elements. The first is generally "something you know" (a password); the second is "something you have" (a smartphone, a hardware key) or "something you are" (biometric data). This defeats attacks that rely on a stolen or guessed password alone, which the Verizon Data Breach Investigations Report still finds in the majority of breaches (the widely quoted 81% figure comes from the 2017 edition of the report, not the 2024 one). One caveat a practitioner should keep in mind: a one-time code typed into a web page can still be captured and relayed in real time by a phishing proxy sitting between the user and the real site; only origin-bound methods such as FIDO2 security keys (covered below) close that gap.
For accounting professionals, strong authentication is also what the eIDAS regulation expects whenever a signatory must be identified for an advanced or qualified electronic signature, and what regulators, clients and insurers increasingly treat as a baseline duty of care. This article explains, step by step, how to configure 2FA in your firm, which tools to choose, and how to guide your team through this transition.
---
Two-Factor Authentication Methods Suited to the Accounting Sector
Authentication Applications (TOTP)
The most widespread method in accounting firms is an application that generates temporary time-based codes (TOTP, Time-based One-Time Password). Solutions such as Google Authenticator, Microsoft Authenticator, or Authy display a 6-digit code that changes every 30 seconds, computed as an HMAC (SHA-1 by default, as specified in RFC 6238) over the current 30-second time step with a secret shared during enrolment (the QR code scan). The same secret is stored on the server side, so the server must protect it as carefully as it protects password hashes: whoever obtains it can generate valid codes indefinitely.
Advantages for firms: no additional cost, works offline, supported by most accounting software (Sage, Cegid, ACD, MyUnisoft). Disadvantages: a code can still be relayed by a real-time phishing page, and if an employee loses their phone the recovery procedure must have been planned in advance (single-use backup codes issued at enrolment and kept in a safe place, with only their hashes stored on the server).
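The mechanics of the two paragraphs above, as an added example that is not Certyneo's code nor that of any of the authenticator apps named: a pure-standard-library implementation of RFC 6238 TOTP (enrolment secret and otpauth URI for the QR code, code generation, server-side verification with a one-step tolerance for clock drift and replay protection) plus the backup-code handling for the lost-phone case. The verification window, the SHA-256 hashing of backup codes and the in-memory "database" are this example's own choices; the issuer and account names are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

# Added example (not from the original page). RFC 6238 defaults as used by
# Google Authenticator, Microsoft Authenticator and Authy: HMAC-SHA1, 6 digits, 30 s.
STEP = 30
DIGITS = 6


def new_secret() -> str:
    """Generate a 160-bit shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def otpauth_uri(secret: str, account: str, issuer: str) -> str:
    """URI encoded in the enrolment QR code (the de facto 'Key Uri Format')."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def hotp(secret: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: str, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // STEP)


class TotpVerifier:
    """Server-side check. Accepts the current step and +/- `window` neighbours (clock
    drift), and never accepts a step at or below the last accepted one, so a code
    captured by an attacker cannot be replayed after the user has used it (RFC 6238 §5.2)."""

    def __init__(self, secret: str, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1   # assumption: persisted per user in a real deployment

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        t = int(time.time()) if at is None else at
        counter = t // STEP
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue  # replay, or older than an already-used step
            if hmac.compare_digest(hotp(self.secret, c), code):  # constant-time compare
                self.last_counter = c
                return True
        return False


def backup_codes(n: int = 10):
    """Recovery codes for the lost-phone case. Returns (plaintext list for the user's
    printed card, set of SHA-256 hashes for storage); only the hashes stay server-side."""
    plain = [secrets.token_hex(5) for _ in range(n)]   # 10 hex characters each
    hashed = {hashlib.sha256(p.encode()).hexdigest() for p in plain}
    return plain, hashed


def redeem_backup_code(code: str, hashed: set) -> bool:
    """Single use: a matching hash is removed from the stored set on success."""
    h = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if h in hashed:
        hashed.remove(h)
        return True
    return False


if __name__ == "__main__":
    secret = new_secret()
    print(otpauth_uri(secret, "j.dupont@cabinet-example.fr", "Cabinet Example"))  # placeholder names
    print("current code:", totp(secret))
```

The constant-time comparison and the `last_counter` check are the two details most often missing from home-grown TOTP verifiers; the first closes a timing side channel, the second stops an attacker who phished a code from reusing it within the 30-second window after the victim logged in.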
Physical Security Keys (FIDO2/WebAuthn)
For firms handling large volumes of sensitive data or subject to frequent audits, hardware security keys (such as YubiKey or Feitian) offer the highest level of protection. Based on the FIDO2 and WebAuthn standards, they are phishing-resistant by design: the browser writes the origin of the page the user is actually on into the data the key signs, and the credential is bound to the relying party's domain, so an assertion obtained on a look-alike domain is rejected by the real site. This neutralises adversary-in-the-middle phishing proxies, which TOTP and SMS codes do not resist.
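To make the origin binding concrete, here is an added example (not Certyneo's code, nor any vendor's) of the checks a WebAuthn relying party performs on a login assertion, run once against data a genuine login page would produce and once against data a phishing proxy on a look-alike domain would produce. The relying-party ID, origins, challenge and authenticator data are constructed for the demonstration; the ES256 signature over `signed_payload()` is left to your WebAuthn library and is not verified here.

```python
import base64
import hashlib
import json
import struct

# Added example (not from the original page). Relying-party checks from the WebAuthn
# assertion ceremony (W3C WebAuthn §7.2). Names below are assumptions for the demo.
RP_ID = "cabinet-example.fr"                    # assumed relying party ID
EXPECTED_ORIGIN = "https://cabinet-example.fr"   # assumed origin of the genuine login page

FLAG_UP = 0x01  # user presence (touch on the key)
FLAG_UV = 0x04  # user verification (PIN or biometric on the key)


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """What the browser (not the key) builds: it records the origin of the page the user
    is really on, which is why a look-alike domain can never produce a matching value."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Layout per WebAuthn §6.1: SHA-256(rpId) || flags byte || 32-bit big-endian counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def check_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                    stored_sign_count: int, require_uv: bool = True) -> tuple:
    """Return (ok, reason). Signature verification over signed_payload() must follow."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')!r}"   # phishing page / AitM proxy
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    flags = auth_data[32]
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if require_uv and not flags & FLAG_UV:
        return False, "user verification not asserted"
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if sign_count != 0 and sign_count <= stored_sign_count:
        return False, "signature counter did not increase (cloned authenticator?)"
    return True, "ok"


def signed_payload(client_data_json: bytes, auth_data: bytes) -> bytes:
    """The bytes the key signs: authenticatorData || SHA-256(clientDataJSON). Because the
    origin sits inside clientDataJSON, altering it after the fact breaks the signature."""
    return auth_data + hashlib.sha256(client_data_json).digest()


if __name__ == "__main__":
    challenge = b"\x11" * 32     # constructed; use os.urandom(32) per login attempt
    auth = make_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, sign_count=42)
    genuine = make_client_data(EXPECTED_ORIGIN, challenge)
    phished = make_client_data("https://cabinet-example.fr.secure-login.test", challenge)
    print(check_assertion(genuine, auth, challenge, stored_sign_count=41))
    print(check_assertion(phished, auth, challenge, stored_sign_count=41))
```

A TOTP code carries no information about where it was typed, so a relayed code is indistinguishable from a genuine one; the WebAuthn assertion carries the origin and the RP ID hash under the key's signature, which is the whole of the phishing resistance. The signature-counter check is the extra step that flags a physically cloned key.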
Increasingly, tax portals and mandatory filing platforms (DGFiP, infogreffe) are accepting these standards. A firm managing a hundred mandates can typically recoup the cost of the keys (approximately €50-80 per unit) quickly through the reduction in time spent handling security incidents; budget two keys per user so that a lost key does not become an emergency.
SMS OTP: To Be Avoided for Sensitive Data
Although SMS codes remain an option in many systems, the US NIST (National Institute of Standards and Technology) has, since the 2016 draft of SP 800-63B, classified SMS-based one-time codes as a "restricted" authenticator rather than a recommended one: the code travels over a channel the user does not control and can be captured by SIM swapping (fraudulent transfer of a telephone number to a SIM card controlled by an attacker) or by a phishing page that relays it in real time. SIM swapping attacks have affected several French accounting firms in recent years. For access to tax data or to electronic signature tools for legal and accounting firms, SMS OTP should only be considered as a last resort.
---
How to Configure Two-Factor Authentication: A Step-by-Step Guide
Step 1 — Inventory of Applications and Scope Definition
Before any technical deployment, draw up a comprehensive inventory of all applications used in your firm:
- Accounting software: Cegid Loop, Sage 100 Cloud, ACD Inforce, Quadratus, MyUnisoft
- Email and collaboration tools: Microsoft 365, Google Workspace, Slack
- Document management and signature tools: filing platforms, workflow tools
- Remote access: VPN, RDP, virtual desktops
- Client portals: document exchange spaces with clients
For each application, check if 2FA is available (in the "Security" section of settings) and which method is supported (TOTP, FIDO2, SMS). Classify applications by criticality based on the sensitivity of the data they access.
Step 2 — Technical Deployment and Employee Enrolment
For Microsoft 365, configuration is done in the Microsoft Entra admin centre (Entra ID, formerly Azure Active Directory). The simplest option is to enable "Security Defaults", which requires MFA registration for all users. Firms whose licence includes Entra ID P1 (Business Premium and above) can instead use Conditional Access policies; the two are mutually exclusive, so Security Defaults must be switched off first. Start with a policy that requires MFA for all users on all cloud applications, then add conditions to tighten it (block legacy authentication protocols, require a compliant device when connecting from outside the office, flag unusual sign-in times) rather than to exempt users from it. Exclude a single dedicated emergency-access ("break-glass") account, protected by a FIDO2 key kept offline, so that a misconfigured policy cannot lock the administrators out.
For accounting software, the procedure varies by publisher:
- Cegid Loop: security settings > enable two-factor authentication > generate QR codes for each user
- MyUnisoft: administration > security > strong authentication > enforce 2FA for all profiles
- Sage 100 Cloud: contact your Sage administrator or reseller to activate the MFA module
Plan an enrolment session with each employee (15 to 20 minutes per person). Give each user a printed card with their single-use recovery codes, to be kept in a secure physical location (the firm safe, for example); only hashes of those codes should be stored in the system that issued them.
Step 3 — Management Policy and Emergency Procedures
Technical implementation is only half the work. A documented security policy must specify:
- Who can temporarily disable 2FA (only the system administrator, never the employee themselves)
- Procedure for device loss: immediate account lockdown, recovery code regeneration, supervised re-enrolment
- Review frequency: audit of access and authentication methods every six months
- Departure management: immediate revocation of access and 2FA secrets when any employee leaves
This policy naturally integrates into your business continuity plan (BCP) and into your data processing register under the GDPR. Consulting the Certyneo help centre can provide you with policy templates suited to small and medium-sized organisations.
---
Integration of 2FA with Electronic Signature Tools
Advanced or qualified electronic signature, as defined by the eIDAS regulation, requires strong identification of the signatory. Concretely, when your firm sends a letter of engagement or service contract to a client for signing, the signature platform must verify the signatory's identity in a robust manner. This is precisely where 2FA comes in.
On eIDAS-compliant signature platforms (advanced or qualified level), the signatory receives a link by email and must then confirm their identity through a second channel (an authentication application or a qualified certificate; SMS, for the reasons given above, only where the required signature level tolerates it). This process creates an audit trail that is timestamped and cryptographically verifiable, which constitutes strong evidence in case of dispute, a crucial point for accounting professionals who engage their professional civil liability on each engagement.
To understand the different signature levels and choose the one suited to your document flows, reading the complete guide to electronic signature is recommended. Firms using Certyneo benefit from native 2FA integration in the signature journey, which reduces friction for the signatory while maintaining the required compliance level.
Particular attention should be paid to letters of engagement (mandatory under OEC professional standard 2400) and audit reports: these documents engage the personal responsibility of the professional and require impeccable authentication traceability. You can also use an AI-powered contract generator to automate the creation of these documents while integrating strong authentication requirements from the outset.
---
Training and Raising Awareness Among Staff: The Human Factor
The most rigorous technical deployment is rendered ineffective if employees do not understand the issues or bypass security measures. In accounting practice, teams are often composed of very diverse profiles: senior partners, junior employees, trainees, administrative assistants. Training must be adapted to each profile.
Recommended awareness programme for a firm of 5 to 30 people:
- Launch session (1 hour): presentation of concrete risks (anonymised examples of real incidents in the sector), live configuration demonstration, Q&A
- Short video tutorials (3-5 minutes each): one tutorial per critical application, available on the firm's intranet
- Simulated phishing exercise: sending a fake phishing email 3 months after deployment to measure actual vigilance and identify employees needing additional support
- Integration into onboarding: every new employee configures their 2FA on their first day, with a dedicated mentor
The Order of Chartered Accountants (OEC) also offers continuing education resources on cybersecurity as part of the mandatory annual training obligation (40 hours for accountants listed in the register). These courses can be counted towards your quality approach if your firm is ISO 9001 certified or pursuing a cybersecurity label such as ExpertCyber (issued by Cybermalveillance.gouv.fr).
Legal Framework Applicable to Strong Authentication in Accounting Practice
The implementation of two-factor authentication in an accounting firm is part of a dense regulatory framework, structured around several fundamental texts.
The eIDAS Regulation No. 910/2014 and its eIDAS 2.0 revision (EU Regulation 2024/1183) constitute the reference foundation for electronic identification and trust services in Europe. Article 8 defines three levels of assurance for electronic identification means: low, substantial, and high. At the "substantial" and "high" levels, Implementing Regulation (EU) 2015/1502 requires at least two authentication factors from different categories. Those levels formally apply to notified electronic identification schemes rather than to a firm's internal accounts, but they are the reference point when you assess the identification a signature platform performs for acts engaging the professional's responsibility (signing of reports, validation of tax returns online), and "substantial" in practice means multi-factor authentication.
The GDPR (EU Regulation 2016/679), in its article 32, requires controllers to implement "appropriate technical and organisational measures" to guarantee the security of personal data. An accounting firm handles sensitive personal data (financial data, health data via payslips with sick leave, etc.). The absence of 2FA on access to accounting software is very likely a breach of this article, exposing the firm to penalties of up to 4% of annual worldwide turnover (article 83 GDPR).
The Civil Code, articles 1366 and 1367, govern the legal value of electronic signature. Article 1367 provides that the reliability of the signature procedure is presumed, unless proven otherwise, under conditions set by decree; Decree No. 2017-1416 of 28 September 2017 reserves that presumption for qualified electronic signatures. Strong authentication of the signatory is an essential component of this presumption of reliability.
The NIS2 Directive (EU Directive 2022/2555) extends cybersecurity obligations to a wide spectrum of entities; its French transposition is carried by the bill on the resilience of critical infrastructure and the strengthening of cybersecurity, whose current status should be checked with ANSSI. Although accounting firms are not directly listed as essential entities, those providing digital services to essential or important entities (healthcare facilities, local authorities, critical infrastructure companies) may be subject to obligations indirectly through their service contracts.
The OEC's professional standard 2400 additionally imposes a strengthened duty of care regarding information systems security for firms handling legal engagements. The ANSSI explicitly recommends MFA as a minimum measure in its "Information Systems Security for SMEs" guide (2024 edition).
Professional civil liability: in the event of a client data breach resulting from the absence of 2FA, the firm's professional liability insurer may invoke gross negligence to reduce or refuse coverage. It is strongly advised to keep technical documentation of 2FA deployment as evidence of diligence.
Use Cases: 2FA in Practice in Accounting Firms
Scenario 1 — A Medium-Sized Accounting Firm
A firm with around fifteen employees and managing approximately 400 active mandates decided to deploy 2FA across all its tools following a phishing incident that nearly compromised access to its payroll software. Management opted for Microsoft Authenticator on Microsoft 365 (email, SharePoint, Teams) and native TOTP applications in its cloud accounting software.
The deployment was completed in three weeks: one week for inventory and configuration, one week for enrolling employees in groups of five, one week for follow-up and troubleshooting. Result: zero account compromise incidents in the following 12 months, compared to two incidents the previous year. The time spent managing security incidents was reduced by approximately 70%. The firm was also able to justify to several major clients (including an industrial SME client imposing a supplier security charter) that its systems complied with MFA requirements.
Scenario 2 — A Firm Specialising in Statutory Audit of SMEs
A statutory audit firm managing around sixty audit mandates was faced with a specific requirement: its clients increasingly request proof of GDPR compliance when renewing engagements. The firm chose to deploy FIDO2 security keys for partners (access to the most sensitive files) and TOTP applications for senior employees, while maintaining SMS OTP only for low-sensitivity access.
In parallel, the firm integrated advanced electronic signature into its audit report workflows, with systematic strong authentication of the signatory. Thanks to the audit trail generated, two potential disputes with clients contesting the effective date of report delivery were resolved in the firm's favour by producing timestamped authentication logs. The reduction in report signing times (from an average of 5 days to less than 24 hours) also improved fluidity in invoicing and improved firm cash flow by approximately 15%.
Scenario 3 — A Firm in External Growth Phase
A regional network of accounting firms that had absorbed three independent structures in two years found itself with significant heterogeneity in systems: some absorbed firms had no 2FA policy, others used SMS OTP. The group took advantage of this integration to standardise on a unified identity management solution (IAM — Identity and Access Management) with mandatory 2FA.
The initial investment (IAM licences, training, support) was estimated at approximately €8,000 for the entire group (approximately 45 employees). In return, the reduction in costs related to security incidents (IT service provider interventions, crisis management) was estimated at €15,000-20,000 over the first year. The group was also able to negotiate a reduction in its cyber insurance premium of around 20% by providing its insurer with documentation of 2FA deployment.
Conclusion
Two-factor authentication is no longer a luxury reserved for large organisations: it is a security and compliance imperative for any accounting firm, regardless of size. Between GDPR requirements, ANSSI recommendations, eIDAS obligations for electronic signature, and increasing client pressure on their service providers' security standards, 2FA has become an inescapable standard in the sector.
The good news: deployment is now accessible, quick, and low-cost. By following the steps outlined in this article — inventory of applications, choice of appropriate method, employee enrolment, drafting of a documented policy — your firm can achieve a robust level of security within a few weeks.
Certyneo natively integrates strong authentication into its electronic signature workflows, allowing you to combine eIDAS compliance and MFA security without additional complexity. Discover our offers and pricing or contact our team for personalised support in bringing your firm into compliance.