
Two-Factor Authentication: Guide for Accounting Firms

Securing access is a critical challenge for accounting practices. Discover how to implement two-factor authentication to protect your client data and comply with regulatory obligations.

Certyneo editorial team · 12 min read


Why Two-Factor Authentication is Essential in Accounting Firms

Accounting practices handle highly confidential financial data daily: tax returns, balance sheets, payroll slips, and banking coordinates for hundreds of client companies. In 2025, according to ANSSI's annual report, phishing attacks targeting regulated professions increased by 37% in a year. Faced with this threat, two-factor authentication (2FA) — also known as multi-factor authentication (MFA) — is the first recommended line of technical defense.

Two-factor authentication is based on a simple principle: to access a system, the user must prove their identity through two distinct elements. The first is typically "something you know" (a password); the second is "something you have" (a smartphone, a physical key) or "something you are" (biometric data). This mechanism defeats attacks that rely on a stolen password alone, a category that still accounts for 81% of data breaches according to the Verizon DBIR 2024 report.

For accounting professionals, compliance with the eIDAS regulation and its strong authentication requirements is no longer optional: it is a regulatory and ethical necessity. This article explains, step by step, how to configure 2FA in your firm, which tools to choose, and how to support your staff through this transition.

---

Two-Factor Authentication Methods Suited to the Accounting Sector

Authentication Apps (TOTP)

The most widespread method in accounting practices is the use of an application that generates temporary time-based codes (TOTP — Time-based One-Time Password). Solutions such as Google Authenticator, Microsoft Authenticator, or Authy generate a 6-digit code renewed every 30 seconds. This code is associated with a shared secret stored in the application during the enrollment phase (QR code scan).

Advantages for firms: no additional cost for deployment, works offline, compatible with virtually all accounting software (Sage, Cegid, ACD, MyUnisoft). Disadvantage: if the employee loses their phone, the recovery procedure must be anticipated (backup codes to be stored in a safe place).

Physical Security Keys (FIDO2/WebAuthn)

For firms handling large volumes of sensitive data or subject to frequent audits, hardware security keys (such as YubiKey or Feitian) offer the highest level of protection. Based on the FIDO2 and WebAuthn standards, they are phishing-resistant by design: the key signs a challenge bound to the domain (relying party) of the site it is talking to, so a credential registered for the genuine portal cannot be replayed by a look-alike site, which neutralizes "man-in-the-middle" phishing attacks.

More and more tax portals and mandatory filing platforms (DGFiP, infogreffe) are beginning to accept these standards. A firm managing around a hundred mandates can recoup the cost of purchasing keys (approximately 50-80 € per unit) within a few weeks by reducing the time spent managing security incidents.
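As an added illustration (not code from the original page or from Certyneo), the following simplified relying-party checks in Python show why the domain binding described above defeats a look-alike phishing site: the origin sits inside the data the key signs, and the server rejects any origin or RP ID other than its own. The RP ID cabinet.example, the allowed origin and the challenge are assumptions, and the final public-key signature verification is omitted.

```python
import hashlib
import json

# Constructed relying-party settings for the example (assumed names, not a real firm).
RP_ID = "cabinet.example"
ALLOWED_ORIGINS = {"https://cabinet.example"}

def client_data(origin: str, challenge: str, ceremony: str = "webauthn.get") -> bytes:
    """Build the clientDataJSON a browser would produce for the given origin."""
    return json.dumps({"type": ceremony, "challenge": challenge, "origin": origin}).encode()

def authenticator_data(rp_id: str, sign_count: int) -> bytes:
    """Minimal authenticatorData: SHA-256(rpId) || flags (UP+UV) || 4-byte signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + sign_count.to_bytes(4, "big")

def signed_payload(auth_data: bytes, client_data_json: bytes) -> bytes:
    """What the key actually signs: authenticatorData || SHA-256(clientDataJSON)."""
    return auth_data + hashlib.sha256(client_data_json).digest()

def check_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: str):
    """Relying-party checks from the WebAuthn assertion procedure (signature step omitted)."""
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed response)"
    if data.get("origin") not in ALLOWED_ORIGINS:
        # A phishing page on another domain produces a different origin here,
        # and that origin is covered by the key's signature, so it cannot be patched out.
        return False, "origin %r is not the firm's portal" % data.get("origin")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    # Final step in a real deployment: verify the key's signature over
    # signed_payload(auth_data, client_data_json) with the public key stored at enrollment.
    return True, "assertion accepted"
```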

SMS OTP: To Be Avoided for Sensitive Data

Although codes sent by SMS remain an option in many systems, the US NIST (National Institute of Standards and Technology) removed them in 2016 from the category of strong authentication methods. SIM swapping attacks (fraudulent transfer of a phone number to a SIM card controlled by an attacker) have affected several French accounting firms in recent years. For access to tax data or to electronic signature tools for law and accounting firms, SMS OTP should only be considered as a last resort.

---

How to Configure Two-Factor Authentication: Step-by-Step Guide

Step 1 — Inventory of Applications and Definition of Scope

Before any technical deployment, draw up a comprehensive inventory of all applications used in your firm:

  • Accounting software: Cegid Loop, Sage 100 Cloud, ACD Inforce, Quadratus, MyUnisoft
  • Email and collaboration tools: Microsoft 365, Google Workspace, Slack
  • Document management and signature tools: filing platforms, workflow tools
  • Remote access: VPN, RDP, virtual desktops
  • Client portals: document exchange spaces with clients

For each application, check whether 2FA is available (in the "Security" section of settings) and which method is supported (TOTP, FIDO2, SMS). Classify applications by criticality based on the sensitivity of the data accessible.

Step 2 — Technical Deployment and Staff Enrollment

For Microsoft 365, configuration is done through the Azure Active Directory (Entra ID) portal. Enable "Security Defaults" or, for firms with more than 10 employees, configure Conditional Access policies (available from the Business Premium license upward). These policies make it possible to require 2FA under specific conditions: access from outside the office, login from an unknown device, unusual time of day.

For accounting software, the procedure varies by publisher:

  • Cegid Loop: security settings > enable double authentication > generate QR codes for each user
  • MyUnisoft: administration > security > strong authentication > enforce 2FA for all profiles
  • Sage 100 Cloud: contact Sage administrator or your reseller to enable the MFA module

Plan an enrollment session with each employee (15 to 20 minutes per person). Provide each user with a summary sheet with their recovery codes, to be kept in a secure physical location (firm safe, for example).

Step 3 — Management Policy and Emergency Procedures

Technical implementation is only half the work. A documented security policy must specify:

  • Who can temporarily disable 2FA (system administrator only, never the employee themselves)
  • Procedure for device loss: immediate account blocking, regeneration of backup codes, supervised re-enrollment
  • Review frequency: semi-annual audit of access and authentication methods
  • Management of departures: immediate revocation of access and 2FA secrets when any employee leaves

This policy naturally integrates into your business continuity plan (BCP) and into your data processing register under the GDPR. Consulting the Certyneo help center can provide you with policy templates adapted to small and medium-sized structures.

---

Integration of 2FA with Electronic Signature Tools

Advanced or qualified electronic signature, as defined by the eIDAS regulation, requires strong authentication of the signer. In practical terms, when your firm sends a letter of engagement or service contract to a client for signature, the signature platform must verify the identity of the signer in a robust manner. This is precisely where 2FA comes in.

On signature platforms that comply with eIDAS (advanced or qualified level), the signer receives a link by email, then must verify their identity through a second channel (SMS, authentication app, or qualified certificate). This process creates an audit trail with timestamps and cryptographic verification, which constitutes irrefutable evidence in case of dispute — a crucial issue for accounting experts who commit their professional civil liability on every engagement.

To understand the different levels of signature and choose the one suited to your document workflows, reading the complete guide to electronic signature is recommended. Firms using Certyneo benefit from native integration of 2FA in the signature flow, which reduces friction for the signer while maintaining the required level of compliance.

Particular attention should be paid to letters of engagement (required under professional standard 2400 of the OEC) and auditor reports: these documents commit the professional's personal responsibility and require flawless authentication traceability. You can also use an AI-powered contract generator to automate the creation of these documents while integrating strong authentication requirements from the outset in the design.

---

Training and Raising Awareness Among Staff: The Human Factor

Even the most rigorous technical deployment becomes ineffective if staff do not understand the issues or circumvent security measures. In accounting, teams are often composed of very diverse profiles: senior partners, junior staff, interns, office managers. Training must be adapted to each profile.

Recommended awareness program for a firm of 5 to 30 people:

  1. Launch session (1 hour): presentation of concrete risks (anonymized real incident examples in the sector), live configuration demonstration, Q&A
  2. Short video tutorials (3-5 minutes each): one tutorial per critical application, available in the firm's intranet
  3. Simulated phishing exercise: send a fake phishing email 3 months after deployment to measure actual vigilance and identify staff needing additional support
  4. Integration into onboarding: every new employee configures their 2FA on their first day, with a dedicated contact

The Order of Accounting Experts (OEC) also provides continuing education resources on cybersecurity as part of annual training obligations (40 hours for accounting experts registered on the roll). These trainings can count toward your quality approach if your firm is ISO 9001 certified or is pursuing a cybersecurity certification (ExpertCyber label from ANSSI, for example).

---

Regulatory Framework

The implementation of two-factor authentication in an accounting firm is part of a dense regulatory framework, built around several fundamental texts.

The eIDAS Regulation No. 910/2014 and its eIDAS 2.0 revision (EU Regulation 2024/1183) form the reference basis for everything related to electronic identification in Europe. Article 8 defines three levels of assurance for electronic identification means: low, substantial, and high. For acts that engage an accounting professional's responsibility (signature of reports, validation of tax returns online), the level of assurance "substantial" or "high" is required, which necessarily implies multi-factor authentication.

The GDPR (EU Regulation 2016/679), in its article 32, requires controllers to implement "appropriate technical and organizational measures" to ensure the security of personal data. An accounting firm handles sensitive personal data (financial data, health data via payroll slips with sick leave, etc.). The absence of 2FA on access to accounting software very likely constitutes a breach of this article, exposing the firm to fines up to 4% of global annual turnover (article 83 GDPR).

The Civil Code, articles 1366 and 1367, regulate the legal validity of electronic signatures. Article 1367 specifies that "the reliability of an electronic signature process is presumed, unless proven otherwise, when that process implements a qualified electronic signature." Strong authentication is an essential component of this presumption of reliability.

The NIS2 Directive (EU Directive 2022/2555), transposed into French law by Law No. 2024-449 of May 21, 2024 and its implementing decrees, extends cybersecurity obligations to a wide range of entities. Although accounting firms are not directly listed as essential entities, those providing digital services to essential or important entities (healthcare facilities, local authorities, critical infrastructure companies) may be subject to obligations indirectly through their service contracts.

Professional Standard 2400 of the Order of Accounting Experts furthermore imposes a strengthened obligation to ensure the security of information systems for firms handling statutory missions. ANSSI explicitly recommends MFA as a minimum measure in its guide "Securing Information Systems for SMEs/Small Businesses" (2024 edition).

Professional civil liability: in the event of a data breach affecting clients resulting from the absence of 2FA, the firm's professional civil liability insurer may invoke gross negligence to reduce or deny coverage. It is strongly advised to keep the technical deployment documentation for 2FA as proof of diligence.

Use Cases: 2FA in Practice in Accounting Firms

Scenario 1 — A Medium-Sized Accounting Firm

A firm with about fifteen employees managing approximately 400 active mandates decided to deploy 2FA across all its tools following a phishing incident that almost compromised access to its payroll software. Management opted for Microsoft Authenticator on Microsoft 365 (email, SharePoint, Teams) and the native TOTP support of its cloud accounting software.

The deployment was completed in three weeks: one week of inventory and configuration, one week of staff enrollment in groups of five, one week of monitoring and troubleshooting. Result: zero account compromise incidents in the following 12 months, compared to two incidents the previous year. Time spent managing security incidents was reduced by approximately 70%. The firm was also able to demonstrate to several large corporate clients (including one industrial SME customer imposing a supplier security charter) that its systems complied with MFA requirements.

Scenario 2 — An Audit Firm

An audit firm managing around sixty statutory audit mandates was confronted with a specific requirement: its clients increasingly ask for proof of GDPR compliance when renewing missions. The firm chose to deploy FIDO2 security keys for partners (access to the most sensitive files) and TOTP applications for senior staff, while maintaining SMS OTP only for low-sensitivity access.

At the same time, the firm integrated advanced electronic signature into its audit report workflows, with systematic strong authentication of the signer. Thanks to the audit trail generated, two potential disputes with clients contesting the effective date of report delivery were resolved in the firm's favor by producing time-stamped authentication logs. The reduction in report signature delays (from an average of 5 days to less than 24 hours) also streamlined billing and improved firm cash flow by approximately 15%.

Scenario 3 — A Growing Regional Network

A regional network of accounting firms that absorbed three independent structures in two years found itself with significant system heterogeneity: some absorbed firms had no 2FA policy, others used SMS OTP. The group took advantage of this integration to standardize with a unified identity management solution (IAM — Identity and Access Management) with mandatory 2FA.

The initial investment (IAM licenses, training, support) was estimated at around 8,000 € for the entire group (approximately 45 employees). In return, the reduction in costs related to security incidents (IT service provider interventions, crisis management) was estimated at 15,000-20,000 € in the first year. The group was also able to negotiate a 20% reduction in its cyber insurance premium by providing its insurer with documentation of the 2FA deployment.

Conclusion

Two-factor authentication is no longer a luxury reserved for large firms: it is a security and compliance imperative for any accounting practice, regardless of its size. Between GDPR requirements, ANSSI recommendations, eIDAS obligations for electronic signature, and growing client pressure on security standards for their service providers, 2FA has become an essential industry standard.

The good news: deployment is now accessible, quick, and cost-effective. By following the steps described in this article — inventory of applications, choice of appropriate method, staff enrollment, drafting of a documented policy — your firm can achieve a robust level of security within a few weeks.

Certyneo natively integrates strong authentication into its electronic signature workflows, allowing you to combine eIDAS compliance and MFA security without additional complexity. Discover our offers and pricing or contact our team for personalized support in bringing your firm into compliance.
