Two-Factor Authentication: A Guide for Accounting
Securing access is a critical concern for accounting firms. Discover how to implement two-factor authentication to protect your client data and meet your regulatory obligations.
Certyneo Editorial Team, Writer at Certyneo
Why Two-Factor Authentication is Essential in Accounting
Accounting firms handle highly confidential financial data daily: tax returns, balance sheets, payroll slips, and banking details for hundreds of client companies. In 2025, according to ANSSI's annual report, phishing attacks targeting regulated professions increased by 37% year-over-year. Faced with this threat, two-factor authentication (2FA) — also called multifactor authentication (MFA) — constitutes the first recommended line of technical defense.
Two-factor authentication rests on a simple principle: to access a system, users must prove their identity with two distinct elements. The first is usually "something you know" (a password); the second is "something you have" (a smartphone, a physical key) or "something you are" (biometric data). A stolen password alone is then no longer enough to take over the account. That matters because stolen credentials remain the leading initial access vector in Verizon's Data Breach Investigations Report year after year (the often-quoted 81% figure comes from the 2017 edition, which attributed that share of hacking-related breaches to stolen or weak passwords).
For accounting professionals, compliance with the eIDAS regulation and its strong identification requirements is no longer optional: it is a regulatory and ethical necessity. This article explains, step by step, how to configure 2FA in your firm, which tools to choose, and how to support your team through this transition.
---
Two-Factor Authentication Methods Suited to the Accounting Sector
Authentication Applications (TOTP)
The most widespread method in accounting firms is an application that generates time-based codes (TOTP, Time-based One-Time Password, RFC 6238). Solutions like Google Authenticator, Microsoft Authenticator, or Authy generate a 6-digit code renewed every 30 seconds. The code is derived from a shared secret that the application stores at enrollment (the QR code encodes it), so that secret must be protected on both sides: on the phone and in the accounting application's user database.
Advantages for accounting firms: deployment at no extra cost, works offline, supported by virtually all accounting software (Sage, Cegid, ACD, MyUnisoft). Two disadvantages must be planned for. First, a TOTP code is only as good as the person typing it: a phishing page that relays the code to the real site within its 30-second validity window defeats it, so TOTP reduces but does not remove phishing risk (see the FIDO2 section below). Second, if a team member loses their phone, recovery must have been anticipated: backup codes should be kept in a safe place, and the old secret revoked before a new one is enrolled.
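The following is an added example, not Certyneo's code nor any vendor's, showing what the authenticator app and the accounting application each compute under RFC 6238. It uses only the Python standard library; the account and issuer names are made up for the demonstration, and the RFC test vector in the closing block is the published one (ASCII secret "12345678901234567890", time 59 s, code 287082).

```python
# Added example, not Certyneo's or any vendor's code: RFC 6238 TOTP as the
# authenticator app (generation) and the accounting application (verification)
# each implement it. Standard library only; account and issuer names are
# made up for the demonstration.
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote


def new_secret(nbytes: int = 20) -> bytes:
    """Random shared secret generated once, at enrollment. 20 bytes (160 bits)
    matches the HMAC-SHA1 output size that TOTP apps expect."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI that the enrollment QR code encodes. The app keeps
    the Base32 secret; issuer and account are display metadata."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is
    what the phone displays and renews every 30 seconds."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int,
                step: int = 30, window: int = 1):
    """Server-side check. Accepts the current step and `window` steps on
    either side (phone clock drift), compares in constant time, and refuses
    any counter at or below the last one accepted, so a code seen over a
    shoulder or typed into a phishing page cannot be replayed while it is
    still valid. Returns the accepted counter (persist it as the new
    last_counter for this user) or None."""
    now = unix_time // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 Appendix B test vector: ASCII secret "12345678901234567890",
    # time 59 s -> code 287082 (8-digit form 94287082).
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, 59))
    print(provisioning_uri(rfc_secret, "alice@cabinet.example", "Cabinet"))
```

The replay check is the part most home-grown implementations forget: without a stored `last_counter`, a code captured once stays usable for up to 90 seconds with a ±1 window. What no server-side check can do is distinguish a code typed by the employee from one relayed by a phishing proxy within the same 30 seconds, which is the limit of TOTP described above.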
Physical Security Keys (FIDO2/WebAuthn)
For firms handling large volumes of sensitive data or subject to frequent audits, physical security keys (such as YubiKey or Feitian) offer the highest level of protection. Based on the FIDO2 and WebAuthn standards, they are resistant to phishing by design: the credential is bound to the website's domain (the relying party identifier) at registration, the browser itself records the real origin of the page requesting authentication, and the key signs a challenge that covers both. A lookalike domain therefore obtains no usable signature, which neutralizes credential phishing and the real-time relay ("adversary-in-the-middle") proxies that defeat TOTP and SMS codes.
Increasingly, tax portals and mandatory filing platforms (DGFiP, infogreffe) are adopting these standards. A firm managing one hundred mandates can recoup the cost of keys (approximately €50-80 per unit) within weeks by reducing security incident management time.
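To make the origin binding concrete, here is an added example (not Certyneo's code and not a FIDO library) of the checks a relying party, the firm's web application, performs on a WebAuthn assertion before it verifies the signature. The browser-plus-key behaviour is simulated by `make_assertion()` so the block runs offline; the domain names, the challenge and the `portail.cabinet.example` site are constructed for the demonstration.

```python
# Added example, not Certyneo's code and not a FIDO library: the checks a
# relying party (the firm's web application) performs on a WebAuthn assertion
# before verifying the signature, which is where phishing resistance comes
# from. Browser and key behaviour are simulated by make_assertion(); all
# domain names and challenges are constructed for the demonstration.
import base64
import hashlib
import hmac
import json
import struct
from urllib.parse import urlparse


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(browser_origin: str, rp_id: str, challenge: bytes,
                   sign_count: int = 1) -> tuple[bytes, bytes]:
    """Stand-in for the browser plus security key. Two properties matter:
    the browser refuses an RP ID that is not the page's own domain (or a
    parent of it), and it writes the page's real origin into clientDataJSON
    itself; the key then hashes that RP ID into authenticatorData. A phishing
    page cannot override either field from JavaScript."""
    host = urlparse(browser_origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"browser refuses RP ID {rp_id!r} for origin {browser_origin!r}")
    client_data = {"type": "webauthn.get", "challenge": b64url_encode(challenge),
                   "origin": browser_origin, "crossOrigin": False}
    client_data_json = json.dumps(client_data, separators=(",", ":")).encode()
    flags = 0x01 | 0x04  # UP (user present) | UV (user verified, e.g. PIN)
    authenticator_data = (hashlib.sha256(rp_id.encode()).digest()
                          + bytes([flags]) + struct.pack(">I", sign_count))
    return client_data_json, authenticator_data


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes, expected_origin: str,
                             rp_id: str) -> tuple[bool, str]:
    """Relying-party side: the W3C WebAuthn assertion checks on type,
    challenge, origin, rpIdHash and user presence. If all pass, the server
    goes on to verify the signature over authenticatorData || SHA-256(
    clientDataJSON) with the public key stored at registration (omitted
    here: it needs an ECDSA/RSA library) and to check that the signature
    counter has increased."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch: replayed or foreign assertion"
    if cd.get("origin") != expected_origin:
        return False, f"origin {cd.get('origin')!r} is not {expected_origin!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if not hmac.compare_digest(authenticator_data[:32],
                               hashlib.sha256(rp_id.encode()).digest()):
        return False, "rpIdHash does not match this relying party"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "bound to this origin and RP ID; proceed to signature check"


if __name__ == "__main__":
    challenge = b"\x01" * 32  # in production: fresh random bytes per login
    legit = make_assertion("https://portail.cabinet.example", "cabinet.example", challenge)
    print(verify_assertion_binding(*legit, challenge,
                                   "https://portail.cabinet.example", "cabinet.example"))
    # A lookalike domain can only obtain an assertion for its own RP ID.
    fake = make_assertion("https://portail-cabinet.example.net", "example.net", challenge)
    print(verify_assertion_binding(*fake, challenge,
                                   "https://portail.cabinet.example", "cabinet.example"))
```

Compare this with the TOTP case: a relay proxy sitting on `portail-cabinet.example.net` can forward a 6-digit code unchanged, but it cannot ask the key for a `cabinet.example` credential (the browser refuses), and anything it does obtain carries its own origin and RP ID hash, so the real site rejects it before even looking at the signature.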
SMS OTP: To Be Avoided for Sensitive Data
Although SMS-sent codes remain an option in many systems, the American NIST (National Institute of Standards and Technology) deprecated them in the 2016 draft of its Digital Identity Guidelines (SP 800-63B); the final 2017 version keeps SMS only as a "restricted" authenticator that organizations must justify and plan to replace. SIM swapping attacks (fraudulent transfer of a phone number to a SIM card controlled by an attacker) have affected several French accounting firms in recent years, and like TOTP, an SMS code can be relayed in real time by a phishing page. For access to tax data or electronic signature tools for legal and accounting firms, SMS OTP should only be considered as a last resort.
---
How to Configure Two-Factor Authentication: Step-by-Step Guide
Step 1 — Inventory of Applications and Scope Definition
Before any technical deployment, draw up a comprehensive inventory of all applications used in your firm:
- Accounting software: Cegid Loop, Sage 100 Cloud, ACD Inforce, Quadratus, MyUnisoft
- Email and collaboration tools: Microsoft 365, Google Workspace, Slack
- Document management and signature tools: filing platforms, workflow tools
- Remote access: VPN, RDP, virtual desktops
- Client portals: document exchange spaces with clients
For each application, verify whether 2FA is available (in the "Security" section of settings) and which method is supported (TOTP, FIDO2, SMS). Classify applications by criticality based on the sensitivity of accessible data.
Step 2 — Technical Deployment and Team Enrollment
For Microsoft 365, configuration is done in the Microsoft Entra ID portal (formerly Azure Active Directory). Enable "Security Defaults", which require every user to register for MFA, or, for firms that need finer control, configure Conditional Access policies (included from Business Premium licensing, which carries an Entra ID P1 license). The two are mutually exclusive: Security Defaults must be turned off before Conditional Access policies are created. These policies allow you to require 2FA for every sign-in or only under certain conditions: access from outside the office (named locations), sign-in from a device that is not compliant or not registered, or access to a specific application.
For accounting software, the procedure varies by publisher:
- Cegid Loop: security settings > enable double authentication > generate QR codes for each user
- MyUnisoft: administration > security > strong authentication > enforce 2FA for all profiles
- Sage 100 Cloud: contact your Sage administrator or reseller to enable the MFA module
Plan an enrollment session with each team member (15 to 20 minutes per person). Distribute recovery codes to each user to keep in a secure physical location (the firm's safe, for example).
Step 3 — Management Policy and Emergency Procedures
Technical implementation is only half the work. A documented security policy must specify:
- Who can temporarily disable 2FA (only the system administrator, never the employee themselves)
- Device loss procedure: immediate account lockdown, recovery code regeneration, supervised re-enrollment
- Review frequency: biannual audit of access and authentication methods
- Offboarding procedure: immediate revocation of access and 2FA secrets when any employee leaves
This policy naturally integrates into your business continuity plan (BCP) and your data processing register under GDPR. Consulting the Certyneo help center can provide you with policy templates adapted to small and medium-sized organizations.
---
Integrating 2FA with Electronic Signature Tools
Advanced or qualified electronic signature, as defined by the eIDAS regulation, requires strong identification of the signatory. Concretely, when your firm sends a letter of engagement or service contract to a client for signature, the signature platform must verify the signatory's identity robustly. This is precisely where 2FA comes in.
On eIDAS-compliant signature platforms (advanced or qualified level), the signatory receives a link by email, then must validate their identity via a second channel (SMS, authentication app, or qualified certificate). This process creates an auditable trail with timestamp and cryptographic verification, which constitutes strong evidence in case of dispute, a crucial issue for accounting professionals who commit their professional liability on every engagement.
To understand the different signature levels and choose the one suited to your document workflows, reading the comprehensive guide to electronic signature is recommended. Firms using Certyneo benefit from native 2FA integration in the signature process, which reduces friction for the signatory while maintaining the required compliance level.
Special attention should be paid to letters of engagement (required by OEC professional standard 2400) and audit reports: these documents engage the personal responsibility of the professional and require irreproachable authentication traceability. You can also use an AI contract generator to automate the creation of these documents while integrating strong authentication requirements from the design phase.
---
Training and Raising Team Awareness: The Human Factor
The most rigorous technical deployment becomes ineffective if team members do not understand the stakes or circumvent security measures. In accounting, teams often comprise diverse profiles: senior partners, junior staff, interns, administrative assistants. Training must be adapted to each profile.
Recommended awareness program for a 5-to-30 person firm:
- Launch session (1 hour): presentation of concrete risks (anonymized real incidents in the sector), live configuration demo, Q&A
- Short video tutorials (3-5 minutes each): one tutorial per critical application, available in the firm's intranet
- Simulated phishing exercise: sending a fake phishing email 3 months after deployment to gauge real vigilance and identify employees needing extra support
- Onboarding integration: every new employee configures their 2FA on their first day, with a dedicated mentor
The Order of Accounting Experts (OEC) also offers continuing education resources on cybersecurity as part of annual training obligations (40 hours for registered accounting experts). These trainings can be counted toward your quality approach if your firm is ISO 9001 certified or pursuing a cybersecurity label (the ExpertCyber label run by Cybermalveillance.gouv.fr, for example).
Legal Framework Applicable to Strong Authentication in Accounting
The implementation of two-factor authentication in an accounting firm is part of a dense regulatory framework, articulated around several fundamental texts.
The eIDAS Regulation No. 910/2014 and its eIDAS 2.0 revision (EU Regulation 2024/1183) constitute the reference foundation for everything concerning electronic identification in Europe. Article 8 defines three levels of assurance for electronic identification means: low, substantial, and high. For acts engaging the professional liability of an accounting expert (signature of reports, validation of tax returns online), the "substantial" or "high" assurance level is the appropriate target; under Implementing Regulation (EU) 2015/1502, "substantial" already requires at least two authentication factors from different categories, which is exactly what 2FA provides.
The GDPR (EU Regulation 2016/679), in its Article 32, requires data controllers to implement "appropriate technical and organizational measures" to ensure the security of personal data. An accounting firm processes personal data that is sensitive in practice (financial data, and health-related data when payroll slips record sick leave). The absence of 2FA on access to accounting software is hard to defend as an "appropriate measure" today and exposes the firm to fines of up to €10 million or 2% of annual worldwide turnover, whichever is higher (Article 83(4) GDPR).
The Civil Code, Articles 1366 and 1367, govern the legal value of electronic signature. Article 1367 specifies that "the reliability of an electronic signature process is presumed, until proved otherwise, when the process implements a qualified electronic signature." Strong authentication is an essential component of this presumption of reliability.
The NIS2 Directive (EU Directive 2022/2555), which France is transposing through its legislation on the resilience of critical infrastructure and the strengthening of cybersecurity and the implementing decrees that follow it, extends cybersecurity obligations to a wide spectrum of entities. Although accounting firms are not directly listed as essential entities, those providing digital services to essential or important entities (health facilities, local authorities, critical infrastructure companies) may be subject to obligations indirectly through their service contracts.
OEC Professional Standard 2400 further imposes a strengthened obligation of means regarding information system security for firms handling legal missions. The ANSSI explicitly recommends MFA as a minimum measure in its "Information System Security for SMEs/SMBs" guide (2024 edition).
Professional liability insurance: in case of a data breach resulting from the absence of 2FA, the firm's liability insurer may argue that reasonable security measures were not taken in order to reduce or refuse coverage. It is strongly advised to keep documentation of 2FA deployment as evidence of due diligence.
Use Cases: 2FA in Practice in Accounting Firms
Scenario 1 — A Mid-Sized Accounting Firm
A firm with approximately fifteen employees managing about 400 active mandates decided to deploy 2FA across all tools following a phishing incident that nearly compromised access to its payroll software. Management chose Microsoft Authenticator for Microsoft 365 (email, SharePoint, Teams) and native TOTP applications for its cloud accounting software.
The deployment was completed in three weeks: one week for inventory and configuration, one week for team enrollment in groups of five, one week for follow-up and troubleshooting. Result: zero account compromise incidents in the following 12 months, versus two incidents the previous year. Security incident management time was reduced by approximately 70%. The firm was also able to demonstrate to several large-account clients (including an industrial SME client imposing a supplier security charter) that its systems met MFA requirements.
Scenario 2 — A Firm Specializing in Statutory Audit of SMEs
An audit firm managing about sixty statutory audit mandates faced a specific requirement: increasingly, clients asked for proof of GDPR compliance when renewing missions. The firm chose to deploy FIDO2 security keys for partners (access to most sensitive files) and TOTP applications for senior staff, while maintaining SMS OTP only for low-sensitivity access.
In parallel, the firm integrated advanced electronic signature into its audit report workflows, with systematic strong authentication of the signatory. Thanks to the generated audit trail, two potential disputes with clients contesting the effective date of report delivery were resolved in favor of the firm by producing timestamped authentication logs. The reduction in report signature time (from an average of 5 days to less than 24 hours) also streamlined invoicing and improved firm cash flow by approximately 15%.
Scenario 3 — A Growing Firm through External Expansion
A regional network of accounting firms having absorbed three independent structures in two years found itself with significant system heterogeneity: some absorbed firms had no 2FA policy, others used SMS OTP. The group took advantage of this integration to standardize on a unified identity management solution (IAM — Identity and Access Management) with mandatory 2FA.
The initial investment (IAM licenses, training, support) was estimated at approximately €8,000 for the entire group (about 45 employees). In return, the reduction in security incident-related costs (IT service provider interventions, crisis management) was estimated at €15,000-20,000 in the first year. The group was also able to negotiate a reduction in its cyber insurance premium of around 20% by providing its insurer with 2FA deployment documentation.
Conclusion
Two-factor authentication is no longer a luxury reserved for large organizations: it is a security and compliance imperative for any accounting firm, regardless of size. Between GDPR requirements, ANSSI recommendations, eIDAS obligations for electronic signature, and increasing client pressure on their service providers' security standards, 2FA has become an inescapable sector standard.
The good news: deployment is now accessible, fast, and inexpensive. By following the steps described in this article — inventory of applications, choice of appropriate method, team enrollment, documentation of a policy — your firm can achieve robust security in just weeks.
Certyneo natively integrates strong authentication into its electronic signature workflows, allowing you to combine eIDAS compliance and MFA security without added complexity. Discover our offerings and pricing or contact our team for personalized support in bringing your firm into compliance.