A Step-by-Step Guide to Setting Up Two-Factor Authentication
Two-factor authentication is essential for protecting client data. This simple guide walks you through setting it up for common services.

Two-factor authentication (2FA) adds an extra layer of security beyond your password. Even if someone steals your password, they can't access your account without the second factor. For tax professionals handling sensitive client data, 2FA is essential. Here's how to set it up.
What Is Two-Factor Authentication?
Two-factor authentication requires two different types of verification to access an account. The first factor is usually something you know (your password). The second factor is typically something you have (like your phone) or something you are (like a fingerprint). This combination makes unauthorized access much more difficult.
Common second factors include text message codes, authenticator app codes, hardware keys, and biometrics. Each has advantages and disadvantages, but any 2FA is significantly better than a password alone.
Setting Up Text Message (SMS) Codes
SMS-based 2FA sends a code to your phone via text message when you try to log in. To set this up, go to the security settings of the service you want to protect. Look for options like "Two-Factor Authentication," "Two-Step Verification," or "Login Verification." Choose the SMS option and enter your phone number. The service will send a test code to verify your number is correct.
While SMS is better than no 2FA, it's not the most secure option because text messages can potentially be intercepted. For services containing your most sensitive data, consider using an authenticator app instead.
Using an Authenticator App
Authenticator apps generate time-based codes on your device. Popular options include Microsoft Authenticator, Google Authenticator, and Authy. These apps don't require cell service to work and are more secure than SMS.
To set up an authenticator app, first download the app to your phone. Then, in the security settings of the service you want to protect, choose the authenticator app option. The service will show you a QR code. Open your authenticator app and scan the code. The app will start generating six-digit codes that change every 30 seconds. Enter the current code to confirm setup is complete.
Important: Save Your Backup Codes
Most services provide backup codes when you set up 2FA. These are one-time codes you can use if you lose access to your phone. Save these codes somewhere secure—print them and store them in a safe, or save them in a password manager. Without backup codes, losing your phone could lock you out of your accounts.
Some services also let you set up multiple devices or backup phone numbers. Taking advantage of these options gives you more ways to access your accounts if your primary method fails.
Which Accounts Need 2FA?
At minimum, enable 2FA on your email accounts, tax software, client portal or document management system, and any financial accounts. Your email is especially critical because it's often used to reset passwords for other services—if someone compromises your email, they can potentially access many other accounts.
Consider enabling 2FA on any service that offers it, especially those containing personal or client information. The small inconvenience of an extra login step is worth the significant security improvement.
Tips for Smooth 2FA Use
Keep your phone charged and with you when you'll need to log in. If you're using an authenticator app, the codes work without internet, but you do need your phone physically accessible. For services you use frequently on trusted devices, you can often check "remember this device" to reduce how often you need to enter codes.
When you get a new phone, remember to transfer your authenticator app or re-set up 2FA before deactivating the old device. Some apps, like Authy, allow backup and sync across devices, making this transition easier.
Helping Clients Understand 2FA
If your client portal uses 2FA, be prepared to help clients set it up and understand why it matters. Create simple instructions they can follow, and be patient with those who find technology challenging. Frame 2FA as a protection for their sensitive tax information, not an inconvenience.
Some clients may resist the extra step. Explain that the same password policies that protect their bank account should protect their tax information. Most people understand once they realize how much sensitive data is involved.