Two-Factor Authentication — Set It Up for Every Business Account
If there's one single thing you can do today to dramatically improve the security of your business, it's this: turn on two-factor authentication on every account that offers it. Full stop. It's free, it takes minutes to set up, and it stops the vast majority of account takeover attacks dead in their tracks.
And yet, a surprising number of sole traders and small business owners haven't done it. Maybe it feels like a hassle, maybe you're not sure how it works, or maybe you just haven't got round to it. Whatever the reason, this guide is here to walk you through everything you need to know — what two-factor authentication is, why it matters so much, and exactly how to set it up on the accounts that matter most.
What Is Two-Factor Authentication?
Two-factor authentication — often shortened to 2FA — adds a second layer of security to your login process. Instead of just entering your password (something you know), you also need to provide a second form of verification (something you have or something you are).
The most common types of second factor are:
- A time-based code from an authenticator app. Apps like Google Authenticator, Microsoft Authenticator, or Authy generate a six-digit code that changes every thirty seconds. When you log in, you enter your password and then the current code from the app.
- An SMS text message code. The service sends a code to your phone number, which you enter alongside your password. This is better than no 2FA, but it's the weakest form because SIM-swapping attacks can intercept the texts.
- A hardware security key. A physical device (like a YubiKey) that you plug into your computer or tap on your phone. This is the most secure form of 2FA.
- A push notification. Some services send a notification to an app on your phone, and you simply tap "Approve" to confirm it's you.
- Biometric verification. Fingerprint or face recognition, often used on mobile devices.
The principle behind all of these is the same: even if someone has stolen your password, they can't log in without the second factor. Since they'd need physical access to your phone, your security key, or your fingerprint, the password alone becomes useless to them.
Why It Matters for Your Business
You might think, "I'm just a sole trader — who'd bother hacking my accounts?" Unfortunately, the answer is: quite a lot of people. Automated bots try thousands of username/password combinations every day, using credentials leaked from data breaches at other services. If you've ever reused a password (and most of us have at some point), your accounts are at risk.
The consequences of an account takeover for a sole trader can be devastating:
- Email compromise. A hacker in your email account can read your correspondence, impersonate you to clients, intercept invoices, and reset passwords for your other accounts.
- Banking fraud. Direct access to your business banking could mean money simply disappearing.
- Loss of client data. A breach of your accounting or CRM system could expose sensitive client information, leading to legal liability and reputational damage.
- Accounting software access. If someone gets into your bookkeeping software, they could alter financial records, submit fraudulent tax returns, or steal financial data.
- Social media hijacking. Your business social media accounts could be used to post spam, scams, or inappropriate content — damaging your reputation.
Two-factor authentication prevents the vast majority of these attacks. According to Microsoft, accounts with 2FA enabled are over 99.9 per cent less likely to be compromised. That's not a marginal improvement — it's a near-total defence against the most common attack vector.
Which Accounts Need 2FA?
The short answer: all of them. But if you're going to prioritise, start with the accounts where a breach would hurt the most:
- Email accounts (Gmail, Outlook, Yahoo, etc.) — your email is the master key to everything else
- Business bank accounts — most banks require 2FA for online banking already, but check your settings
- Accounting and bookkeeping software — Accounted, Xero, QuickBooks, or whatever you use
- HMRC Government Gateway — your tax account
- Payment processors — PayPal, Stripe, GoCardless, etc.
- Cloud storage — Google Drive, Dropbox, OneDrive, iCloud
- Social media accounts — Facebook, Instagram, LinkedIn, Twitter/X
- Domain registrar and web hosting — if someone takes over your domain, they control your website and email
- Password manager — if you use one (and you should), it absolutely must have 2FA
- Any other platform containing sensitive business or client data
Work through this list methodically. It might take an hour or two to set everything up, but it's an hour that could save you thousands of pounds and countless headaches.
Setting Up 2FA — A Step-by-Step Guide
The exact steps vary slightly between services, but the general process is the same. Here's how to do it using an authenticator app, which is the recommended method for most accounts.
Step 1: Download an authenticator app. If you don't already have one, download Google Authenticator, Microsoft Authenticator, or Authy from your phone's app store. Authy has the advantage of backing up your codes to the cloud, so you don't lose everything if you lose your phone. Google and Microsoft Authenticator are simpler but require manual backup.
Step 2: Go to the security settings of the account you want to protect. This is usually under "Account Settings" > "Security" or "Login & Security". Look for options like "Two-factor authentication", "Two-step verification", or "Multi-factor authentication".
Step 3: Choose your 2FA method. Select "Authenticator app" (sometimes called "TOTP" or "Time-based one-time password"). The service will display a QR code.
Step 4: Scan the QR code with your authenticator app. Open your authenticator app, tap the "+" or "Add account" button, and scan the QR code. The app will start generating six-digit codes for that account.
Step 5: Enter the verification code. The service will ask you to enter the current code from your authenticator app to confirm everything is working.
Step 6: Save your backup codes. Most services provide a set of one-time backup codes. These are your safety net if you lose your phone or can't access your authenticator app. Save them somewhere secure — printed out and stored in a safe, or in an encrypted file. Do not skip this step.
Step 7: Repeat for every account on your priority list.
What About SMS-Based 2FA?
Some services only offer SMS-based 2FA, where they text a code to your phone. While this is far better than having no 2FA at all, it has a known weakness: SIM-swapping.
In a SIM-swap attack, a fraudster convinces your mobile network to transfer your phone number to a SIM card they control. Once they have your number, they receive your 2FA text messages and can bypass the security. It's not hugely common, but it does happen, particularly when the fraudster has already gathered personal information about you.
If SMS is the only 2FA option available, use it. But where you have a choice, prefer an authenticator app or a hardware security key.
Managing 2FA Day-to-Day
One of the reasons people resist 2FA is the perceived inconvenience. Having to pull out your phone and enter a code every time you log in feels like friction. Here are some tips to make it more manageable:
- Most services remember trusted devices. You'll only need to enter the 2FA code when logging in from a new device, a new browser, or after a certain period. On your regular devices, the extra step is infrequent.
- Use biometric unlocking on your authenticator app. A quick fingerprint or face scan opens the app faster than typing a PIN.
- Keep your authenticator app on your home screen for quick access.
- Consider a hardware security key for your most critical accounts. A YubiKey, for instance, just requires a tap — it's faster than typing a code.
The momentary inconvenience of 2FA is trivial compared to the inconvenience of having your business accounts compromised. Think of it like locking your front door — it takes a second, and you'd never dream of skipping it.
What If You Lose Your Phone?
This is the scenario that worries people most, and it's a valid concern. If your authenticator app is on your phone and your phone is lost, stolen, or broken, you could be locked out of your accounts.
Here's how to prepare:
- Save your backup codes. When you set up 2FA, every service gives you a set of one-time backup codes. Store these securely — ideally printed out and kept somewhere physically safe.
- Use Authy or a cloud-backed authenticator. Unlike Google Authenticator, Authy backs up your 2FA tokens to the cloud, so you can restore them on a new device.
- Register a second device. Some services let you add multiple 2FA methods. Consider adding a hardware security key as a backup.
- Keep your recovery phone number and email address up to date on all your accounts.
If you do lose your phone, you'll use your backup codes to log in and then set up 2FA again on your new device. It's a bit of a pain, but it's manageable — and vastly preferable to having no 2FA at all.
2FA and Your Accounting Software
Your accounting and bookkeeping software contains some of the most sensitive data in your business — income figures, expense records, client information, tax submissions. Protecting it with 2FA is essential.
Accounted supports two-factor authentication, and we strongly recommend enabling it. If Penny is helping you manage your finances day-to-day, the last thing you want is an unauthorised person accessing your account and altering your records or viewing your financial data.
When it comes to your HMRC Government Gateway account, 2FA is now effectively mandatory for most actions. Make sure you've set it up properly and that your registered phone number is current. For broader digital security advice tailored to sole traders, our guide on cyber security for sole traders is well worth a read.
A Quick 2FA Checklist
Run through this list and check off each account as you enable 2FA:
- [ ] Personal email
- [ ] Business email
- [ ] Business bank account
- [ ] Accounting software (Accounted, etc.)
- [ ] HMRC Government Gateway
- [ ] PayPal / Stripe / payment processors
- [ ] Google account / Google Drive
- [ ] Apple ID / iCloud
- [ ] Microsoft account / OneDrive
- [ ] Dropbox or other cloud storage
- [ ] Social media (Facebook, Instagram, LinkedIn, Twitter/X)
- [ ] Website hosting / domain registrar
- [ ] Password manager
- [ ] Any other platform with sensitive data
If you tick off everything on this list, you'll have dramatically reduced your exposure to account takeover attacks. Combined with strong, unique passwords managed through a password manager, you'll have a security posture that would make many larger businesses envious.
Related reading:
- Cyber Security for Sole Traders
- Password Managers — A Business Guide
- How to Spot a Phishing Email and Protect Your Business
Accounted helps UK sole traders stay on top of their bookkeeping and tax. Start your free 30-day trial at getaccounted.co.uk.
Editorial & Research
The Accounted editorial team covers software comparisons, technology, and the tools UK sole traders need to run their businesses efficiently. All software comparisons are based on independent research and publicly available pricing.