Two-Factor Authentication Explained Simply
It's the single biggest security upgrade you can make to your business accounts. And it costs nothing.
If you take one piece of security advice from us this year, make it this one: turn on two-factor authentication on every business account that supports it. The acronyms vary — 2FA, MFA, "verification codes," "step-up authentication" — but they all mean the same thing.
A password alone is no longer enough. 2FA is the fix.
What 2FA Actually Is
A password is one factor: something you know.
Two-factor authentication adds a second factor: usually something you have (your phone, a hardware key). Even if a criminal gets your password through a breach or a phishing email, they can't log in without that second factor.
In practical terms, every login looks like this:
- Enter username and password
- App or website asks for a 6-digit code
- You open an app on your phone, copy the code, paste it in
- You're in
It adds about 5 seconds to logins. That's the entire cost.
The Three Kinds of Second Factor
Not all 2FA is equal. From weakest to strongest:
1. SMS text message codes. A six-digit code texted to your phone. Better than nothing, but the weakest option — attackers can intercept SMS or take over your phone number with "SIM swap" attacks, which are increasingly aimed at business owners. Use this only when nothing better is offered.
2. Authenticator apps. Apps like Google Authenticator, Microsoft Authenticator, or Authy that generate a new code every 30 seconds. Much stronger than SMS because the codes are computed on your phone from a secret shared when you set the app up, so nothing is sent over the phone network for an attacker to intercept. This is the default we recommend.
3. Hardware security keys. Small USB or NFC devices (YubiKey is the well-known brand). You tap them to log in. These are the gold standard — they cannot be phished, period — and worth the $30-$50 cost for your most important accounts.
Accounts That MUST Have 2FA On
In rough priority order:
- Your primary email — This is the master key to almost everything else. Whoever controls your email controls your password resets.
- Bank and payment processors — Self-explanatory.
- Cloud storage (Google Drive, Dropbox, OneDrive) — Everything your business runs on probably lives in here.
- Domain registrar — If someone takes over your domain, they can reroute your email and break your website. Lock this one down.
- Accounting software (QuickBooks, Xero) — Financial records and bank connections.
- Microsoft 365 / Google Workspace admin accounts — If you're the admin, your account is more valuable to an attacker than anyone else's.
- Social media accounts that represent your business.
If you only do five of these, do them in this order. Email first.
What to Do If You Lose Your Phone
The number one reason people don't turn on 2FA is the fear of "what if I lose my phone and get locked out?" Two answers:
1. Save your backup codes. Every service gives you a list of one-time backup codes when you turn on 2FA. Print them. Put them in a safe or a sealed envelope with your important documents. Don't email them to yourself — that defeats the purpose.
2. Use an authenticator app with cloud backup. Authy backs up encrypted to the cloud automatically. Microsoft Authenticator does too. If you lose your phone, install the app on a new one, sign in, and your codes come back.
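As an added illustration of how the backup codes mentioned above behave on the service's side (this is example code, not taken from any provider): each code is random, works exactly once, and the service stores only a salted, slow hash of it, so a stolen database does not hand an attacker a ready-made way past your 2FA.

```python
import hashlib
import secrets


def generate_backup_codes(count: int = 10, length_bytes: int = 5) -> list[str]:
    """Return human-friendly one-time codes such as 'a3f9c-17b2e' (constructed format)."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(length_bytes)            # 40 bits of randomness
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


def _normalize(code: str) -> str:
    return code.strip().lower().replace("-", "").replace(" ", "")


def hash_backup_code(code: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Slow, salted hash so short codes cannot be brute-forced offline cheaply."""
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, iterations)


class BackupCodeStore:
    """Hypothetical per-account store: keeps hashes only, and consumes a code on use."""

    def __init__(self, codes: list[str]):
        self.salt = secrets.token_bytes(16)
        self.unused = {hash_backup_code(c, self.salt) for c in codes}

    def remaining(self) -> int:
        return len(self.unused)

    def redeem(self, submitted: str) -> bool:
        h = hash_backup_code(submitted, self.salt)
        for stored in self.unused:
            if secrets.compare_digest(stored, h):
                self.unused.remove(stored)               # single use: gone once accepted
                return True
        return False


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("Print these and keep them offline:", *codes, sep="\n  ")
    print("first code accepted:", store.redeem(codes[0]))
    print("same code again:", store.redeem(codes[0]))
```

The single-use rule is the whole point of the advice to keep the printed list offline: a code is as good as a password for one login, so anyone who finds the list in your inbox can use one before you do.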
When It's Time to Set This Up
If you're starting from zero, the right way to do this is one account at a time, not all at once. Set up your authenticator app, do email first, verify it works, save backup codes. Then bank. Then cloud storage. By the end of a week you've covered everything important.
If you'd like help getting this set up across your whole business — including handling the "what about employees' accounts" question — that's exactly the kind of security review we do.
Need help with this?
We serve Chiefland, Bronson, Williston, Cedar Key, and all of Levy County.