Enabling two-factor authentication (2FA) on company email and software accounts protects your small business against data theft and account takeovers. 2FA verifies two distinct identity factors before letting employees log into online services. Business tools, including Google Workspace, Microsoft 365, and QuickBooks Online, offer various two-factor verification methods, like authenticator apps and passkeys.
Below, we’ll examine what 2FA is, how it works, and why your small business should use it. Explore the most secure login methods and learn how to set up 2FA on major platforms.
What is two-factor authentication?
2FA is a security method that checks two types of proof to verify that a person is who they claim to be. Cloud applications often confirm identity before users sign in by requiring credentials, like an account password (the first factor) and a unique, one-time code from an authenticator app (the second factor). Enforcing 2FA on company accounts reduces the risk of account takeover and is a low-cost identity and access strategy for small businesses.
Multifactor authentication vs. two-factor authentication
2FA is a type of multifactor authentication (MFA). While MFA requires two or more distinct credentials, 2FA needs exactly two. Some two-step verification services aren’t true 2FA processes because they rely on two pieces of evidence from the same category, like a password and security questions, which are things you know.
Types of authentication factors for 2FA
An authentication factor is a category of evidence used to prove one’s identity. The U.S. National Institute of Standards and Technology (NIST) Digital Identity Guidelines list three types of authentication factors:
- Knowledge (something you know): Information known only by the user, such as a password, PIN, or numeric passphrase.
- Possession (something you have): A registered device, like a smartphone with an authenticator app, a passkey, a USB security key, or a smartcard (previously called hardware tokens).
- Inherence (something you are): Biometrics that confirm a unique characteristic, such as a fingerprint, facial features, or a retina scan.
Some online services offer geolocation (somewhere you are) or behavior-based (something you do) authentication options. NIST describes these elements as risk signals or fraud indicators. They can spot suspicious activity, which is crucial to preventing ransomware attacks, but don’t replace an authentication factor or change the authentication assurance level, which rates login strength on a scale of 1 to 3.
How does 2FA work?
2FA uses an authentication process to ensure that the two factors (things a user has, knows, or is) are valid and linked to their account. When you enable 2FA, the service shares a secret with your authenticator app or device. The site checks your password at each login, then verifies the second factor, such as a time-based code or push approval, to confirm it’s you. For many small businesses, enabling two-factor verification is the first step toward a zero-trust approach.
Biometric vs. app-based authentication methods
In NIST's model, biometrics don’t count as a full login method. When paired with an authenticator, like a passkey or FIDO2/WebAuthn-compatible security key, fingerprints or face scans are part of the actual authentication process. App-based authentication works differently.
Authenticator apps, like Google Authenticator or Microsoft Authenticator, generate time-based codes or send push prompts. Unlocking a device with a face scan isn’t part of the verification process. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), app-based authentication codes are more secure than SMS codes, which are vulnerable to SIM-swap fraud. But authenticator apps aren’t phishing-resistant.
For the highest security level, choose device-bound hardware keys and passkeys. These methods are phishing-resistant and recommended by CISA. Consider setting up the strongest 2FA for admins and accounts with access to high-value or sensitive data and enabling app-based authentication methods for employees using third-party apps.
Why small businesses should enforce 2FA now
CISA advises small businesses: “Any form of MFA is better than no MFA.” Indeed, password-only logins leave your company vulnerable. Verizon’s “2025 Data Breach Investigations Report” found that stolen credentials are the source of about 88% of basic web application attacks. These breaches lead to account takeovers and data theft.
According to the FBI’s “2024 Internet Crime Report,” Americans recorded 859,532 cybercrime complaints and “reported losses exceeding $16 billion — a 33% increase in losses from 2023.” Once attackers compromise business software, you must determine if customer data was exposed and communicate breaches quickly. The damage can affect your business finances and reputation, causing long-term harm. Use a layered approach by combining strong authentication methods with small business firewalls.
How to set up 2FA on major platforms
Many online services support 2FA. You can set up two-factor verification in your account’s security or privacy settings. Before deploying 2FA companywide, install security patches and updates on software and hardware. It’s also important to educate employees about new login processes and phone policies for data security.
Here’s how to set up 2FA on the following platforms:
- Google Workspace and Gmail: Sign in to the Google Admin console as a super administrator and turn on 2-step verification for employees. Users complete the setup in their Google accounts, and admins can track enrollment via user reports. You can enforce 2FA for all or certain employees, select enforcement methods, and establish new hire grace periods.
- Microsoft 365: Enable Microsoft’s security defaults in the Entra admin center to require MFA for all employees. Users must register the Microsoft Authenticator app and agree to sign in via push with number matching or use six-digit codes from a TOTP app. Upgrade to Business Premium for Conditional Access, including additional MFA methods and exceptions.
- Meta Business Suite: Set up 2FA in Meta Business Suite for admins or everyone. Users can get a code or approve logins from recognized devices, third-party apps, security keys, or SMS codes.
- QuickBooks Online: Enable 2FA for QuickBooks Online through your Intuit account's "Sign in & security" section. Choose from SMS or voice codes, passkeys, or an MFA app like Google Authenticator. Intuit doesn’t offer 2FA enforcement options.
Recovery options if you lose access
Follow 2FA best practices for storing backup codes and documenting recovery options so that a single lost phone or security key doesn’t lock you out of your admin or payroll tools.
Take these steps to ensure fast account recovery:
- Print backup codes for 2FA. Admin and shared codes stay with your company’s physical records, and employees maintain offline copies for their accounts.
- Register recovery contacts or devices. Add a second phone number, email address, or smartphone to accounts as a recovery backup option.
- Document recovery steps. Have checklists for different scenarios, including lost phones and hacked business accounts. Test recovery options quarterly.
Top two-step authentication apps for small businesses
Free authenticator apps and password managers support standard TOTP codes and are easy to use. For maximum security, equip admins and finance teams with passwordless, phishing-resistant sign-in tools.
Popular app-based authenticators include:
- Authy: Store encrypted 2FA data in the cloud while managing access locally on devices with Authy.
- Microsoft Authenticator: Use Microsoft Authenticator for passwordless sign-in from multiple devices.
- LastPass Authenticator: Manage logins, including passkeys, through a central LastPass vault.