By Scott Carr.
A staff accountant gets a new phone over the weekend. Monday morning, she can’t log into the firm’s document management system. The authenticator app on her new device shows nothing. There’s a client deadline by noon.
This is a real operational problem for accounting firms, and it happens more often than most partners realize. Multi-factor authentication is one of the most important security controls a firm can maintain — it’s a core requirement under the FTC Safeguards Rule, and it protects client financial data from unauthorized access. But it’s tied to a specific device. Change that device without preparation, and the protection becomes a barrier.
Why Accounting Firms Face Elevated Risk
The FTC Safeguards Rule requires financial services firms, including CPA practices and accounting firms, to implement MFA for any system that accesses customer financial information. The rule does not make exceptions for device transitions.
Beyond compliance, clients trust their accounting firms with tax returns, financial statements, payroll records, and banking information. A lockout that forces a workaround — credential sharing, bypassing MFA, or accessing systems from an unprotected personal device — creates a security exposure that could affect that trust and, depending on the circumstances, put the firm’s compliance posture at risk.
The good news: this is entirely preventable with the right process in place.
How the Problem Happens
Authenticator apps like Microsoft Authenticator, Google Authenticator, and Duo Mobile generate time-sensitive codes that are bound to the specific device enrolled during setup. The app and the platform share a secret key established at registration. When a staff member gets a new phone and that registration isn’t properly transferred or reset, the connection breaks — even if the correct password is entered. Without access to the old device or a backup method, recovery requires administrator intervention and can take hours.
For a firm mid-season or in the middle of a client engagement, those hours matter.
What Firms Should Put in Place
The fix doesn’t require new software or significant investment. It requires a documented process communicated to staff before any device change occurs.
First, firms should inventory every system protected by MFA: client portals, tax software, document management platforms, Microsoft 365, cloud storage, and payroll systems. Knowing what requires authentication — and who has access — is the starting point.
Second, authenticator app cloud backup should be enabled before any device transition. Microsoft Authenticator supports encrypted cloud backup, which allows account credentials to be restored on a new device. This setting is off by default and needs to be turned on proactively.
Third, every staff account should have a registered backup authentication method — a secondary phone number, a hardware security key, or admin-assisted reset capability. A single authentication method with no fallback is the configuration most likely to cause an extended lockout.
Fourth, recovery codes should be stored in the firm’s password manager, not on the device itself. Most platforms generate these one-time codes during initial MFA setup. They are the last line of defense when all other methods fail.
Fifth, staff should keep the old phone active through the transition period. The correct sequence is to set up the authenticator app on the new device, confirm that every account authenticates successfully, and only then wipe and trade in the old device. Reversing that order is the most common cause of lockouts.
Finally, old devices should be deregistered from account security settings after the transition is confirmed. Leaving stale device registrations active is both a security exposure and an administrative gap that can complicate future audits.
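The six steps above reduce to a checklist a firm can run against its MFA inventory before any device change, and again before busy season. The following is an added example of that check, not the article's or any vendor's tooling; the registration fields and the sample inventory are constructed, and in practice they would be exported from each platform's admin console.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class MfaRegistration:
    """One staff member's MFA state on one protected system (fields constructed for this example)."""
    user: str
    system: str
    methods: list                       # e.g. ["authenticator_app", "sms", "security_key"]
    cloud_backup_enabled: bool          # authenticator app backup turned on
    recovery_codes_in_password_manager: bool
    registered_devices: dict            # device name -> date last used


def readiness_findings(reg: MfaRegistration, today: date, stale_days: int = 30) -> list:
    """Apply the pre-transition checks from the article and return the gaps for one registration."""
    findings = []
    if len(reg.methods) < 2:
        findings.append("single authentication method, no fallback")
    if "authenticator_app" in reg.methods and not reg.cloud_backup_enabled:
        findings.append("authenticator cloud backup disabled")
    if not reg.recovery_codes_in_password_manager:
        findings.append("recovery codes not stored in password manager")
    stale = [name for name, last_used in reg.registered_devices.items()
             if (today - last_used).days > stale_days]
    if stale:
        findings.append("stale device registration(s): " + ", ".join(sorted(stale)))
    return findings


def audit(registrations: list, today: date) -> dict:
    """Map (user, system) to its findings; registrations with no gaps are omitted."""
    report = {}
    for reg in registrations:
        findings = readiness_findings(reg, today)
        if findings:
            report[(reg.user, reg.system)] = findings
    return report


# Constructed sample inventory, not real firm data.
SAMPLE = [
    MfaRegistration("j.doe", "document_management", ["authenticator_app", "sms"], True, True,
                    {"Pixel 8": date(2025, 1, 10)}),
    MfaRegistration("a.lee", "tax_software", ["authenticator_app"], False, False,
                    {"iPhone 12": date(2024, 9, 1), "iPhone 15": date(2025, 1, 12)}),
]
```

Any account that appears in the report is one that would turn a phone swap into a lockout or leave a stale registration behind.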
A Note on Tax Season Timing
Device transitions that aren’t managed carefully carry the most risk during peak periods. A staff lockout in January or March doesn’t just affect that individual — it affects the client work in progress. Firms should conduct a quick review of staff MFA registrations before busy season begins each year, confirm that backup methods are active and recovery codes are stored, and verify that the firm has admin-level reset capability for each platform it uses.
Some platforms, particularly practice management and EHR-adjacent systems, manage authentication at their own identity layer rather than through Microsoft 365 or Google Workspace. Firms should identify in advance whether MFA resets for those platforms require coordination with the software vendor, because that process can add lead time that doesn’t exist in the middle of an engagement.
Building a Policy That Holds
MFA is not a technology problem that gets solved at deployment. It’s an operational practice that requires ongoing management. Firms that build a written device change policy — and communicate it to staff before changes happen rather than after a lockout occurs — rarely experience extended disruptions. Firms that treat MFA as an IT detail rather than a firm operations issue tend to discover the gap at the worst possible time.
The policy doesn’t need to be complex. It needs to answer three questions: What happens before a staff member switches phones? Who handles a reset if something goes wrong? And where are the recovery codes stored? Documenting those answers and training staff on the process is what separates a five-minute reset from a two-hour incident.
Scott Carr, owner of Farmhouse Networking in Grants Pass, Oregon, is a veteran Network & Computer Systems Architect with over 30 years of IT experience. For over a decade, he’s led his team in delivering proactive, secure, and fully managed IT services to more than 80 businesses—including accounting and finance firms that rely on data security, compliance, and efficiency. Scott’s hands-on, jargon-free approach ensures every client understands their technology and gains confidence in their systems. His firm is known for fast, responsive support—most issues are resolved within 15 minutes—and deep expertise in cybersecurity, network design, and IT compliance. Learn more about how Farmhouse Networking supports the accounting industry at https://www.farmhousenetworking.com/finance-it-support/.
Photo credit: blossomstar/Freepik