Account safety: two-factor authentication for business tools
Two-factor authentication for business means adding a second check — a passkey, an app code, a physical key — on top of your password, so a stolen password alone can't open your accounts. For the tools you run every day — Shopify, Klaviyo, Google Workspace, Meta — it is the single highest-leverage security step a UK small business can take.
It is also fast becoming a requirement rather than a choice, from the platforms themselves and from Cyber Essentials, and one focused afternoon closes the door attackers most often use.
The morning it goes wrong
Picture an ordinary Tuesday. Your Shopify payout lands in someone else's bank account. Your Meta ad account starts running campaigns you didn't authorise, on your budget. A password-reset email for your accounting login arrives in an inbox you no longer control. None of this needs sophisticated hacking. It usually needs one password, taken in a data breach or handed over on a convincing fake login page.
We're a small UK business ourselves, running the same stack our clients do: Google Workspace, Shopify, Klaviyo. So we don't write about this as distant consultants. We've sat with the setup screens, weighed up the "what if I lock myself out" worry, and worked out the calm way through. The good news is that this is straightforward to fix, and we can show you exactly how.
Why account safety is the highest-leverage thing you can do
Most security advice is abstract. The UK numbers are not.
According to the UK Government's Cyber Security Breaches Survey 2025 (published by the Department for Science, Innovation and Technology on 19 June 2025), 43% of UK businesses reported a cyber security breach or attack in the previous 12 months. Among those that were breached, 85% experienced phishing, by far the most common type. Phishing doesn't break your network; it goes after your credentials, by tricking a person into typing them in. A strong password is no defence once you've been persuaded to hand it over.
The follow-up survey makes the gap personal. The Cyber Security Breaches Survey 2025/2026 (published 30 April 2026) found that only 47% of UK businesses have any two-factor authentication in place — falling to 43% of micro businesses, against 90% of large businesses. In other words, more than half of small firms still have no second factor at all. That's your peer group, and it's the exact gap attackers rely on.
It's also a live and rising threat, not a background one. Action Fraud, the UK's national fraud and cybercrime reporting body, reported that social media and email account compromises surged 57% in 2024 — 35,434 reports, up from 22,530 in 2023, with nearly £1 million lost. Most of those are accounts secured by a password and nothing else.
The fix for all of this is the same, and it's not expensive: a second factor on the accounts that matter.
The Cyber Essentials rule change that affects every cloud tool
If you're considering Cyber Essentials — the UK Government-backed certification run by the NCSC and its delivery partner IASME — there's a change worth knowing about. According to IASME, for assessment accounts created after 26 April 2026, failing to enable multi-factor authentication on any cloud service that offers it is an automatic fail, and cloud services can no longer be excluded from the scope of the assessment.
That definition of "cloud service" is broad: it covers any service you reach with a business account — which means Google Workspace, Shopify, Klaviyo and Meta Business are all in scope. The point isn't to alarm you. It's that the standard has caught up with reality, and getting this right now is simply good housekeeping.
There's a tangible upside, too. The NCSC and IASME both confirm that UK organisations with turnover under £20m that achieve whole-organisation Cyber Essentials certification are entitled to free Cyber Liability Insurance — a £25,000 limit of indemnity, arranged by IASME, with 24/7 incident response support covering technical, legal and crisis-management help. (Cyber Essentials targets the most common attack routes and is the sensible minimum standard; it doesn't make you immune, and we won't pretend otherwise.)
Not all two-factor authentication is equal
A second factor is good. Some second factors are much stronger than others, and it's worth a minute to understand why, because the difference is the difference between "harder to break in" and "can't be phished at all."
The NCSC ranks the methods across five tiers, strongest to weakest:
- FIDO2 credentials (passkeys and hardware security keys) — the strongest.
- Challenge-based authenticator apps (the app shows a prompt or a number-matching check to approve, rather than a code you type over).
- App-based code generators (the six-digit code in an app like Google Authenticator).
- Hardware-based code generators (a separate key-fob or token that displays a code).
- Message-based methods (SMS text codes) — the weakest.
SMS sits at the bottom for a reason. The NCSC says text-message codes are "only likely to be appropriate when no other strengthening method is possible" — they can be intercepted, redirected through SIM-swap fraud, or phished along with your password. To be clear, SMS is still far better than no second factor at all; the NCSC's principle is that any second factor beats none. It just shouldn't be your finishing line.
A passkey is the one to aim for. It's a credential stored on your device (your phone or laptop) and unlocked by your fingerprint, face or PIN. Unlike a code you type in, it can't be phished: your browser binds each sign-in to the real website's exact address, and the website checks that binding before letting you in. A fake login page, however convincing, cannot produce a sign-in the real site will accept. The NCSC now recommends passkeys wherever a service supports them, with a password manager and two-step verification as the fallback where they don't.
Google reports the same direction of travel: passkeys have been used to sign in more than 1 billion times across over 400 million Google accounts, and are already used more often than SMS codes and app one-time passwords. Google's own guidance is blunt: it describes two-step verification as a first line of defence that can cut account takeover by as much as 50%, and calls security keys "the most secure form of 2SV and protect against phishing threats."
You don't have to get to passkeys everywhere on day one. The order that matters is: get a second factor on, prefer an authenticator app over SMS, and move to passkeys where the platform supports them.
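To make the difference between the tiers concrete, here is an added worked example (written for this page, not code from the original article, from True Noise or from any of the platforms named). It also answers the "What's a passkey" question in the FAQ further down. It builds both factors from the standards they rest on: the six-digit app code from RFC 6238 (TOTP over RFC 4226 HOTP), and a passkey sign-in as a simplified WebAuthn assertion, where the browser records the origin it is on and the authenticator's signature covers it. Then it plays the same attack against both: a fake login page collects what the user produced and relays it to the real site. The domain names, the challenge value, and the test-vector secret are constructed for the demo; the WebAuthn check is reduced to the steps that matter here (challenge, origin, RP ID hash, signature) and omits flag, counter and credential-lookup handling a production relying party would also do.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// totp is the six-digit app code: RFC 6238 on top of RFC 4226 HOTP (SHA-1, 30-second step).
func totp(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation, as in RFC 4226 section 5.3
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(h[off:off+4])&0x7fffffff)%1000000)
}

// totpAccepts is the real site's check. Nothing in it records WHICH page the user typed
// the code into, so a fake page relaying the code inside the 30-second window passes.
func totpAccepts(secret []byte, unixTime int64, submitted string) bool {
	return hmac.Equal([]byte(totp(secret, unixTime)), []byte(submitted))
}

// clientData is built by the browser, not the page: the browser writes in the origin the
// user is really on, and the authenticator's signature covers it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the site receives back from navigator.credentials.get().
type assertion struct {
	AuthData   []byte // SHA-256(rpID) || flags || signCount
	ClientJSON []byte
	Sig        []byte // ES256 over SHA-256(AuthData || SHA-256(ClientJSON))
}

func signedDigest(authData, clientJSON []byte) []byte {
	ch := sha256.Sum256(clientJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), ch[:]...))
	return d[:]
}

// signAssertion models the authenticator. Its key was created for rpID at registration;
// browserOrigin is whatever site the browser is actually showing.
func signAssertion(priv *ecdsa.PrivateKey, rpID, browserOrigin, challenge string) assertion {
	cj, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; signCount = 1
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cj))
	return assertion{AuthData: authData, ClientJSON: cj, Sig: sig}
}

// verifyAssertion is the relying party's side: the WebAuthn checks that matter for phishing.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, a assertion) (bool, string) {
	var cd clientData
	if err := json.Unmarshal(a.ClientJSON, &cd); err != nil || cd.Type != "webauthn.get" {
		return false, "malformed client data"
	}
	if cd.Challenge != challenge {
		return false, "challenge mismatch (replay or wrong session)"
	}
	if cd.Origin != origin { // the anti-phishing check: where was the user really signing in?
		return false, "origin mismatch: assertion was made on " + cd.Origin
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 37 || !hmac.Equal(a.AuthData[:32], want[:]) {
		return false, "rpIdHash mismatch: credential was issued for another RP ID"
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthData, a.ClientJSON), a.Sig) {
		return false, "bad signature"
	}
	return true, "ok"
}

// phishingDemo plays the same relay attack against both factors.
func phishingDemo() (totpRelayed, passkeyReal, passkeyRelayed bool, why string) {
	secret := []byte("12345678901234567890") // RFC 4226 test-vector secret, a constructed demo value
	totpRelayed = totpAccepts(secret, 59, totp(secret, 59)) // the fake page forwards the harvested code
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const rpID, realOrigin, fakeOrigin = "shop.example", "https://shop.example", "https://shop-example-help.test"
	const challenge = "fresh-random-challenge" // assumption: the server issues a random value per login
	passkeyReal, _ = verifyAssertion(&priv.PublicKey, rpID, realOrigin, challenge, signAssertion(priv, rpID, realOrigin, challenge))
	passkeyRelayed, why = verifyAssertion(&priv.PublicKey, rpID, realOrigin, challenge, signAssertion(priv, rpID, fakeOrigin, challenge))
	return
}

func main() {
	t, r, f, why := phishingDemo()
	fmt.Printf("TOTP relayed via fake page accepted: %v\npasskey on the real site: %v\npasskey relayed via fake page: %v (%s)\n", t, r, f, why)
}
```

Run it with `go run` and the relayed TOTP is accepted while the relayed passkey assertion is refused with an origin mismatch. The TOTP secret is the RFC 4226 test-vector secret, so the code at Unix time 59 is 287082, matching the published vector. In a real browser the fake page would not even get that far: the browser only offers a credential whose RP ID matches the domain it is on, so the shop.example passkey is never unlocked on shop-example-help.test. The server-side origin and rpIdHash checks in verifyAssertion are the backstop that makes a relayed or replayed assertion useless even if one were obtained.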
Setting it up, tool by tool
This is the practical core. Here's where each of the main tools stands, what's at risk, and the minimum we'd recommend.
Email first — Google Workspace or Microsoft 365
Start here, always. The NCSC is explicit about why: "criminals with access to your inbox can use it to reset passwords on your other accounts." Your email is the master key to almost everything else, so it gets the strongest protection first.
- What's at risk: every other account that uses your email for password resets — which is most of them.
- Minimum setting: two-step verification on, authenticator app or stronger.
- Aim for: a passkey or hardware security key for anyone with an admin role.
Google is moving to enforce two-step verification for Workspace admin accounts, so for administrators this is becoming a requirement rather than a recommendation. Doing it deliberately now means you control the timing instead of being prompted at an awkward moment.
Shopify
- What's at risk: your storefront, customer data, and — critically — your payouts.
- Minimum setting: two-step authentication is mandatory to activate Shopify Payments. No second factor, no payouts.
- Aim for: passkeys, which Shopify supports as a secure sign-in method.
If you're on Shopify Plus, an organisation can require all users to use a secure sign-in method — passkeys or two-step authentication — to log in. (That organisation-wide enforcement is a Shopify Plus feature; on other plans you enable it per account.)
Klaviyo
- What's at risk: your email and SMS marketing, your subscriber lists, and your sending reputation.
- Minimum setting: on Klaviyo paid accounts, MFA is already mandatory — every user must set it up, or use another approved measure such as single sign-on.
- Aim for: an authenticator app rather than SMS (Klaviyo recommends the app). Klaviyo issues 4 single-use backup codes when you set up your authenticator — keep them somewhere safe.
Account owners can require MFA across the whole organisation, so nobody slips through.
Meta Business Portfolio
This one trips people up, because the security lives somewhere unexpected. Your Meta Business Portfolio is controlled through the personal Facebook accounts of its admins, so two-factor authentication is set up on the personal account, not a separate business one.
- What's at risk: your ad accounts, your budget, and your business pages — all reachable through an admin's personal login.
- Minimum setting: two-factor authentication on the personal Facebook account of every portfolio admin.
- What Meta enforces: Meta can require two-factor authentication for portfolio admins and can restrict advertising access where it isn't enabled.
If the personal account has no second factor, that's the way in. Securing it is securing the business.
Instagram strongly recommends two-factor authentication, and an authenticator app is preferred over SMS. If your business presence runs through Instagram, treat it like any other account that matters: a second factor on, app rather than text where you can.
"But what if I get locked out?"
This is the worry that stops most people, and it's a fair one. It's also solved.
Every major platform — Shopify, Klaviyo, Google, Meta — generates recovery (or backup) codes when you switch on two-factor authentication. These are single-use codes that get you back in if you lose your phone. The whole trick is storing them properly: printed and kept somewhere secure, or saved in a password manager — never sitting in the inbox or on the phone they're meant to rescue. Klaviyo, for instance, gives you 4 single-use backup codes at setup.
If you use a password manager to hold those codes (a sensible choice), the NCSC recommends putting "strong user authentication (such as multi-factor)" on the password manager itself, so the vault holding your keys has its own lock.
Set up well, lockout stops being a risk. That's a large part of what doing this properly buys you: not just protection, but the confidence to use it without fear.
A free place to start today
If you'd like to make a start this afternoon without spending anything, the NCSC Cyber Action Toolkit is a genuinely good free resource. The NCSC launched it on 14 October 2025 specifically for sole traders, micro businesses and small organisations, and it walks you through the basics in plain language. We recommend it as a self-serve baseline; it's a sound first step whether or not you ever work with us.
What True Noise does
When we run an account-safety engagement, we treat it as the foundation everything else sits on. Compromised accounts undermine your marketing, your store and any AI automation you build on top, so this comes first.
In practice, we:
- Audit every account your team actually uses — not just the headline platforms, but the quieter logins that tend to get forgotten and are often the weakest link.
- Configure multi-factor authentication correctly on each one, choosing the strongest method the platform supports — passkeys where we can, an authenticator app where we can't, and SMS only where there's no alternative.
- Set up a shared, sane approach to recovery codes so the team can get back in without anyone storing keys in a risky place.
- Leave you a written record of what was done, where, and why — so you own the knowledge, not just the result.
We hold our own systems to a higher standard than most agencies hold their clients': secrets kept out of code, intrusion protection in front of our services, and automated security checks on everything we ship. We mention it because we think the people securing your accounts should visibly take their own seriously.
Proof
Our position rests on the evidence above: UK Government, NCSC, IASME and the platforms' own published guidance.
When we run your free audit, you'll see exactly the kind of evidence we work from — a clear picture of where your accounts stand today, before you commit to anything.
How this fits your plan
Account safety can be a standalone audit engagement, or part of the ongoing care in your monthly plan — keeping new accounts secured as your team and tools grow. Either way the cost is predictable and scoped up front, with nothing hidden. See the pricing page for what the monthly plan covers, or ask us when you request a quote.
Frequently asked questions
Do I really need two-factor authentication if I already use a strong password?
Yes. The NCSC is clear that passwords can be stolen through no fault of your own — in data breaches, or through phishing — even when they're long and unique. Phishing in particular bypasses password strength entirely by tricking you into handing the password over: the UK Government's Cyber Security Breaches Survey 2025 found that 85% of breached UK businesses were hit by phishing. A strong password plus a second factor is the baseline; a password on its own no longer is.
Is SMS two-factor authentication good enough?
It's better than nothing; the NCSC's principle is that any second factor beats none. But SMS is the weakest of the NCSC's five tiers, suitable "only when no other strengthening method is possible." Text codes can be intercepted or redirected through SIM-swap fraud, and a fake login page can collect a text code and relay it just as it collects your password. UK social media and email account hacks rose 57% in 2024 (Action Fraud), and most of those accounts had a password and nothing else. For a business account, treat an authenticator app as the minimum, and passkeys or a hardware security key as the goal.
What if I lose my phone and get locked out?
This is the most common worry, and recovery codes solve it. Every major platform — Shopify, Klaviyo, Google, Meta — gives you single-use backup codes when you switch on two-factor authentication. Store them in a password manager or print them and keep them somewhere secure — not on the phone or in the inbox they're meant to recover. Klaviyo, for example, issues 4 single-use codes at setup. Set up properly, getting locked out stops being a realistic risk.
Does Cyber Essentials really require MFA for Shopify and Google Workspace?
For assessment accounts created after 26 April 2026, yes. According to IASME, the updated definition of "cloud service" covers any on-demand service you access with a business account — which includes tools like Google Workspace and Shopify — and cloud services can't be excluded from the scope of the assessment. If multi-factor authentication is available and you haven't enabled it, that's an automatic certification failure.
What's a passkey, and is it better than an authenticator app?
A passkey is a credential stored on your device and unlocked by your fingerprint, face or PIN. Unlike a one-time code, it can't be phished — the handshake is bound to the real website's exact address, so a fake login page can't receive it. The NCSC ranks this type of credential (FIDO2) at the top of its five-tier hierarchy and now recommends passkeys wherever a service supports them. Google reports that passkeys are already used more often than SMS codes and app one-time passwords across its accounts.
My staff share one Shopify login — does everyone need their own two-factor authentication?
Sharing a login is itself the risk: there's no record of who did what, and one compromised password exposes everything. Each team member should have their own account with permissions matched to their role. On Shopify Plus, an organisation can require a secure sign-in method (passkeys or two-step authentication) for all users. On any plan, the account that protects Shopify Payments must have two-step authentication, or payouts are blocked.
Why do I need to secure my personal Facebook account for business ad campaigns?
Because a Meta Business Portfolio is controlled through the personal Facebook accounts of its admins. If an admin's personal account has no second factor, anyone who compromises it can reach your portfolio, your ad accounts and your budget. Meta can require two-factor authentication for portfolio admins and restrict advertising access where it isn't enabled — so the second factor goes on the personal account, and that's what protects the business.
How long does setting this up across all our tools take?
For a small team on the common stack — Google Workspace, Shopify, Klaviyo, Meta — a focused session usually runs two to four hours, including documenting recovery codes and briefing the team. The NCSC frames these account actions as quick wins, and that matches our experience. We can do it as a standalone audit engagement so it's off your plate in one sitting.
Get a free account-safety audit
We'll run a free, no-obligation audit of the accounts your business runs on — a clear, plain-English picture of where your second-factor protection stands today and where the gaps are. No commitment, no pressure toward the paid option.
Prefer to start for free on your own? The NCSC Cyber Action Toolkit is a sound ten-minute first step.
Ready to have it handled properly? Start a project and we'll audit every account, configure multi-factor authentication correctly, and leave you a written record of exactly what was done.