Setting Up Two-Factor Authentication for Virtual Assistant Accounts
Two-factor authentication (2FA) is the single most effective security control you can apply to business accounts managed by a virtual assistant. This guide covers what to secure, how to set it up, and how to manage 2FA codes in a shared-access environment.
Why 2FA Matters for VA Accounts
Passwords alone are not enough to secure business accounts. Data breaches, credential stuffing attacks, and phishing campaigns compromise passwords regularly. 2FA adds a second verification step - typically a code from an app or SMS - that an attacker cannot access even with the correct password.
For VA relationships specifically, 2FA also serves a management function: if the VA's own device is compromised, an attacker cannot access your business accounts without also having the 2FA device.
Which Accounts Need 2FA
Prioritize 2FA on any account that, if compromised, would cause serious business harm:
Tier 1 - Enable immediately:
- Business email (Gmail, Outlook)
- Password manager (LastPass, 1Password, Bitwarden)
- Cloud storage (Google Drive, Dropbox)
- Financial platforms (banking, Stripe, PayPal, QuickBooks)
- CRM (HubSpot, Salesforce)
- E-commerce admin (Shopify, WooCommerce, Amazon Seller Central)
Tier 2 - Enable soon:
- Social media accounts
- Project management tools (Asana, ClickUp, Notion)
- Communication platforms (Slack, Teams)
- Domain registrar and web hosting
- Ad platforms (Google Ads, Facebook Ads Manager)
2FA Methods: What to Use
Authenticator Apps (Best)
Google Authenticator, Authy, Microsoft Authenticator, and 1Password all generate time-based one-time passwords (TOTP). These are more secure than SMS and work offline.
For VA relationships: Authy is particularly useful because it supports multiple devices and backup codes, making it easier to manage when the VA needs access to 2FA codes.
SMS 2FA (Acceptable, Not Ideal)
Sends a code to a phone number via text. Vulnerable to SIM swapping attacks but still significantly better than no 2FA. Acceptable for lower-risk accounts.
Hardware Keys (Most Secure for High-Risk Accounts)
Physical keys like YubiKey provide the strongest 2FA. Best for financial accounts or administrator access - not practical for day-to-day VA account sharing.
The 2FA Sharing Challenge
2FA creates a practical challenge in VA relationships: if the 2FA code goes to your phone, your VA can't log in without you. If it goes to their phone, you lose control.
Here are the workable solutions:
Solution 1: Give VA their own named account (no 2FA sharing needed)
The cleanest approach. Create [email protected] or a dedicated user account in each platform. The VA enrolls their own 2FA on their own device. You retain owner/admin access separately with your own 2FA.
Solution 2: Use Authy with team sharing
Authy allows authenticator codes to be used from multiple devices (with your approval). You control which devices can access 2FA codes. This works for shared accounts where named user accounts aren't possible.
Solution 3: Use a shared authenticator in 1Password
1Password Business supports storing TOTP codes within password entries in a shared vault. The VA accesses the vault (with permission) and can retrieve the current 2FA code alongside the password. Full audit log of access.
Solution 4: SMS to a shared number
Use a business phone number (via Google Voice, OpenPhone, or a VoIP service) as the 2FA receiver. Both you and the VA can access messages from that number. Less ideal for security but workable for lower-risk accounts.
Avoid: Never enroll your VA's personal phone as the 2FA device on your primary accounts. You lose control of 2FA immediately when the engagement ends.
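What sharing an authenticator code means in practice, shown as an added example (not part of the original guide or of any vendor's code): a TOTP code is computed offline from the setup key and the current time (RFC 6238), so every device holding that key shows the same code, and a copy of the key stays valid until 2FA is re-enrolled with a new one. The function names, the sample secrets, the 30-second step, 6 digits and the one-step drift window are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per code; common authenticator-app default (assumption)


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: truncate(HMAC(secret, time // STEP))."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32: str, code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Service-side check that tolerates one step of clock drift either way."""
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + d * STEP), code)
        for d in range(-drift_steps, drift_steps + 1)
    )


# Constructed sample secrets. The first is the RFC 6238 test key
# ("12345678901234567890") in the Base32 form a setup key or QR code carries.
SHARED_SECRET = base64.b32encode(b"12345678901234567890").decode()
ROTATED_SECRET = base64.b32encode(b"re-enrolled-secret-2").decode()

if __name__ == "__main__":
    now = 1234567890  # fixed timestamp so the output is reproducible
    owner_code = totp(SHARED_SECRET, now)  # owner's authenticator entry
    va_code = totp(SHARED_SECRET, now)     # VA's copy of the same entry
    print("owner:", owner_code, "VA:", va_code)
    print("accepted before re-enrollment:", verify(SHARED_SECRET, va_code, now))
    # Once 2FA is re-enrolled the service holds ROTATED_SECRET, so codes
    # generated from the old shared secret no longer verify.
    print("accepted after re-enrollment:", verify(ROTATED_SECRET, va_code, now))
```

No network call is involved at any point, which is why authenticator apps work offline and why control over who holds the setup key is what matters for a shared account.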
Setting Up 2FA: Step-by-Step
For Google Workspace accounts:
- Admin Console → Users → Select user → Security → 2-Step Verification → Enrollment
- Or require 2FA enrollment for all users in your organization
- VA enrolls their authenticator app using the QR code
For Shopify staff accounts:
- Settings → Users and Permissions → Select staff member
- Require 2FA for all staff in Settings → Account → Two-step authentication
For most other platforms:
- Navigate to account Security or Privacy settings
- Enable Two-Factor Authentication
- Choose authenticator app (preferred) or SMS
- Scan QR code or enter setup key in authenticator app
- Save backup codes in a secure location (your password manager)
Managing Backup Codes
Every platform provides backup codes when you set up 2FA. These are one-time-use codes that bypass 2FA if the authenticator is unavailable.
Store backup codes in your password manager - not in email, not in a Google Doc, not on a sticky note. If your VA manages the account, store backup codes in your shared vault (not theirs).
Offboarding: Removing VA 2FA Access
When a VA engagement ends:
- If they have a named account: deactivate the account (2FA access disappears with it)
- If they're enrolled on a shared account: remove their device from Authy or your shared authenticator, then generate new backup codes
- If SMS 2FA is used on a shared number: change the 2FA phone number on all accounts
- Check for any accounts where you may have added their personal phone - update those immediately
Frequently Asked Questions
What if my VA is in a different country and SMS 2FA doesn't work reliably?
Switch to an authenticator app (Authy, Google Authenticator). These work without cellular service and don't have international SMS delivery issues.
My VA needs access to a personal social account - how do I handle 2FA?
Use a social media management tool (Buffer, Hootsuite) so the VA accesses accounts through the tool rather than logging into your personal accounts directly. This eliminates the 2FA sharing problem for social media.
Can I require my VA to have 2FA on their own accounts?
You can - and should - include this as a requirement in your data handling policy. A VA whose personal email is compromised could expose your business if they use that email for business communications.