Two-factor authentication, often shortened to 2FA, is a common form of multi-factor authentication, or MFA. It is one of the simplest ways to protect the systems your business relies on. For small and medium-sized businesses in Devon, it can make a real difference to email accounts, banking portals, domain names, website logins, Microsoft 365, cloud software and supplier systems.
The basic idea is straightforward: a password on its own should not be enough to get into an important account. 2FA adds a second check, usually a short code from an authenticator app or password manager, so that a stolen password is much less useful to an attacker.
MFA can take this further by using additional checks such as a hardware security key, device approval, biometric verification or a location and risk check. In everyday conversation, people often use 2FA and MFA to mean the same thing, but technically 2FA is one form of MFA.
At a minimum, businesses should be using 2FA on important accounts, but the details matter. If 2FA is set up on one person’s phone, or recovery codes are saved somewhere informal, the business can quickly run into problems when someone is away, leaves the company or changes device. This guide explains a practical way to set up 2FA using OTP codes and a team password manager.
What is an OTP code?
OTP stands for one-time password. In this context, it usually means a six-digit code that changes every 30 seconds. You may also see this called TOTP, which means time-based one-time password.
When you enable 2FA on a service, the website usually shows a QR code or setup key. An authenticator app or password manager scans that QR code and then generates the changing codes needed at login. Instead of scanning the QR code, many services also show a manual setup key that can be copied into the password manager. This is useful when the QR code is displayed on the same device you are using to set everything up.
This is different from receiving a code by email or text message. Email and SMS codes are still better than having no 2FA at all, but they are not usually the best choice for business-critical accounts.
Why avoid email and text message codes where possible?
Email-based codes can be awkward because the code often goes to the same mailbox you are trying to protect. If an attacker has access to the email account, the second factor may not add much protection.
Text message codes can also be unreliable. Phones get lost, numbers change, staff leave, signal can be poor and SIM-related attacks do happen. For a business, SMS also tends to tie access to one person rather than to a controlled company process.
Authenticator and OTP codes are usually more practical. They work without mobile signal, they can be stored securely, and they can be managed as part of a proper access process.
Built-in password tools are useful, but usually personal
Most people already have access to a basic password tool. On a Mac, Apple’s Passwords app can store passwords, passkeys and verification codes for the person signed into that Apple Account. On Windows, the closest default options are usually Microsoft Edge Password Manager, Windows passkeys and Credential Manager, depending on how the device is configured.
These tools can be very useful for individuals. The issue for a business is that they are normally tied to one person’s account, browser profile or device setup. That makes them less suitable for shared supplier accounts, admin portals and business logins that more than one trusted person may need to access.
If the OTP code for a key system lives only on one employee’s phone or in one person’s browser, the business has a single point of failure. That is exactly what good security planning should avoid.
Why use a team password manager?
A dedicated password manager for teams gives the business a central, controlled place to store login details, strong passwords, OTP codes and recovery information. Access can be shared with the right people, removed when someone leaves and kept up to date as systems change.
At Longstone IT, we use Keeper. Other team password managers can also work well, but the key point is that the tool should support business sharing, permissions, strong password generation, OTP storage, auditability and secure offboarding.
The password manager itself must be protected properly. That means strong access controls, MFA for password manager users, sensible permissions and a clear process for removing access when someone leaves. If you are going to keep passwords, OTPs and backup codes in one place, that place needs to be managed carefully.
This approach is especially useful for accounts where named individual logins are not available, or where a small management team needs access to the same supplier portal. Where a system supports separate user accounts, that is usually preferable, with each person using their own login and their own 2FA.
A simple process for setting up 2FA properly
When creating a new business login, it is worth setting it up properly from the start rather than tidying it later. A simple process might look like this:
- Create the password manager record first. Add the website address, username, account owner, notes and any relevant supplier details.
- Generate a strong unique password. Do not reuse an old password or create something memorable by hand. Let the password manager generate it.
- Enable 2FA straight away. Choose an authenticator app or OTP option rather than email or SMS if the service gives you the choice.
- Save the OTP setup in the password manager. Scan the QR code or paste the setup key into the shared record so approved users can generate the login code.
- Store backup codes securely. Most services give you recovery or backup codes. Save these in the password manager too, either in the same record or a linked secure note.
- Test access before you finish. Sign out, sign back in, check the password works, check the OTP works and confirm the right people can access it.
- Set permissions carefully. Only share the record with people who genuinely need access. Review this when staff roles change.
This takes a little longer than saving a password in a browser, but it saves a lot of pain later.
Do not forget backup codes
Backup codes are easy to overlook because they appear at the end of the setup process, when everyone is keen to move on. They matter.
If the OTP setup is lost, a device is replaced, a QR code is unavailable or a password manager record is accidentally changed, backup codes can be the difference between a quick recovery and a long support request with a supplier.
They should not be saved in a desktop folder, a shared spreadsheet or someone’s inbox. Store them securely in the same team password manager, with clear notes about which service they belong to and when they were created.
Keep individual accountability where possible
There is an important balance here. Shared password manager records are useful for business continuity, but they should not replace individual named accounts where those are available.
For example, Microsoft 365, Google Workspace, finance systems, CRM tools, website CMS platforms and support systems often allow each member of staff to have their own login. That is usually better because you can see who did what, remove access cleanly and apply the right permissions to each person.
Shared records are best kept for accounts that genuinely have to be shared: supplier portals, registrar accounts, emergency admin access or older systems that do not support proper user management.
Review your most important accounts first
You do not have to fix everything in one afternoon. Start with the accounts that could cause the biggest problem if they were lost or compromised.
- Email and Microsoft 365 or Google Workspace admin accounts
- Domain name and DNS provider accounts
- Website hosting, CMS and WordPress administrator accounts
- Banking, finance and payroll systems
- Cloud storage and backup systems
- Line-of-business software used by the whole team
For each one, check whether 2FA is enabled, who has access, where the OTP code is stored, and whether backup codes are available.
2FA is a strong starting point, not the whole answer
2FA is one of the best first steps a Devon business can take, because it makes stolen passwords much less useful. It is not, however, a guarantee that an account or device can never be compromised. Attackers can still use phishing, malicious links, stolen session cookies, unsafe devices, weak recovery processes or social engineering to get around good login controls.
That is where additional endpoint security such as Huntress fits in. Huntress is a managed endpoint detection and response service, often shortened to managed EDR, that monitors computers and servers for signs of compromise and gives a security team extra visibility when something suspicious happens.
In practical terms, 2FA helps protect the front door of an account, while Huntress helps watch what is happening on the devices people use every day. Used together with a password manager, secure backups, patching and sensible access controls, it gives small and medium-sized businesses a much stronger security baseline without expecting every member of staff to become a cyber security specialist.
How Longstone IT can help
Longstone IT helps Devon businesses make practical security improvements without making day-to-day work harder than it needs to be. Setting up 2FA, password managers, recovery processes and account access properly is a good example of that approach.
If you are not sure where your business stands, start with a small audit: list your key systems, check who can access them, confirm whether 2FA is enabled and make sure recovery information is stored somewhere secure.
If you would like help setting this up for your team, speak to Longstone IT. We can help you choose a sensible password manager, configure OTP access, review admin accounts and put a simple process in place for new starters, leavers and shared business logins.
