What Is Two-Factor Authentication and Why Should You Use It? | Plain Speak Online Services

Two-factor authentication — usually shortened to 2FA — adds a second step when you log into an account. Instead of just typing your password, you also enter a code sent to your phone, generated by an app, or confirmed through a notification. It means that even if someone steals your password, they still can’t get in without that second piece.

You’ve probably already used it. When your bank sends you a code via SMS to confirm a transaction, that’s 2FA.

Why does this matter for my business?

Because passwords get stolen. It’s not a matter of if — it’s when. Data breaches happen constantly, and most people reuse passwords across multiple accounts. If one gets compromised, every account using that same password is exposed.

For a business, the stakes are higher than losing access to a personal Netflix account. Your email, your CRM, your website dashboard, your Google Business Profile, your accounting software — these all contain customer information, financial data, or the ability to make changes that affect your business directly.

A single compromised account can mean:

  • Customer data exposed — names, emails, phone numbers, payment details
  • Someone locking you out of your own website or Google profile
  • Fraudulent emails sent from your business account
  • Financial transactions you didn’t authorise

The average cost of a cybercrime incident to an Australian small business is around $39,000. And research consistently shows that the majority of consumers would stop doing business with a company that’s been breached. The financial hit is bad enough — the trust hit can be worse.

It’s not just good practice — Australian law is heading this way

The Privacy and Other Legislation Amendment Act 2024 (POLA) strengthened the requirements for businesses handling personal data. It now explicitly requires businesses to implement “technical measures” — and names multi-factor authentication specifically — as part of taking reasonable steps to keep customer information secure.

Right now, most small businesses with turnover under $3 million are exempt from the Privacy Act. But the Australian Government has agreed in principle to remove that exemption. The direction is clear — all businesses that collect customer data will eventually be expected to meet these standards. Maximum penalties under the strengthened Act sit at up to $50 million.

Even if your business is currently exempt, several of the major data breaches that have made headlines in Australia had one thing in common: multi-factor authentication wasn’t enabled. It’s one of the simplest and most effective security measures available, and not having it is increasingly hard to justify.

How do I set it up?

The good news is it’s free on virtually every platform that matters, and it takes about five minutes per account.

Start with the accounts that matter most:

  • Your email (Gmail, Outlook, Microsoft 365)
  • Your website dashboard (WordPress, Squarespace, Wix, or your hosting provider)
  • Your Google account (which controls your Google Business Profile, Analytics, and Search Console)
  • Your CRM or business tools (GoHighLevel, HubSpot, Xero, MYOB)
  • Your social media accounts (Facebook Business, Instagram, LinkedIn)
  • Your domain registrar (wherever your domain is registered)

The setup process is almost always the same: go to the account’s security settings, find “two-factor authentication” or “two-step verification”, and follow the prompts. Most will give you the option of SMS codes (sent to your phone) or an authenticator app (like Google Authenticator or Microsoft Authenticator).

Authenticator apps are more secure than SMS. SMS codes can be intercepted through SIM-swapping attacks, where an attacker convinces your mobile carrier to move your number to their SIM. An authenticator app generates codes on your device from a secret shared once at setup (the QR code you scan) and the current time, so no code is ever sent over the phone network and there is nothing to intercept remotely. If you’re choosing between the two, go with the app. But either option is significantly better than no 2FA at all.

What about my team?

If anyone else has access to your business accounts — a staff member, a virtual assistant (VA), a contractor — they should have 2FA enabled on their accounts too. One weak link is all it takes. Most platforms let you enforce 2FA for all users from the admin settings.

The honest version

Two-factor authentication is boring. It’s an extra step every time you log in. Nobody gets excited about it. But it’s one of those things where five minutes of setup now can save you from a catastrophic headache later. It costs nothing, it’s built into every major platform, and it’s increasingly expected — both by Australian law and by the customers who trust you with their information.

If you’re not sure which accounts to prioritise or how to set it up, that’s something we can sort out in a quick chat — it’s straightforward and usually takes less than half an hour to get your key accounts secured.

For more plain-English explanations of the tech behind your business, check out the Plain Speak Tech Dictionary.

Danny Shone

Danny is the founder of Plain Speak Online Services, a web design and digital services business based in Scarborough, Western Australia. He builds websites and solves digital problems for small businesses across Australia.
