MFA, Firewalls & Additional Security Services
Discover how combining MFA with robust firewalls enhances your cybersecurity strategy to protect against unauthorized access.
VeritGuard Knowledge Base | Security Services
In This Article
- Multi-Factor Authentication (MFA): What It Is
- Where MFA Is Required
- Common MFA Methods
- Firewalls: What Verito Provides
- The Full VeritGuard Security Stack
- Frequently Asked Questions
Multi-Factor Authentication (MFA): What It Is
Multi-factor authentication (MFA) is a login method that requires two or more independent forms of proof before you can access an account. Instead of just typing a password and getting in, MFA adds a second step that a password thief cannot complete.
Here is how it works:
- Factor 1: Something you know -- your password
- Factor 2: Something you have -- your phone, a security key, or an authenticator app
The idea is simple: even if someone steals your password through a phishing email or a data breach, they still cannot get into your account because they do not have the second factor (your phone). Both pieces are needed together.
MFA is the single most effective way to prevent unauthorized access to your accounts. It stops over 99% of automated password attacks.
Where MFA Is Required
Short answer: MFA is required on any system that stores or can access client financial data or taxpayer information. This is not optional. IRS Publication 4557 and the FTC Safeguards Rule both mandate it for tax and accounting firms handling sensitive client data.
Beyond the legal requirement, MFA should also be enabled on email accounts (the number one target for phishing attacks), remote desktop or VPN access, and any cloud storage that holds client files.
Here is the breakdown by application type:
| Application Type | MFA Required? | Why |
|---|---|---|
| Email (M365 / Google Workspace) | Yes | Email is the #1 attack vector. Phishing, business email compromise, and credential theft all start here. Email often contains client data, tax documents, and sensitive attachments. |
| Tax and accounting software (QuickBooks, Drake, Lacerte, etc.) | Yes | Directly stores taxpayer data, Social Security numbers, and financial records. Required by IRS Publication 4557 and FTC Safeguards Rule. |
| Remote desktop / VPN access | Yes | This is the front door to your entire work environment. If someone gets in through remote access, they have access to everything on that machine. |
| Cloud storage (OneDrive, Google Drive, Dropbox) | Yes | If client files, tax returns, or financial documents are stored here, MFA is required. One compromised login could expose thousands of client records. |
| Internal tools (no client data) | Recommended | If a tool does not touch any client data, MFA is not legally required. However, we recommend it as a best practice since any compromised account can be used as a stepping stone to more sensitive systems. |
| Personal apps (social media, personal email) | Not required by Verito | Outside of Verito's management scope. That said, we strongly encourage enabling MFA on personal accounts too, especially if you reuse passwords (which you should not do). |
The rule of thumb: if the application touches client data, MFA is required. If it does not, MFA is still a good idea but not mandatory.
Common MFA Methods
Not all MFA methods are equal. Here are the most common options; the table at the end of this section compares their speed and security level.
Duo Push Notification (Recommended)
When you log into any account, a push notification is sent to the Duo app on your phone. You tap "Approve" and you are in. It takes about 3-5 seconds and does not require typing any codes. Duo can also be configured to check the device's location and health before the login is allowed, which adds an extra layer of protection. One caveat: because approval is a single tap, an attacker who already has your password may send repeated prompts hoping you approve one by mistake (sometimes called "push fatigue"). Never approve a prompt for a login you did not start, and report it to your administrator; Duo's Verified Push, which makes you type a number shown on the login screen, prevents accidental approvals.
Authenticator App Codes
Apps like Google Authenticator or Microsoft Authenticator generate a 6-digit code that changes every 30 seconds. You open the app, read the code, and type it in. Slightly slower than a push notification, but strong against stolen-password attacks, and it works even without internet on your phone because the code is computed from a secret stored on the device and the current time. Note that a typed code can still be captured by a fake login page that relays it to the real site within the 30-second window, so treat a login page you did not navigate to yourself with suspicion.
SMS Text Codes
A code is sent to your phone via text message. This is better than no MFA at all, but it is the least secure option. Text messages can be intercepted through SIM swapping attacks, the code can be phished like any typed code, and delivery can be delayed if you have poor cell service. Use this only if the other options are not available.
Hardware Security Keys
Physical USB or NFC keys (like YubiKey) that you plug into your computer or tap against your phone. This is the highest level of security available. Hardware keys are resistant to phishing because the key binds each credential to the real website's domain and will not respond to a look-alike site, so a stolen password plus a fake login page still fails. They are most common in high-security environments, but any firm can use them.
| Method | Speed | Security Level |
|---|---|---|
| Duo Push | ~3-5 seconds | High |
| Authenticator app | ~10 seconds | High |
| SMS codes | ~15-30 seconds | Moderate |
| Hardware key (YubiKey) | ~2 seconds | Highest |
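To make the authenticator-app method concrete, here is an added example, not code from Verito, Duo, or any authenticator vendor, implementing the RFC 6238 TOTP algorithm that Google Authenticator and Microsoft Authenticator use for 6-digit, 30-second codes, with nothing beyond Python's standard library. It shows why the app needs no network connection (the code is a function of a shared secret and the clock) and how a server should verify a submitted code. The secret and timestamps are the RFC's published test values, not real credentials; the base32 string is the form an enrollment QR code carries.

```python
"""TOTP (RFC 6238) generation and verification using only Python's standard library.

Added example: the shared secret and timestamps below are the RFC 6238 test values,
not real credentials.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, 8-byte big-endian counter), then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter = number of `step`-second intervals elapsed.
    This is all the phone does; no network access is involved."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current interval plus `window` intervals on either
    side to absorb clock drift between phone and server. Uses a constant-time comparison
    so an attacker cannot learn digits from response timing."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, c, digits).encode(), submitted.encode())
        for c in range(counter - window, counter + window + 1)
    )


def secret_from_base32(encoded: str) -> bytes:
    """Enrollment QR codes carry the secret as base32 (otpauth://totp/...?secret=...).
    Apps often omit '=' padding, so it is restored before decoding."""
    clean = encoded.replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


# RFC 6238 test secret, the ASCII string "12345678901234567890", encoded as base32.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    secret = secret_from_base32(RFC_SECRET_B32)
    now = int(time.time())
    code = totp(secret, now)
    print(f"current code: {code} (valid for {30 - now % 30} more seconds)")
    print("server accepts it:", verify_totp(secret, code, now))
    # A code from two intervals ago falls outside the +/-1 window and is rejected.
    print("stale code accepted:", verify_totp(secret, totp(secret, now - 60), now))
```

Two points worth noticing: the drift window means a code stays valid for up to about 90 seconds, so a real server must also remember the last counter it accepted for each user and refuse to accept that counter twice, otherwise a code captured in that window can be replayed. And nothing here checks where the code was typed, which is exactly why a relayed code from a phishing page works against TOTP but not against a hardware key.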
Firewalls: What Verito Provides
Firewalls are one of the most common questions we get, and the answer depends on how your firm operates. Not every firm needs the same setup.
What Is Already Included
Every VeritGuard plan includes cloud-based network security and endpoint-level protection. This means traffic to and from your devices is monitored, suspicious connections are blocked, and threats are detected at the device level through our EDR (endpoint detection and response) tools. For many firms, especially those where staff work primarily from laptops or home offices, this covers the key security gaps without needing additional hardware.
Firms with Remote / Laptop-Based Teams
If your team works mostly from laptops, home offices, or coffee shops, a traditional hardware firewall does not make practical sense. The devices are never on a single office network long enough for a hardware firewall to protect them. Instead, NordLayer VPN combined with endpoint security and EDR provides the protection you need. Your traffic is encrypted in transit, threats are caught at the device level, and you do not need to install or maintain any physical equipment.
Firms with a Physical Office Network
If your firm has its own office with an internal network, in-office servers, shared printers, or scanners, a dedicated hardware firewall is recommended. Devices like Fortinet or SonicWall appliances sit between your office network and the internet, inspecting all traffic and blocking threats before they reach any device on your network. This is especially important when multiple devices share the same network and when you have infrastructure like servers or network-attached storage on-site.
Verito does not procure or configure the firewall hardware itself, but can manage the firewall remotely once it is in place. If you are not sure whether your firm needs one, contact your account manager and we will assess your setup.
| Firm Type | Hardware Firewall Needed? | What Covers You Instead |
|---|---|---|
| Fully remote, laptop-based team | No | NordLayer VPN + endpoint security + EDR |
| Hybrid (some office, some remote) | Recommended for the office | Firewall at the office + VPN/endpoint for remote staff |
| Physical office with servers/printers | Yes | Fortinet or SonicWall appliance (Verito manages) |
The Full VeritGuard Security Stack
MFA and firewalls are just two pieces of a larger security picture. Here is the complete VeritGuard stack and which plan each tool is available in:
| Security Tool | What It Does | Essentials | Pro | Elite |
|---|---|---|---|---|
| RMM (Remote Monitoring) | Monitors device health, pushes updates, enables remote support | ✓ | ✓ | ✓ |
| EDR (Endpoint Detection) | Detects and responds to threats on each device in real time | ✓ | ✓ | ✓ |
| Backup | Continuous file backup to the cloud; restores available on demand | ✓ | ✓ | ✓ |
| Email Protection | Anti-phishing filters, suspicious email flagging, link scanning | -- | ✓ | ✓ |
| Password Manager | Secure vault for all passwords; generates strong unique passwords | -- | ✓ | ✓ |
| VPN (NordLayer) | Encrypts internet traffic; secures connections on any network | ✓ | ✓ | ✓ |
| Dark Web Monitoring | Scans for your firm's credentials on dark web marketplaces | -- | -- | ✓ |
| Cybersecurity Training | Phishing simulations and security awareness training for staff | -- | ✓ | ✓ |
| Compliance (WISP) | Written Information Security Plan and ongoing support | -- | ✓ | ✓ |
| 24/7 SOC Monitoring | Continuous surveillance to identify potential threats and reduce false positives | -- | -- | ✓ |
Frequently Asked Questions
Q: Is MFA really necessary if I have a strong password?
Yes. A strong password helps, but it is not enough on its own. Passwords get stolen through phishing emails, data breaches at other companies, and social engineering. If your password ends up in a breach database (and millions do every year), attackers can try it instantly. MFA means that even a stolen password is useless without your phone or security key.
Q: Will MFA slow me down?
It adds about 3-5 seconds to each login. With Duo Push, you just tap "Approve" on your phone. That is a very small price for protecting your clients' financial data, and it is required by IRS and FTC regulations for tax firms.
Q: Can I use my personal phone for MFA?
Yes. The Duo app works on personal phones (both iPhone and Android). It does not access your personal data, photos, messages, or anything else on your device. It only generates or receives authentication prompts.
Q: How much does a firewall cost?
It depends on the hardware model and your firm's size. A small office firewall appliance typically ranges from a few hundred to a couple thousand dollars, plus an annual license fee for security updates.
Q: Do I need MFA for my personal email too?
Verito does not require it, but we strongly recommend it. Personal email accounts are often used for password resets on other services. If someone compromises your personal email, they could use it to reset passwords on your work accounts. Enabling MFA on your personal email is one of the easiest things you can do to protect yourself.