- Ledger Lowdown
New phones are creating MFA lockouts
CPA firms need a device-change process before a routine phone upgrade turns into a client-data and deadline problem.
A staff accountant gets a new phone.
That sounds harmless until Monday morning.
The authenticator app is empty. The document system will not open. A client deadline is sitting at noon. And now the firm has a security problem disguised as an IT ticket.
CPA Practice Advisor published a useful warning today on multi-factor authentication during device changes. The point is simple. MFA protects client data, but it can also lock firms out when staff switch phones without a process.
Key takeaways
MFA is a core control for accounting firms under the FTC Safeguards Rule.
Authenticator apps are tied to specific devices, so phone upgrades can break access.
Workarounds like credential sharing or unprotected devices create real compliance risk.
Firms need backup methods, recovery codes, and old-device handoff steps before the phone changes.
This is not a software problem first. It is a workflow ownership problem.
The annoying part is the risky part
Most partners understand why MFA matters.
They also know what happens when the system blocks someone at the worst possible time. People get creative. They share credentials. They ask an admin to bypass a step. They use a personal device because the client work has to move.
That is where a small access issue becomes a bigger firm-risk issue.
Accounting firms are sitting on tax returns, payroll records, bank data, financial statements, and client portal access. A sloppy MFA reset process is not just inconvenient. It weakens the same control the firm put in place to protect that data.
What firms should fix now
The best fix is boring. That is usually a good sign.
Inventory every system that uses MFA. Include Microsoft 365, tax software, document management, payroll tools, cloud storage, client portals, and banking-related systems.
Make sure each staff account has more than one recovery path. That can include a secondary phone number, hardware key, admin reset workflow, or stored recovery codes in the firm password manager.
Turn on encrypted cloud backup for authenticator apps where it is supported. Do it before the device switch, not after the old phone is wiped.
Then write the sequence down.
New phone gets set up first. MFA gets restored and tested on the new device. Every critical system gets checked. Only then does the old phone get wiped or traded in.
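As an added illustration (not code from the original post or from CPA Practice Advisor), here is a small readiness check that encodes the sequence above: the old phone may only be wiped once every critical system has been tested on the new device and has a recovery path that survives the wipe. The inventory, the system names and the recovery-path labels are constructed assumptions for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Recovery paths that keep working after the old phone is wiped.
# Constructed taxonomy for this example; map it to the firm's own tooling.
DEVICE_INDEPENDENT = {"hardware_key", "recovery_codes", "admin_reset", "secondary_phone"}

@dataclass
class MfaSystem:
    name: str
    critical: bool                   # does a lockout here stop client work?
    recovery_paths: set              # e.g. {"authenticator", "recovery_codes"}
    verified_on_new_device: bool     # MFA restored AND tested on the new phone
    cloud_backup_enabled: bool       # encrypted backup turned on before the switch

def surviving_paths(system: MfaSystem) -> set:
    """Recovery paths that still work once the old phone is gone."""
    paths = system.recovery_paths & DEVICE_INDEPENDENT
    if "authenticator" in system.recovery_paths and system.cloud_backup_enabled:
        paths.add("authenticator (restored from encrypted backup)")
    return paths

def blockers(system: MfaSystem) -> list:
    """Reasons this one system is not ready for the old phone to be wiped."""
    issues = []
    if not surviving_paths(system):
        issues.append("no recovery path survives wiping the old phone")
    if len(system.recovery_paths) < 2:
        issues.append("only one recovery path; add a second before the switch")
    if not system.verified_on_new_device:
        issues.append("MFA not yet tested on the new device")
    return issues

def wipe_decision(inventory: list) -> tuple:
    """(may_wipe_old_phone, {system: blockers}). Only critical systems gate the wipe;
    gaps on non-critical systems are reported but do not block."""
    report = {s.name: blockers(s) for s in inventory}
    blocking = [s.name for s in inventory if s.critical and report[s.name]]
    return (not blocking), report

def sample_inventory() -> list:
    """Constructed example inventory for one staff member mid-upgrade."""
    return [
        MfaSystem("Microsoft 365", True, {"authenticator", "recovery_codes"}, True, True),
        MfaSystem("Tax software", True, {"authenticator"}, False, False),
        MfaSystem("Document management", True, {"authenticator", "admin_reset"}, True, False),
        MfaSystem("Cloud storage", False, {"authenticator"}, True, False),
    ]

if __name__ == "__main__":
    ok, report = wipe_decision(sample_inventory())
    print("safe to wipe old phone:", ok)
    for name, issues in report.items():
        print(f"  {name}: {issues or 'ready'}")
```

Run against the constructed inventory, the check refuses the wipe because the tax software account depends entirely on the authenticator on the old phone; once that account is fixed, the remaining gap on the non-critical cloud storage account is reported but no longer blocks.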
The CPA angle
This is exactly the kind of operational detail that does not feel urgent until it breaks.
But firms already know the pattern. A control gets added. The control creates friction. The friction creates a workaround. And the workaround becomes the real risk.
MFA is still worth it. The problem is unmanaged MFA.
For firm owners, the question is not whether staff should use authentication apps. They should. The question is whether the firm can survive a normal phone upgrade without inventing a bad workaround under deadline pressure.
What CPAs should do next
Ask IT for the current MFA device-change checklist.
Confirm every critical app has a backup authentication method.
Store recovery codes in the firm password manager.
Tell staff not to wipe old phones until access is tested on the new device.
Add MFA reset ownership to onboarding, offboarding, and device replacement procedures.
Source: CPA Practice Advisor, June 22, 2026.