Lock It Down, Write It Down (Intuit Security for Firms)

Editor’s Note: This article is part 4 of a 4-part series. To view all of Dan DeLong's Intuit series, click here: Dan DeLong Intuit Series

Security is not a vibe, it is a process. If you have ever said, “We should really clean up access in that file,” congratulations. You have discovered the difference between wanting security and having security.

In Part 3, we talked about roles, admins, and the Primary Admin plot twist. Now we are going to do the less glamorous part: how to keep Intuit access safe, recoverable, and boring.

Boring is the goal. If your access system is exciting, it is usually exciting in the same way a kitchen fire is exciting.

The three rules of Intuit access security

1. Every person gets their own login. No shared email, no shared password, no “we all use the owner’s account.”
2. The Primary Admin is a real person who can be reached. Not a former employee, not a retired partner, not someone who “doesn’t do computers.”
3. You can recover access without panic. If the Primary Admin disappears, you have a documented path forward.

Everything else is details, important details, but still details.

MFA, passkeys, and other ways to stop future-you from suffering

Turn on Two-Step authentication (2FA)

First, let’s explain that there is a difference between the codes you get when you sign in. Multi-Factor Authentication and Two-Step verification. Both send you a 6-digit code when you log in, so on the surface it sounds like the same thing, but in reality, one is an optional setting, and the other is mandatory. Intuit explains the difference in more detail here.

If 2FA is optional for a user, treat that like a “suggested speed limit.” You can ignore it, but the consequences will be educational.

• Require 2FA for anyone with admin-level access.
• Prefer authenticator apps over SMS when possible.
• If you support clients, make 2FA part of your onboarding checklist.

Use passkeys when available 

Passkeys reduce the risk of password reuse and phishing because they are designed to be harder to steal and harder to type into the wrong place.

If passkeys are available in the relevant Intuit experience for your users, they are worth adopting, especially for:

• Primary Admin users
• Firm owners and partners
• Anyone who can change billing, user access, or security settings

Use a password manager, even if you hate them

A password manager is not just a vault. It is a way to:

• Generate strong, unique passwords
• Share credentials safely when you truly must (rare)
• Keep an audit trail of who had access to what

If your current system is “a Word doc called Passwords-FINAL-FINAL,” you already know how this ends.

A practical Security SOP for firms

This SOP is written for accounting professionals who manage multiple client files. Adjust it to match your services, your risk tolerance, and your client’s internal controls. We have a step by step guide on our blog for more detailed steps.

Step 1: Intake and identity check (new client or new engagement)

For every new client, capture the following:

• Legal business name and main contact
• Who is the Primary Admin today?
• Who should be the Primary Admin going forward?
• A list of all current users, including staff, former staff, and third-party apps
• Where the client stores their “source of truth” for access documentation (your CRM, your client folder, etc.)

If the client does not know who the Primary Admin is, that becomes Priority One.

Step 2: Establish the minimum viable admin structure

Your goal is to avoid single points of failure.

• Confirm the Primary Admin is reachable.
• Confirm at least one additional admin-capable user exists.
• Confirm the owner has their own login.

If the client insists on one login for everyone, document the risk in writing. You do not have to win the argument, but you should not lose the paper trail.

Step 3: Clean up users and invitations

Do a sweep for:

• Users who no longer work with the company
• Duplicate users created from email changes
• Invitations that were never accepted
• Access granted to vendors that is no longer needed

Then:

• Remove users who should not be there.
• Re-invite users who should be there, using their correct email and their own login.

This is the part where you discover the “mystery admin.” There is always a mystery admin.

Step 4: Role assignment (least access needed)

Assign roles based on responsibilities, not on who yells the loudest.

• Admin access should be limited.
• Payroll access should be payroll-specific.
• Day-to-day bookkeeping access should not automatically include user management.

If you are not sure what someone needs, start smaller. It is easier to grant access than to un-ring the bell.

Step 5: Secure the Primary Admin account

For the Primary Admin user:

• Enable MFA.
• Enable passkeys if available.
• Store recovery options in a controlled way.
• Make sure the email and phone on file are current.

If the Primary Admin is the business owner, this is also the moment to confirm they can actually log in without calling you.

Step 6: Document the access map

For each client, maintain an “Access Map” that includes:

• Primary Admin name and contact
• Secondary admin-capable user(s)
• List of firm users and their roles
• List of client users and their roles
• List of connected apps and who approved them
• Date last reviewed

This is the document you will thank yourself for later.

Step 7: Quarterly access review

Put it on a schedule. Quarterly is a good default.

• Confirm Primary Admin is still correct.
• Confirm admin users are still active.
• Remove anyone who should not be there.
• Review connected apps.

If your firm supports dozens of clients, this is also how you spot patterns and prevent repeat problems.

Troubleshooting: when security and access collide

Sometimes security measures create friction. That does not mean they are wrong. It means they are working.

When a user cannot log in:

• Confirm they are using the correct Intuit login (not a shared email, not a different personal account).
• Confirm the invitation was accepted.
• Confirm MFA is set up on the correct device.
• Confirm you are in the right portal for the task (product vs account management).

If you are troubleshooting in circles, step back and confirm the basics. Most “mystery issues” are “wrong login + wrong portal” wearing a trench coat.

A quick note for Scaling New Heights attendees

If you are heading to Scaling New Heights, Carrie Kahn and I are co-facilitating a breakout session where we will walk through these access and security workflows, and we will have a checklist you can use with your clients.

Wrap-up

The goal of this series was not to make Intuit access feel fun. The goal was to make it feel manageable.

• Part 1: clarified what an Intuit login is, and why the email vs login confusion keeps happening.
• Part 2: mapped what a single login unlocks across the Intuit ecosystem.
• Part 3: explained roles, admins, and the Primary Admin plot twist.
• Part 4: gave you a security SOP so your access system stops being a recurring emergency.

If you implement even half of this, you will spend less time chasing logins and more time doing the work clients actually pay for.