Two-Factor Authentication Is Protecting Your Practice From Your Own Administrator

You enabled two-factor authentication on your practice management system, your email, your online banking, and your cloud storage. Good — you should have. But if your client contingency plan doesn't address how your administrator bypasses 2FA when you're incapacitated, those same security measures will lock out the one person who needs to get in.

This is one of the most overlooked gaps in otherwise well-prepared client contingency plans under By-Law 7.1.

What the By-Law Requires

Section 19.2(3)(2) requires your plan to document the location of and the means of obtaining possession or control of all property held in connection with your professional business. That includes electronically stored information — client files in the cloud, emails, documents in a practice management system, and accounting records in software platforms.

The key phrase is "means of obtaining." Listing a username and password is not enough if the system also requires a second factor to log in. If your administrator can't get past the 2FA prompt, the plan fails at the point of execution — regardless of how thoroughly everything else is documented.

Why This Is a Bigger Problem Than Most Lawyers Realise

Two-factor authentication is now standard on most platforms lawyers use: Clio, PCLaw, CosmoLex, Microsoft 365, Google Workspace, online banking portals, and cloud storage services. Many of these systems default to SMS-based 2FA — a one-time code sent by text message to the licensee's personal mobile phone.

That's the highest-risk configuration for a client contingency plan. If you're incapacitated, your administrator cannot receive the code. Your phone may be locked, lost, with a family member, or at a hospital. The administrator has the password but cannot get past the second factor. The system does exactly what it was designed to do: deny access to anyone who isn't you. An authenticator app on the same personal phone fails the same way; the code is generated on the device instead of texted to it, but the device is still the one thing the administrator doesn't have. (SMS codes are also the second factor most easily intercepted by an attacker, through SIM-swap fraud, so moving off SMS improves day-to-day security as well as contingency.)

This isn't a hypothetical edge case. It's the default setup for most sole practitioners and small firms in Ontario.

What Your Plan Needs to Address

Every system that requires a login should be documented in your client contingency plan: system name, username, where the password is stored, whether 2FA is enabled, what type of 2FA is in use and which device or phone number it is bound to, and how the administrator gets past it. For each system with 2FA, the plan must document at least one functioning bypass mechanism. "Bypass" here means an authorised second way to satisfy the second factor, one the platform provides or that you set up in advance, not switching 2FA off; the protection stays on, and the plan simply gives the administrator a path through it.

Here are the most common options.

Recovery codes. Most 2FA-enabled platforms generate a set of one-time recovery codes at setup; each code works once in place of the second factor. Print them, store them securely (a sealed envelope in a fireproof safe or a locked filing cabinet, never in the same system they protect, and never in the email account they may be needed to open), and note the storage location in the plan. Treat them as you would the password: anyone holding the codes holds the second factor. Check periodically, at least annually and whenever you change phones or re-enrol 2FA, that the stored set is still the current one; generating a new set invalidates the old one, and a used code is gone for good.

Password manager emergency access. Bitwarden and LastPass offer an emergency access feature: a designated person requests access to the vault and receives it after a configurable waiting period unless you decline in the meantime. 1Password's equivalent is the Emergency Kit, a printed document with the sign-in address, email address and Secret Key, plus account recovery by another organiser on family and business plans. If you use a password manager, enable whichever of these it provides, designate your administrator, set any waiting period shorter than the time the practice can afford to wait, and document the process in the plan. Several password managers (1Password, and Bitwarden on paid plans) can also hold the authenticator secrets for other accounts and generate their codes, so a vault the administrator can open may satisfy the second factor for those systems as well. That makes the vault the one login in the plan that must work without fail.

Second enrolled factor. Most platforms allow more than one 2FA method on the same account. Enrol a second method the administrator can reach without your phone: a hardware security key kept in the safe, or an authenticator app on a firm-owned device. When an authenticator app is enrolled, the setup screen shows a secret key (usually as a QR code with a text alternative); a printed copy of that secret, sealed with the recovery codes, lets the administrator set up a fresh authenticator later. This keeps your own account and its audit trail intact and is the cleanest option for a sole practitioner.

Shared firm credentials. Where a platform supports it, practice management and accounting systems can instead use a firm-level administrative account with 2FA tied to a firm-owned device, not to an individual's personal phone. This is more practical for firms than for sole practitioners, and it has a cost: actions taken under a shared account cannot be attributed to one person, so the credentials should be held sealed and used only by the administrator during the wind-up. A shared email inbox is a weak choice for the second factor, because email is itself one of the systems the administrator has to get into first.

Vendor administrator access. Some cloud platforms offer a formal process for granting access to an authorised successor or administrator. Check the vendor's policy for each system you use and document the process. If the vendor requires a death certificate, court order, or other documentation, note that in the plan so the administrator knows what to prepare.
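The options above all come down to keeping a second way of satisfying the factor. For authenticator-app 2FA that second way can be the enrollment secret itself: the six-digit code is computed from that secret and the clock and nothing else, so an administrator holding a printed copy of the secret can produce the current code on any machine. The script below is an added example, not code from the original post or from any vendor; it implements RFC 6238 TOTP with the Python standard library only and checks itself against the RFC's published test key, which is used here as constructed input rather than a real account's secret. Step length (30 seconds), digit count (6) and hash (SHA-1) are the defaults most platforms use and are parameters here.

```python
"""Generate TOTP codes (RFC 6238) from a stored authenticator enrollment secret.

Added example, not from the original post. Assumes the licensee recorded the
base32 secret shown at authenticator-app setup and stored it in the sealed
envelope with the recovery codes. Standard library only.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import List, Optional


def hotp(secret_b32: str, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    # Printed secrets are often lowercase or grouped with spaces/dashes; normalise and re-pad.
    key = secret_b32.replace(" ", "").replace("-", "").upper()
    key += "=" * (-len(key) % 8)
    mac = hmac.new(base64.b32decode(key), struct.pack(">Q", counter),
                   getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[float] = None, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time() if at is None else at)
    return hotp(secret_b32, t // step, digits, algo)


def totp_window(secret_b32: str, at: Optional[float] = None,
                step: int = 30, skew: int = 1) -> List[str]:
    """Codes for the previous, current and next period. Most verifiers accept
    one step of clock drift either way, which covers a laptop with a stale clock."""
    t = int(time.time() if at is None else at)
    return [hotp(secret_b32, t // step + i) for i in range(-skew, skew + 1)]


# RFC 6238 test key: ASCII "12345678901234567890" as base32 (constructed input).
RFC6238_SEED = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print("RFC 6238 vector, T=59 ->", totp(RFC6238_SEED, at=59))           # 287082
    print("8-digit variant       ->", totp(RFC6238_SEED, at=59, digits=8))  # 94287082
    print("Codes accepted now    ->", totp_window(RFC6238_SEED))
```

Treat the printed secret exactly like the password: it is the whole second factor, and anyone who reads it can generate codes indefinitely. Record the step and digit count alongside it if the platform uses non-default values (a few use 8 digits or SHA-256); otherwise the defaults above apply.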

The Systems Most Likely to Be Missed

Lawyers tend to document the obvious platforms — practice management, accounting, banking — but miss the supporting systems that are just as important:

Email. Your administrator will need access to your email to notify clients, locate correspondence, and identify active matters. It also receives the password-reset and verification messages for most of your other systems, so email is usually the key to everything else. If your email is protected by 2FA tied to your phone, this is the first and most critical bottleneck.

Law Society portal (LSO Connects). The administrator must notify the LSO that you've ceased practising. Access to your LSO portal may be needed.

Cloud storage. Client files stored in Dropbox, Google Drive, OneDrive, or similar platforms may be inaccessible without 2FA bypass.

Teraview or other e-registration systems. Teraview credentials cannot be shared with another user. For real estate practitioners, the plan should identify any pending transactions and document how the administrator can locate them, so they can be transferred to another licensee with their own Teraview access.

Firm website and domain registrar. If the firm's website or email hosting needs to be maintained or redirected during the wind-up, access to the hosting provider and domain registrar may be required.

A Plan That Lists Credentials Without a Bypass Mechanism Is Not Operationally Functional

This point deserves emphasis. A client contingency plan can list every username and password for every system in the practice and still be useless if the administrator can't get past 2FA. The plan may satisfy the literal requirements of By-Law 7.1 on paper, but it will not work when it's needed.

The test is simple: if your administrator sat down tomorrow with your plan and tried to access every system listed, could they actually get in? If the answer is no for even one critical system, the plan has a gap that needs to be closed. Don't answer from memory. Have the administrator rehearse it, with you present, at least once a year and after any change of phone, password manager or 2FA setup, and record the date of each rehearsal in the plan.
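That test can be run on paper before it is run for real. The script below is an added example, not part of the original post: it walks a small system inventory and reports every login the administrator could not complete. The field names, the 12-month re-verification window and the five sample systems are constructed for illustration. It follows where each password is kept, so a password held only in the password manager counts as reachable only if the manager itself is, and a password kept inside the account it protects is flagged.

```python
"""Access-gap check for the system inventory in a client contingency plan.

Added example, not from the original post. The inventory fields and the
12-month verification window are assumptions for illustration; the entries
are constructed sample data, not a real firm's systems.
"""
from datetime import date, timedelta
from typing import Dict, List, Optional, Union

# One entry per login. "password_location" is either a physical place the
# administrator can reach or the name of another system in this inventory
# (the password manager, for instance), so dependencies can be followed.
INVENTORY: List[Dict] = [
    {"system": "Password manager (Bitwarden)",
     "password_location": "sealed envelope, office safe",
     "mfa": "security_key", "mfa_bound_to": "hardware key in office safe",
     "recovery": [{"type": "emergency_access",
                   "note": "administrator designated, 7-day wait",
                   "verified": "2025-03-20"}]},
    {"system": "Practice management",
     "password_location": "Password manager (Bitwarden)",
     "mfa": "totp", "mfa_bound_to": "personal phone",
     "recovery": [{"type": "recovery_codes",
                   "note": "sealed envelope, office safe",
                   "verified": "2024-11-02"}]},
    {"system": "Email (Microsoft 365)",
     "password_location": "Password manager (Bitwarden)",
     "mfa": "sms", "mfa_bound_to": "personal phone",
     "recovery": []},                                # the bottleneck the post describes
    {"system": "Online banking",
     "password_location": "Password manager (Bitwarden)",
     "mfa": "sms", "mfa_bound_to": "personal phone",
     "recovery": [{"type": "vendor_process",
                   "note": "branch visit with court order, see Appendix C",
                   "verified": "2022-01-15"}]},     # documented once, never re-checked
    {"system": "Cloud storage",
     "password_location": "Cloud storage",          # kept in a note inside the account itself
     "mfa": "none", "mfa_bound_to": "",
     "recovery": []},
]

MAX_AGE = timedelta(days=365)   # assumed re-verification interval


def recovery_current(system: Dict, today: date) -> bool:
    """At least one documented recovery path was verified within MAX_AGE."""
    return any(date.fromisoformat(r["verified"]) >= today - MAX_AGE
               for r in system["recovery"])


def audit(inventory: List[Dict],
          today: Union[date, str, None] = None) -> Dict[str, List[str]]:
    """Return {system: [reasons]} for every system the administrator could not open.

    A system is openable only if its password is somewhere reachable (a physical
    location, or another inventory system that is itself openable) and its second
    factor, if any, has a current recovery path.
    """
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    by_name = {s["system"]: s for s in inventory}
    verdict: Dict[str, List[str]] = {}

    def openable(name: str, chain: tuple) -> bool:
        if name in verdict:
            return not verdict[name]
        if name in chain:          # password stored in the system it protects, or a loop
            return False
        s = by_name[name]
        reasons: List[str] = []
        loc = s["password_location"]
        if loc in by_name and not openable(loc, chain + (name,)):
            reasons.append(f"password is held in '{loc}', which is itself not openable")
        if s["mfa"] != "none":
            if not s["recovery"]:
                reasons.append(f"{s['mfa']} 2FA bound to {s['mfa_bound_to']}, "
                               "no recovery mechanism documented")
            elif not recovery_current(s, today):
                reasons.append("recovery mechanism not verified within 12 months")
        verdict[name] = reasons
        return not reasons

    for s in inventory:
        openable(s["system"], ())
    return {name: why for name, why in verdict.items() if why}


if __name__ == "__main__":
    gaps = audit(INVENTORY, "2025-06-01")
    for name, why in gaps.items():
        print(f"{name}: {'; '.join(why)}")
    print(f"{len(gaps)} of {len(INVENTORY)} systems blocked")
```

On the sample data three of the five systems are blocked: email (SMS with nothing behind it), banking (a vendor process nobody has confirmed in three years) and cloud storage (password kept inside the account). Change the password manager's recovery date to something older than a year and every system whose password lives in the vault is reported blocked as well, which is the single point of failure the plan has to protect.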

Need Help Getting This Right?

Preserver prepares By-Law 7.1 compliant client contingency plans for Ontario law firms, including a full technology access audit covering every system, 2FA configuration, and bypass mechanism. We document what your administrator actually needs to get in — not just what the system is called.

Learn more about our client contingency plan services →

Shona Bertrand, Preserver

This post is for informational purposes only and does not constitute legal advice. Licensees are responsible for ensuring their plan meets all applicable requirements of By-Law 7.1.
