TL;DR
Two-factor authentication (2FA) adds a second login step that blocks unauthorized access even when a password is compromised, protecting every contract, invoice, and client file inside a workspace.
Plutio includes TOTP-based two-factor authentication on all plans, with no add-ons and no extra cost. Each user enables 2FA from Settings under Account, scans a QR code with an authenticator app, and every subsequent login requires a 6-digit code that refreshes every 30 seconds. The practical shift: even if a password leaks in a data breach or gets reused across services, the attacker still needs physical access to the authenticator device to get in.
Two-factor authentication comes with every Plutio plan: Core ($19/month), Pro ($49/month), and Max ($199/month), including the 7-day free trial. Setup takes under 2 minutes per user.
What two-factor authentication is
Two-factor authentication is a login security method that requires two separate pieces of evidence before granting access: something the user knows (a password) and something the user has (a code from an authenticator app on their phone).
In Plutio, 2FA uses the TOTP (time-based one-time password) standard. When a user enables 2FA, Plutio generates a secret key and encodes it into a QR code. The user scans the QR code with an authenticator app like Google Authenticator, Authy, or 1Password. From that point forward, every login attempt requires the password plus a 6-digit code that the authenticator app generates fresh every 30 seconds.
TOTP authenticator codes
TOTP codes are generated locally on the user's device using a shared secret and the current time. The code changes every 30 seconds, and Plutio validates it with a small time window to account for clock drift. No SMS messages are sent, so the process works without cellular service and avoids the SIM-swapping vulnerabilities that plague text-based verification. The authenticator app runs independently from Plutio, so codes work even when the phone is offline.
Backup codes for account recovery
Plutio generates a set of 10 backup codes that can be used to log in when the authenticator app is unavailable, such as when a phone is lost, stolen, or factory-reset. Each backup code is single-use. After generating a new set of backup codes, the previous set becomes inactive automatically. Backup codes are generated from the Account section in Settings and should be stored somewhere separate from the device running the authenticator app.
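As an added illustration (not Plutio's code), a hypothetical server-side store that models the backup-code rules described above: a set of 10 codes, each redeemable once, with the previous set discarded whenever a new set is generated. It stores only salted, slow-hashed values so a leaked store does not reveal the codes; the class name, code format and iteration count are assumptions.

```python
import hashlib
import hmac
import secrets

BACKUP_CODE_COUNT = 10   # the page describes a set of 10 single-use codes


class BackupCodeStore:
    """Hypothetical store for one account's backup codes.
    Only salted hashes are kept; each code redeems once; generating a
    new set discards the previous set entirely."""

    def __init__(self) -> None:
        self._salt = b""
        self._hashes: set[bytes] = set()

    def _digest(self, code: str) -> bytes:
        # Slow, salted hash so a leaked store cannot be brute-forced cheaply
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt, 50_000)

    def generate(self) -> list[str]:
        """Create a fresh set of codes, invalidating any earlier set."""
        codes: list[str] = []
        while len(codes) < BACKUP_CODE_COUNT:
            code = secrets.token_hex(5)        # 10 hex chars, 40 bits of entropy (assumed format)
            if code not in codes:
                codes.append(code)
        self._salt = secrets.token_bytes(16)   # fresh salt per set
        self._hashes = {self._digest(c) for c in codes}
        return codes                           # shown to the user once, never stored in clear

    def redeem(self, code: str) -> bool:
        """Consume a code: True the first time, False afterwards or for unknown codes."""
        candidate = self._digest(code)
        for stored in list(self._hashes):
            if hmac.compare_digest(stored, candidate):
                self._hashes.discard(stored)   # single use
                return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)
```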
I switched phones last month and forgot to transfer my authenticator. The backup codes got me back in within 30 seconds, no support ticket needed.
The core mechanic: TOTP codes are mathematically derived from a shared secret and the current timestamp, so they never travel over the network and cannot be intercepted in transit.
Why two-factor authentication matters for freelancers
Freelancers and small teams store client contracts, project files, invoices, and payment details inside a single workspace. A compromised login exposes every client relationship at once, not just one project.
Password reuse remains the most common vulnerability. 62% of users reuse passwords across services, and credential-stuffing attacks account for 19% of all authentication attempts on average. A freelancer using the same password for their email and their business workspace hands attackers a direct path to client data, unpaid invoices, and signed contracts the moment any one service is breached.
The password manager 1Password can store TOTP codes inside its vault, but it protects the passwords themselves, not the workspace where client work lives. LastPass offers a standalone authenticator app, but after its 2022 breach many users moved to alternatives. Plutio's 2FA protects the workspace directly, at the application level, so even if a password manager is compromised, the attacker still needs the authenticator device to reach client data.
The most damaging scenario is not a single lost file but a full workspace breach: every proposal, every signed contract, every invoice amount, and every client conversation exposed at once. Two-factor authentication is the single most effective control against that outcome.
Plutio places 2FA at the login layer of the workspace itself, so the protection covers every feature inside: projects, invoicing, contracts, and the client portal.
How two-factor authentication works in Plutio
Open Settings, go to Account, and turn on two-factor authentication. Scan the QR code with an authenticator app, enter the 6-digit verification code, and 2FA is active on the account from the next login forward.
Before starting, install an authenticator app on a phone or tablet. Google Authenticator, Authy, and 1Password all support TOTP codes and work with Plutio.
Step by step
- Step 1: Go to Settings and open the Account section under Personal. The two-factor authentication panel appears below the login details.
- Step 2: Click "Turn on" to generate a QR code. Plutio creates a unique secret key and displays it as a scannable barcode. The QR code includes the workspace name as the issuer label in the authenticator app.
- Step 3: Open the authenticator app on a phone, scan the QR code using the app's camera, and the app starts generating 6-digit codes that refresh every 30 seconds.
- Step 4: Enter the current 6-digit code from the authenticator app into the verification field in Plutio and click "Submit and verify." Plutio validates the code and activates 2FA on the account.
- Step 5: Generate backup codes by clicking "Generate backup codes" in the same panel. Plutio produces 10 single-use codes. Save the codes in a secure location separate from the authenticator device.
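As an added example (not Plutio's code), the mechanics behind the authenticator codes described above and the enrollment steps just listed, in Python: generating the shared secret, the otpauth URI that the QR code encodes (with the issuer label the app displays), RFC 6238 code derivation with 6 digits and a 30-second step, and server-side verification that tolerates one step of clock drift. The account name and issuer used in the demo are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

DIGITS = 6          # code length the page describes
STEP = 30           # seconds per code
DRIFT_STEPS = 1     # accept the previous and next step to absorb clock drift


def generate_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def otpauth_uri(secret: str, account: str, issuer: str) -> str:
    """The otpauth:// URI encoded into the QR code; issuer becomes the label in the app."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def totp(secret: str, timestamp: int) -> str:
    """RFC 6238: HMAC-SHA1 over the time-step counter, dynamic truncation, 6 digits."""
    key = base64.b32decode(secret, casefold=True)
    counter = struct.pack(">Q", timestamp // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: str, submitted: str, timestamp: Optional[int] = None) -> bool:
    """Server-side check against the current step and its DRIFT_STEPS neighbours,
    comparing in constant time."""
    now = int(time.time()) if timestamp is None else timestamp
    for k in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        if hmac.compare_digest(totp(secret, now + k * STEP), submitted):
            return True
    return False


if __name__ == "__main__":
    s = generate_secret()
    print(otpauth_uri(s, "alice@example.com", "Example Workspace"))  # placeholder names
    print("current code:", totp(s, int(time.time())))
```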
Practical tip: generate backup codes immediately after enabling 2FA and store them in a password manager, or print them and keep them in a secure location. Switching phones without transferring the authenticator app locks the account unless backup codes are available.
Who needs two-factor authentication
Any freelancer or agency storing client data, financial records, or signed contracts in a workspace needs two-factor authentication, especially when team members or clients access the same workspace from multiple devices and locations.
Solo freelancers billing $2,000 or more per month carry enough financial data in invoices and payment records to make their account a target. A compromised workspace means leaked client details, exposed contract terms, and potential liability. Enabling 2FA takes under 2 minutes and blocks the attack vector responsible for 22% of breaches globally.
Agencies with 3 to 15 team members face a multiplied risk: each team member's password is a potential entry point. If one person reuses a password that leaks in a third-party breach, the entire workspace is exposed. Plutio's 2FA is per-user, so each team member enables it independently on their own account, and the workspace owner can see which accounts have 2FA active.
Freelancers researching HoneyBook alternatives or Dubsado alternatives often ask whether the platform includes native two-factor authentication. Plutio includes TOTP-based 2FA on all plans with no add-on cost, while some competing platforms require third-party integrations or limit 2FA to higher-tier plans.
Bottom line: any freelancer or agency handling client contracts, invoices above $1,000, or sensitive project files should enable two-factor authentication on every account in the workspace. The 10-second login addition prevents the one breach that could end client trust permanently.
