it17
Level 1

New Admin to QBO but Veteran in IT/Security. How can I make MFA mandatory and enforce strong passwords on my Contractors (and employees) who access my financial data?

Right now, the security of my financial data is subject to the sole discretion of the cyber hygiene of my contractors (and employees), and QBO provides no visibility for me to validate my company's compliance to governance standards & laws pertaining to my financial data. Please confirm or correct.

3 Comments
Bryan_M
QuickBooks Team

Pertaining to you as the new admin and an IT/Security veteran, I believe that the security of your company's financial data should follow standard government regulations and not be compromised by any illegal actions, @it17

 

In terms of the MFA mandatory to enforce a powerful password, you can set this up on your own account by turning on the 2-step verification option when managing your it. Please know that this is only applicable whenever your login credentials.

 

Here's how:

 

  1. In your QuickBooks account, click the initial letter of your name in the upper right corner. It is placed in a blue circle.
  2. Click on Manage your Intuit Account.
  3. Go to Sign in & security.
  4. Scroll down and turn on the 2-step verification option.
  5. Set up Verification methods, either via Phone number or Authentication app.
  6. Follow the on-screen steps.

 

If you added your contractors and employees as users also, they will be the ones to turn on the 2-step verification by replicating the steps above. However, as the new admin, you have control over what they can access in your company whenever they log in by managing their role.

 

You can follow the steps below to learn how:

 

  1. Go back to your QuickBooks account and go to the Gear icon.
  2. Select Manage users.
  3. Locate the contractor and employee user you want to limit access to your financial records.
  4. Click on the Edit icon below the Action column.
  5. Press the dropdown icon of the Roles field and pick an access that limits them to edit or view financial transactions. You can view this article to view available roles: User roles and access rights.
  6. Tap Done to save it.

 

Keep in mind that if you simply invite your contractor and employee to fill in their payroll and tax information in QuickBooks, they won't have any access to your account, unlike adding them as a user. 

 

It is also worth noting that QuickBooks Online (QBO) is designed to adapt to your region's regulations and financial data compliance. In addition, your information is highly protected by our system since we rely on advanced, industry-recognised security safeguards to keep all of your financial data private and protected.

 

Furthermore, QBO is a DigiCert® secured product. This is the leading Secure Sockets Layer (SSL) Certificate Authority. With password-protected login, firewall-protected servers and the same encryption technology (128-bit SSL) used by the world's top banks, we have the security elements in place to give you peace of mind. Check out this reference for detailed information: QuickBooks Global Financial Privacy and Security.

 

You can always look back here and reply if you have additional questions or suggestions relating to security and privacy compliance of QuickBooks. I am more than willing to assist you. 

it17
Level 1

Thank you so much for the thorough explanation.  I truly appreciate the details. 

 

I'm comfortable with the security parameters INSIDE QBO. 

 

My concern is that if I'm responsible for Governance for this company, QBO has handicapped me because I have no way to (1) validate or (2) enforce compliance of my own (internal) users...let alone contractors with their own email accounts (Gmail, Yahoo, et al). Please correct me if I'm wrong...even with MFA turned on for my contractor, they can choose to turn it off and use '123abc' for their password and I would never know. So if their (personal) Gmail account gets hacked, the bad guy has access to everything that my contractor legally had access/permission to. Please confirm or correct.

 

I'm just shocked that QBO has no 'Governance Management' capabilities for their customers to validate compliance to standards and laws. 
