Security · Industry · May 12, 2026 · 5 min read

Why CRMs should ship 2FA by default

Most CRMs gate two-factor authentication behind enterprise pricing. That is upside-down. Here is why the default matters more than the upsell — and what to look for when evaluating a CRM.

By Jezdan Gomez

Most CRMs treat two-factor authentication the way airlines treat legroom: a comfort you pay extra for. Open a popular CRM’s pricing page and you’ll usually find 2FA listed under Enterprise, alongside SSO and audit logs. The implicit message: security is a feature for large customers who ask for it.

That stance made sense a decade ago. It does not make sense now. Account takeover is the single most common cause of CRM breaches, and the attackers don’t care whether you’re on the starter plan or the enterprise plan. The customer data sitting in a five-seat workspace is just as sensitive to the people it belongs to as the data sitting in a five-hundred-seat workspace.

The economics that made 2FA a paid feature don’t hold anymore

Historically, vendors gated 2FA because it cost something to deliver. SMS-based 2FA charged per-message. Hardware tokens cost real money. Support load went up when users got locked out. Putting it behind a higher tier let vendors recover those costs from customers who valued it most.

None of those costs are meaningful today. TOTP (the standard used by apps like Authy, Google Authenticator, and 1Password) is RFC 6238 — a free, open standard. The vendor cost to support it is the engineering time to build it once. Recovery codes and lockout flows eliminate most of the support overhead. The remaining cost — the engineering hours to ship and maintain it — is fixed, not per-user. There’s no per-seat justification anymore.

What you get when 2FA is the default

When a CRM ships 2FA in the base plan, three useful things happen:

  • The blast radius of a password leak shrinks. A compromised password alone doesn’t unlock the workspace.
  • Admins can require it org-wide without paying for an upgrade. The decision to enforce 2FA stops being a budget conversation.
  • Audits get easier. SOC 2, ISO 27001, and most procurement security questionnaires ask whether you require 2FA. If your CRM doesn’t support it on your tier, you have a finding to remediate.

What to look for when evaluating a CRM

  1. Is 2FA available on the free or lowest paid plan? If it’s gated, ask which tier unlocks it — and price the upgrade accordingly.
  2. Can admins require 2FA org-wide, or is it user-opt-in only? Opt-in is better than nothing but doesn’t move the needle on breach probability.
  3. Are recovery codes generated at enrollment? Without them, your first lockout becomes a support ticket.
  4. Is there a lockout policy after repeated failures? This is what protects against brute-force attempts on the TOTP code itself.

Our take

Vanta CRM ships 2FA on every plan, including the free one. Admins can require it org-wide from settings. Recovery codes are generated at enrollment, and accounts lock for fifteen minutes after five failed attempts. We didn’t build it as a differentiator — we built it because account security is not a feature.
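As an added illustration (not code from this article or from Vanta CRM), here is a minimal RFC 6238 TOTP verifier wired to the lockout policy stated above: five failed attempts lock the account for fifteen minutes. The one-step drift window, the replay check on the last accepted counter and the `Account` record are assumptions of this example; the secret and timestamps come from the RFC 6238 test vectors.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

STEP = 30                    # RFC 6238 default time step, seconds
DIGITS = 6
MAX_FAILURES = 5             # lockout policy from the section above
LOCKOUT_SECONDS = 15 * 60


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


@dataclass
class Account:               # assumed per-user state kept server-side
    secret: bytes
    failures: int = 0
    locked_until: int = 0
    last_counter: int = -1   # highest counter already accepted (replay check)


def verify(acct: Account, code: str, now: int) -> tuple[bool, str]:
    """Check a submitted code; returns (accepted, reason)."""
    if now < acct.locked_until:
        return False, "locked"
    code = code.strip()
    counter = now // STEP
    if code.isascii() and code.isdigit() and len(code) == DIGITS:
        for c in (counter - 1, counter, counter + 1):   # +/- one step of drift
            if c > acct.last_counter and hmac.compare_digest(hotp(acct.secret, c), code):
                acct.failures = 0
                acct.last_counter = c
                return True, "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:                    # brute-force budget spent
        acct.failures = 0
        acct.locked_until = now + LOCKOUT_SECONDS
        return False, "locked"
    return False, "bad_code"
```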

If you’re shopping for a CRM and security matters to you, make 2FA-in-the-base-plan a hard requirement. It’s the cheapest signal you have about whether the vendor thinks of you as a customer or as a cost center.

Ready to put security in the base plan?

Spin up a workspace in two minutes. 14-day free trial, no credit card.