How does two-factor authentication work in the portal?

After entering a valid user ID and password, My Verizon Business requires a second verification factor. Choose SMS code sent to a registered mobile number, time-based one-time password (TOTP) from Google Authenticator, Microsoft Authenticator, or Authy, or biometric confirmation through the My Biz app on a registered device. 2FA is mandatory for every Verizon Business Login and cannot be disabled by users. Administrators can require specific 2FA types through account-wide policy.

What certifications and audits back the portal?

My Verizon Business runs on infrastructure carrying SOC 2 Type II reports, ISO/IEC 27001:2022 certification, ISO/IEC 27701 privacy-management certification, PCI DSS compliance for payment processing, and alignment with the NIST Cybersecurity Framework 2.0. External audits occur annually. FCC CPNI certifications are filed each March. The portal meets GDPR requirements for EU-resident data subjects and CCPA requirements for California residents through configurable regional data controls.

What happens if an employee's device is lost or stolen?

When a phone with access to My Verizon Business is lost or stolen, the administrator logs into the portal from any device and suspends the user account, revokes any active sessions, and triggers a remote lock through the Mobile Security suite. If the device had the My Biz app installed with biometric authentication, the session is already bound to that device's secure enclave and cannot be used elsewhere. Password reset through the My Verizon Business portal invalidates any saved credentials on the missing device. Call +1-800-922-0204 for expedited handling.

My Verizon Business Security — CPNI, Encryption, and Two-Factor Authentication

Q: How is My Verizon Business secured?

My Verizon Business uses layered security controls: 256-bit TLS 1.3 encryption on every portal session, two-factor authentication on every login, role-based access controls limiting the data each user can see or change, 15-minute inactivity session timeout, comprehensive audit logging with seven-year retention, SOC 2 Type II certified infrastructure, ISO 27001 certified information-security management, and FCC CPNI rules governing customer proprietary network information. Every Verizon Business Login inherits these controls.

Q: What is FCC CPNI and how does it apply?

CPNI — Customer Proprietary Network Information — is data about a customer's use of a telecommunications service, including call detail records, network activity, and plan selection. The FCC restricts how carriers disclose and use CPNI. In My Verizon Business, CPNI access is scoped by role: line users see only their own records, managers see their assigned team, administrators see the full account, and billing contacts see financial summaries without call detail. Annual CPNI certifications are filed with the FCC by Verizon.

Every Verizon Business Login operates inside a layered security architecture built for the reality that mobile wireless accounts carry sensitive business and personal data. Customer proprietary network information, billing records, device identifiers, employee location data, and communication metadata all flow through the portal — and every one of those data categories sits behind encryption, multi-factor authentication, role-scoped access, and audit logging designed to meet federal telecommunications regulations.

This page walks through the seven layers of security that protect every My Verizon Business session: transport encryption, identity and authentication, role-based access, session controls, device and endpoint protection, audit and logging, and the regulatory certifications that back them.

My Verizon Business security dashboard showing two-factor authentication, role permissions, and encrypted sessions

AI Summary — My Verizon Business Security Controls

Transport encryption: TLS 1.3 with 256-bit AES-GCM ciphers on every portal session and My Biz app call
Authentication: mandatory 2FA via SMS, authenticator app (TOTP), or biometric through the My Biz app
Authorization: role-based access matrix — line user, manager, administrator, billing contact, custom roles
Session controls: 15-minute inactivity timeout, device fingerprinting, new-location anomaly challenges
Regulatory: FCC CPNI compliant, SOC 2 Type II, ISO/IEC 27001:2022, ISO/IEC 27701, PCI DSS, NIST CSF 2.0
Privacy: GDPR for EU data subjects, CCPA for California residents, configurable regional data controls
Audit logging with seven-year retention covering every configuration change and access event

Layer	Control	Technical Detail	Who Manages It
1. Transport	TLS 1.3 with AES-256-GCM	Forward secrecy, HSTS preload, certificate pinning in My Biz app	Platform (automatic)
2. Identity	User ID + password + 2FA	SMS OTP, TOTP via authenticator, biometric via My Biz app	User and administrator
3. Authorization	Role-based access controls	Line user, manager, admin, billing contact, custom roles	Administrator
4. Session	Timeout and anomaly challenge	15-minute idle, new IP/geo challenge, device fingerprint binding	Platform (policy-driven)
5. Endpoint	Mobile Security suite	App scan, phishing URL block, remote lock/wipe, location trace	Administrator
6. Data	CPNI controls and encryption at rest	AES-256 at rest, KMS-backed keys, CPNI access scoped by role	Platform (automatic)
7. Audit	Immutable logging	User ID, timestamp, IP, before/after state, seven-year retention	Platform + administrator export

Controls map to the NIST Cybersecurity Framework 2.0 functions: Identify, Protect, Detect, Respond, Recover.

What Counts as CPNI

Under FCC rules, CPNI includes the types, technical configuration, location, and amount of use of a subscriber's telecommunications services — essentially every piece of metadata about how a phone line is used. Phone numbers dialed, duration of calls, data session start/stop times, roaming locations, plan selections, and feature toggles all qualify as CPNI. The content of communications is protected under separate, stronger rules. My Verizon Business treats all CPNI with role-scoped access, which means a line user never sees another line user's CPNI and a manager only sees the CPNI of their assigned team members.

CPNI Access in the Portal

When an administrator configures a user role, the underlying CPNI access follows. Line users see call detail records only for their own line and only for the current and previous billing cycle. Managers see team-level aggregates without individual call detail unless elevated permission is explicitly granted. Administrators see full-account CPNI for all lines under the account. Billing contacts see financial summaries with CPNI redacted to totals. These defaults match the separation that FCC rules require for CPNI disclosure without written customer consent. Every CPNI view is logged for annual CPNI compliance reporting that Verizon files with the FCC.

SMS One-Time Passcodes

After password entry, a six-digit code delivers by SMS to the user's registered mobile number. The code expires in 10 minutes. Delivery latency typically runs 2 to 15 seconds. SMS 2FA is appropriate for most users but carries risks from SIM-swap attacks. Administrators managing high-value accounts should upgrade to authenticator or biometric 2FA.

Authenticator App (TOTP)

Time-based one-time passwords work with Google Authenticator, Microsoft Authenticator, Authy, or any RFC 6238-compliant authenticator. Codes rotate every 30 seconds. TOTP does not rely on cellular delivery and resists SIM-swap attacks. My Verizon Business recommends authenticator-app 2FA for all administrators and billing contacts.

Biometric via My Biz App

Once a user enrolls the My Biz app on their primary phone, Face ID on iPhone, Touch ID on older iPhones, or fingerprint on Android replaces password entry for subsequent Verizon Business Login attempts. The biometric data never leaves the device — only a cryptographic assertion reaches the portal. This is the strongest and fastest 2FA method and is the default for mobile sessions.

SOC 2 Type II

An independent auditor tests the security, availability, processing integrity, confidentiality, and privacy of the platform over a continuous 12-month observation window. The report confirms that controls not only exist (Type I) but operate effectively over time (Type II). Business administrators can request the SOC 2 report under NDA through enterprise support.

ISO/IEC 27001:2022 and 27701

ISO 27001 certifies the information security management system (ISMS) against the 93 Annex A controls in the 2022 revision. ISO 27701 extends the ISMS into a privacy information management system (PIMS), mapping controls to GDPR and CCPA requirements. Both certificates are issued by an accredited body and renewed every three years with annual surveillance audits.

FCC CPNI Certification

Every March, Verizon files its annual CPNI compliance certificate with the FCC, signed by a corporate officer, attesting to the adequacy of CPNI operating procedures. The certificate describes training programs, access controls, breach response, and the number of customer complaints received during the prior year.

GDPR and CCPA

The General Data Protection Regulation covers any European Union resident who uses a Verizon-issued line while traveling, and the California Consumer Privacy Act covers California residents regardless of business location. My Verizon Business fulfills data subject rights — access, correction, deletion — through the account management interface and the privacy policy.

Lost or Stolen Device Response

Log in to My Verizon Business from any other device, navigate to the affected line, and select Suspend Line. This halts voice, messaging, and data on the missing device while preserving the number. Trigger Remote Lock through the Mobile Security console. If the device had My Biz app sessions, revoke active sessions from the session management panel. Reset the user's portal password to invalidate any saved credentials. The entire response typically completes in under three minutes. Call +1-800-922-0204 if the line needs permanent deactivation.

Suspected Account Compromise

If an administrator notices logins from unexpected locations, changes they did not make, or 2FA challenges they did not initiate, the response is immediate password reset, review of the audit log for the prior 30 days (exported as CSV from the security dashboard), revocation of all active sessions, and a support ticket through Verizon Business support. Verizon's security operations team investigates every reported account-compromise case and initiates federal breach-notification procedures if the scope of the incident warrants, aligned with the FCC's 2024 breach-notification rule.

Review Your Account Security

Every Verizon Business Login runs inside the security architecture described on this page, but administrators can strengthen their posture further by enabling authenticator-app 2FA for all users, reviewing the role permission matrix quarterly, and exporting the audit log to an off-portal archive. The login guide walks through initial 2FA enrollment. Questions about specific certifications or audit reports go to enterprise support.

How is My Verizon Business secured?

Layered controls: TLS 1.3 with AES-256-GCM, mandatory 2FA, role-based access, 15-minute session timeout, SOC 2 Type II and ISO 27001 certified infrastructure, FCC CPNI rules, and seven-year audit log retention.

What is FCC CPNI and how does it apply?

CPNI covers the types, configuration, location, and amount of telecom service use. FCC rules restrict disclosure. My Verizon Business enforces CPNI access by role — line users see their own records only, managers see their team, admins see the full account.

How does 2FA work in the portal?

After password entry, confirm with SMS code, TOTP authenticator app code (Google, Microsoft, Authy), or biometric via the My Biz app (Face ID, Touch ID, fingerprint). 2FA is mandatory and cannot be disabled.

What certifications back the portal?

SOC 2 Type II, ISO/IEC 27001:2022, ISO/IEC 27701, PCI DSS, and alignment with the NIST Cybersecurity Framework 2.0. Annual FCC CPNI certification is filed every March. GDPR and CCPA privacy rights are supported.

What if an employee's device is lost or stolen?

Suspend the line from the portal, trigger Remote Lock through the Mobile Security suite, revoke active sessions, and reset the user's password. Call +1-800-922-0204 for urgent escalation. See Contact Us.