How to Give Your Virtual Assistant Access to 2FA Codes Without Sharing Your Phone

You hired a virtual assistant to handle your admin work. Smart move. She can manage your calendar, process invoices, handle customer service — everything you've been drowning in.

Except for one thing. Every service she needs to log into — your email admin panel, your invoicing software, your social media scheduler, your domain registrar — sends a 2FA code to your phone. And she's in the Philippines. And it's 3 AM your time.

So now she messages you on WhatsApp. You wake up, squint at your phone, read her the code. She types it in. Sometimes it's already expired. She messages you again. You read another code. She finally gets in.

This happens multiple times per week. It defeats the entire purpose of having an assistant.

Here's the fix — and it takes less time to set up than reading this introduction.

The Virtual Assistant Access Problem

Most entrepreneurs who hire VAs encounter the same friction point:

That's 8+ services, each requiring a verification code that goes to a phone 8,000 miles away.

The Current "Solutions" (and Why They're Terrible)

None of these solutions are real solutions. They're workarounds that trade security for convenience, or cost for sanity.

The Setup: 5-Minute Workflow

2FA codes arrive as SMS → Your iPhone → SMS to Email Forwarder
                                                ↓
                                      [email protected]
                                                ↓
                                      Your VA checks email,
                                      enters code, does work
      

Step 1: Create a Controlled-Access Inbox

Set up a new email address:

• [email protected] (Google Workspace)
• Or a dedicated Gmail: [email protected]

Security configuration:

• Grant your VA read-only access (Google Workspace → Shared Mailbox → Reader role)
• If using Gmail, set up "delegate access" (Settings → Accounts → Grant access)
• Delegate access means: VA can read emails but cannot change settings, forward rules, or delete
• Enable 2FA on THIS email account using an authenticator app (that YOU control)

Step 2: Install SMS to Email Forwarder

Download SMS to Email Forwarder on your iPhone.

Configuration:

1. Enter [email protected]
2. Complete Shortcuts setup — 2 minutes
3. Every incoming SMS is forwarded to the inbox your VA can access

Step 3: Brief Your VA

Send your VA this message:

"From now on, when you need a verification code for any of our business accounts, check the inbox at [email protected]. Codes appear there automatically within seconds of being sent. You don't need to message me anymore."

Show them how quickly it works: Have them log into one service while you watch — the code appears in the email within seconds of the SMS arriving on your phone.

Security: What You're Actually Exposing (and Not Exposing)

Let's be precise about the security model:

What Your VA CAN See

• Verification codes from business services
• Delivery notifications, marketing texts, and other SMS you receive

What Your VA CANNOT Do

• Change forwarding rules or redirect emails
• Access your phone, apps, photos, or personal messages
• Use codes after they expire (30-60 seconds)
• Log into services without also knowing the password

What You RETAIN

• Full control over the email account (you can revoke access instantly)
• Ability to see what codes were used (email audit trail)
• Your phone remains private — VA never touches it
• Password control — even with codes, VA can't log in without passwords you've shared on a per-service basis

The Trust Equation

The core question is: do you trust your VA enough to let them log into your business tools?

If the answer is yes (and it has to be — otherwise why did you hire them?), then the only question is: what's the safest way to give them access?

SMS forwarding sits at the pragmatic sweet spot — significantly more secure than most current practices, minimal cost, and zero daily friction.

VA Workflow Scenarios

Scenario 1: The Morning Social Media Session

Your VA works 8 AM - 12 PM Manila time (8 PM - 12 AM your time). She needs to log into Buffer, Canva, and Instagram Business to schedule the week's content.

Before: She messages you at 8 PM your time with "need Buffer code." You're having dinner. She waits. At 9:30 PM, you finally see the message, read the code. It expired. You send another. She gets in. Then she needs Canva. The cycle repeats.

After: She opens her workday, checks the codes email. Logs into all three services within 5 minutes. Finishes content scheduling by 10 AM. Done. You were asleep the entire time.

Scenario 2: The Urgent Domain Renewal

Your VA notices that yourcompany.com expires in 2 days. She needs to log into GoDaddy to renew it. GoDaddy sends 2FA to your phone.

Before: She messages you urgently. You're on a flight with airplane mode on. She can't renew. The domain lapses for 6 hours before you land, causing email delivery failures and a brief website outage.

After: Code goes to the shared inbox automatically. She renews the domain. You land, see a Slack message: "Renewed domain for 2 years ✅." Crisis averted.

Scenario 3: The Client Account Setup

A new client signs up. Your VA needs to create their account in your CRM, set up their invoicing, and send a welcome email. Each system requires login + 2FA.

Before: 3 separate interruptions over 45 minutes as she pings you for codes.

After: She logs into everything independently. Client is fully onboarded in 20 minutes. You get a summary email when she's done.

When Your VA Leaves: The Offboarding Checklist

When your VA's contract ends, here's the 10-minute security reset:

1. Remove her delegate access from [email protected]
2. Change passwords on all services she had access to
3. Review login history on critical services (most show recent sessions)
4. Revoke active sessions where available (Google, Facebook, etc.)
5. Consider rotating the email — create a new va-access address for the next VA

The SMS forwarding itself doesn't need to change — you simply cut off the downstream access.

Advanced: Time-Zone-Aware Setup

If your VA works in a different time zone – which most do – you want codes forwarded only during her working hours. There are two approaches:

Approach 1: Forward Everything (Recommended)

Forward all SMS 24/7. Your VA only checks during work hours anyway. The codes expire in seconds regardless.

Pros: Simplest. No configuration. Works even for urgent situations outside normal hours.

Approach 2: Scheduled Forwarding

Use iOS Shortcuts Automations with time conditions:

• Forward SMS to the VA inbox only during her working hours (e.g., 8 PM - 4 AM your time)
• Outside those hours, forward to your own personal email instead

Pros: More private during your active hours. Cons: Requires iOS automation setup, limits flexibility.

The Math: What's This Actually Worth?

• VA interruptions per day: 5-8
• Your context-switching cost per interruption: 15 minutes
• Daily time lost: 75-120 minutes
• Monthly time lost: 25-40 hours
• If your effective rate is $100/hour: $2,500-4,000/month of wasted time

The app is free.

For related workflows: share 2FA codes with your team | forward order SMS to team email

Free yourself from the code relay.

Download SMS to Email Forwarder — your VA works independently, you sleep through the night.