Let's talk about Users and Permissions for your Shopify Store... and how you can secure your store in addition to Two Way Authentication.
The Store Owner has FULL access. Whenever Shopify needs to reach out regarding the Store, they will contact the email address that is listed for the Store Owner. There are some tasks that only a Store Owner can approve or perform.
Each Staff Account has User Permissions that can be assigned specifically to them.
You can assign User Permissions based on the access each person needs. Your Accountant may require only Financial Information (Payouts) and Orders. The person who adds products may only need access to Products, Collections, and Navigation. Your Marketing person would probably need access to Marketing and Coupons. Keep in mind, you can always grant more access or take it away.
My clients know that as a Shopify Expert, when building a store for my clients, I request Full Access with the exception of Financials. This is because when building the store I'm going to be doing everything from connecting domains, creating discount codes, and setting up the store. I do not approve the purchase of Apps or Themes. I defer to the Store Owner on that and they must approve the charge.
This is what the User Permissions look like. You can even click the arrow to fine-tune approvals. Maybe you want to give your employee permission to Add products but not Delete products.
If you need Tech Support with an App or Theme, quite often their support team will need access via a Staff Account. Since there are limited Staff Accounts, see if they can access the store via their Partner account. Shopify Partners will send a request from their Partner account to your store as a Collaborator. This will not tie up a Staff Account. Remove unused Staff and Collaborator accounts as a safety measure.
I turned on a little security feature requiring a Collab to provide a number before their request is approved. Unless a Store Owner provides a Shopify Partner this 4-digit Collab number, they cannot even request access to the store. What if an employee who wasn't aware accidentally granted access... this person could have had access to EVERYTHING.
Please update your settings: Go to Settings / Users and Permissions and scroll down to Collaborators. This is the default view:
Change the setting so that anyone requesting access must have the Code first.
This way your store will remain safe and secure in addition to having two-way authentication.