The Two-Factor Authentication - or 2FA in short - is an additional security measure to protect accounts from unauthorized access. Users may enable 2FA using an authenticator application, e.g. Google Authenticator app or Apple's Safari Keychain, have the code sent via email or use built-in authenticators such as fingerprint or facial recognition up on WebAuth.

Enabling the 2FA authentication is straight forward:

1. Go to your users menu in the top right corner
2. Select Edit my data
3. Open the Login panel
4. Select the appropriate second factor and follow the instructions

Once enabled, the 2FA information will be requested from the user starting with the next login cycle. The 2FA code request is being displayed independently from the actual user login. In case of Single-Sign-On using an MS Windows account, only the 2FA page will be displayed.

Note: Multiple 2FA methods can be enabled for the same account.

Note: The authentication is remembered by the browser for 28 days since the last access. 2FA is only requested again together with a forced login after logging out, the expiration of the cookie or removal of the session information from the users data.

Note: Users with access to the Users and Groups manager are allowed to remove 2FA information from an account, e.g. in case the user lost the 2FA generator. They are not, however, able to modify the registered 2FA authenticator application code.

The Authenticator Application 2FA method is based up on a time-based one-time password. A QR code has to be scanned using, e.g. Google Authenticator or using the Camera app.

Alternatively, e.g. when using another 3rd party password aggregator, users can copy & paste the registration code below the QR code.

Both codes can be printed and stored safely as paper backup.

The email authentication method requires that the server is configured with an email account by an administrative user. Also, users are required to have a valid email address set up in their account. This provider will not be presented otherwise.

2FA codes sent using email are valid for 15 minutes.

The Web Authentication using webauthn requires an additional hardware based element, such as a fingerprint or facial recognition sensor or YubiKey, to successfully authenticate a user. Users can setup multiple security keys and provide a descriptive name to each of them.

Web Authentication works hand in hand with other industry standards such as Credential Management Level 1 and FIDO 2.0 Client to Authenticator Protocol 2 (see https://webauthn.me/introduction).

Note: Each additional security key can only be added once.

Note: Additional requisites are an HTTPS/SSL secured server connection and an unchanged origin, meaning the login domain (FQDN).