Two-factor authentication


Two-factor authentication (2FA) adds another layer of protection to the login process. In addition to the normal login, 2FA requires the user to enter a Time-based One-Time Password (TOTP).


When two-factor authentication is enabled in myDBR and a user logs in, myDBR checks whether the user has already taken 2FA into use by registering the QR code in their device (usually a smartphone). The user registers with the QR code/token, and the secret value is stored both in the device and in myDBR. This shared secret is the basis from which the time-based one-time password is calculated.

When a user whose 2FA setup is complete logs in, the time-based one-time password is requested.

The secret value for a user can be reset from the admin's user list. If the admin's secret is lost and 2FA prevents the login, the secret value can be reset by removing the admin's row from the mydbr_twofa_secrets table.

Sample TOTP apps

As TOTP is a standard (RFC 6238), there are plenty of apps to choose from. Here is a list of a few common ones:

  1. Google Authenticator
  2. Authy
  3. LastPass
  4. OTP Auth
  5. FreeOTP
  6. Duo Mobile
  7. Microsoft Authenticator

Limiting when 2FA is used

2FA can be limited to logins from external IP addresses and/or to admin accounts only. This way 2FA can be required only when a user accesses the system from outside the internal network, or only for admin accounts, providing further protection for admins.
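An added example (not myDBR's own code, and its option names are assumptions) of the decision logic such a restriction implies: each enabled restriction narrows when 2FA is demanded, and an address that cannot be parsed is treated as external so the check fails closed rather than silently skipping the second factor.

```python
import ipaddress
from typing import Iterable

# Constructed definition of "internal": the RFC 1918 ranges plus loopback. A real deployment would
# list its own networks; the page does not say how myDBR defines the internal network.
DEFAULT_INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]


def is_internal(client_ip: str, internal: Iterable[ipaddress._BaseNetwork] = DEFAULT_INTERNAL_NETWORKS) -> bool:
    """True if the client address falls inside one of the configured internal networks.
    An unparseable address is reported as NOT internal, so the caller requires 2FA (fail closed)."""
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in internal)


def requires_2fa(client_ip: str, is_admin: bool,
                 external_only: bool = False, admin_only: bool = False) -> bool:
    """Decide whether this login must present a TOTP code.
    external_only: skip 2FA for internal-network clients. admin_only: skip 2FA for non-admin users.
    When both are set, 2FA applies only to admins logging in from outside (assumed 'and' semantics)."""
    if external_only and is_internal(client_ip):
        return False
    if admin_only and not is_admin:
        return False
    return True


if __name__ == "__main__":
    for ip, admin in [("10.1.2.3", False), ("203.0.113.7", False), ("203.0.113.7", True), ("not-an-ip", False)]:
        print(ip, "admin" if admin else "user",
              "-> 2FA required" if requires_2fa(ip, admin, external_only=True) else "-> 2FA skipped")
```

The client address must be the one the application actually trusts: if myDBR sits behind a reverse proxy, the decision is only as good as the proxy's handling of forwarded-address headers, so the "internal" exemption should be configured narrowly.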