Two-Factor Authentication
Also known as: 2FA, MFA-second-factor, two factor auth
Login that requires both a password (something you know) and a second factor (something you have, usually a TOTP code from an authenticator app or an emailed one-time code). Reduces the impact of credential theft.
Two-factor authentication (2FA) layers a second proof of identity on top of the password. The password alone is sometimes leaked (phishing, credential-stuffing, breach reuse); the second factor isn’t transferable in the same way, so an attacker with just the password can’t complete a login.
The two common second-factor mechanisms used in MSP-context:
- Authenticator app (TOTP): a 6-digit code generated by an app like Google Authenticator or Microsoft Authenticator, refreshed every 30 seconds. Standard is RFC 6238 with SHA1, 6 digits, 30-second interval.
- Email one-time code: a 6-digit code emailed to the user’s registered address, valid for a short window (typically 5 minutes). Easier to roll out, weaker because it depends on the email account’s own security.
On Yeastar PSE, 2FA can be configured for the Super Administrator account (recommended; an admin password leak otherwise gives full PBX takeover) and made mandatory for all extension users (a policy rollout that affects everyone’s next Linkus login). The “Trusted Device” option lets a user skip the second factor on a known device for 180 days; useful for personal laptops, risky for shared devices.