
Overview

Two-factor authentication (2FA) adds a second verification step after a user enters their password. Even if a password is compromised, an attacker cannot access the account without also having the second factor.
2FA can be enforced organization-wide by an administrator or enabled voluntarily by individual users. When enforced, users must set up 2FA before they can access Fentu FSM.

Supported Second Factors

Method | How It Works | Recommended For
Authenticator App (TOTP) | Time-based one-time code generated by an app (Google Authenticator, Microsoft Authenticator, Authy) | All users — most secure option
Email OTP | One-time code sent to the user’s registered email address | Users without a smartphone
SMS OTP | One-time code sent via text message | Fallback option when email is unavailable
Authenticator apps are strongly recommended over SMS or email. Codes are generated offline and are not vulnerable to SIM-swapping or email account compromise.

Enforcing 2FA Organization-Wide

Administrators can require all users to set up 2FA before accessing Fentu FSM:
  1. Open Security Settings: navigate to Administration > Settings > Security
  2. Enable 2FA Enforcement: toggle “Require Two-Factor Authentication” on
  3. Set Grace Period: optionally set a grace period (e.g., 7 days) during which existing users can still log in without 2FA while they set it up
  4. Save: click Save. New login attempts will prompt users to enrol in 2FA before accessing any page
Enforcing 2FA immediately (with no grace period) will block all users who have not yet set up a second factor. Communicate the change to your users before enabling enforcement, or set a grace period.

Setting Up 2FA (Per User)

Users can set up 2FA from their own profile, or be prompted automatically when enforcement is active.

Using an Authenticator App (TOTP)

  1. Open Profile Settings: click your avatar in the top-right corner and go to Profile > Security
  2. Click Enable Two-Factor Authentication: select Authenticator App as the method
  3. Scan the QR Code: open your authenticator app (Google Authenticator, Microsoft Authenticator, or Authy) and scan the QR code displayed on screen
  4. Enter the Verification Code: type the 6-digit code shown in your authenticator app to confirm the setup
  5. Save Recovery Codes: download or copy the recovery codes shown and store them in a secure location. These are used if you lose access to your authenticator device
  6. Done: 2FA is now active. You will be prompted for a code on every login

Using Email OTP

  1. Open Profile Settings: go to Profile > Security > Enable Two-Factor Authentication
  2. Select Email: choose Email as your second factor method
  3. Confirm Your Email Address: verify the email address shown is correct. A test code is sent immediately
  4. Enter the Test Code: enter the code from the email to confirm setup
  5. Done: on future logins, a code will be emailed to you after you enter your password

Logging In with 2FA

Once 2FA is active, the login flow has an additional step:
  1. Enter Email and Password: log in as normal on the Fentu FSM login page
  2. Second Factor Prompt: after password verification, a prompt appears asking for your second factor code
  3. Enter the Code: open your authenticator app (or check your email/SMS) and enter the current 6-digit code
  4. Access Granted: if the code is correct and has not expired, you are logged in
TOTP codes are valid for 30 seconds. If a code is rejected, wait for the next code to generate and try again. Ensure your device clock is accurate — TOTP codes depend on time synchronisation.
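The 30-second validity and clock-synchronisation points above follow directly from how TOTP (RFC 6238) is computed. The example below is added here to illustrate that; it is not Fentu FSM code. It assumes HMAC-SHA1, 6 digits, a 30-second step and a one-step skew tolerance on the server side, and uses a constructed demo secret:

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # each TOTP code covers one 30-second step, as stated above
DIGITS = 6         # 6-digit codes, as shown in the authenticator app
# Constructed demo secret (base32); not a real enrolment value.
DEMO_SECRET = "JBSWY3DPEHPK3PXP"


def totp_code(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret_b32: str, submitted: str, server_time: int,
                skew_steps: int = 1) -> bool:
    """Accept the code for the current step or up to skew_steps steps either side.

    A one-step tolerance absorbs a few seconds of drift between phone and
    server; a device clock that is minutes out still fails, which is the
    "Invalid code" symptom in the troubleshooting table.
    """
    for step in range(-skew_steps, skew_steps + 1):
        candidate = totp_code(secret_b32, server_time + step * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def clock_drift_demo(server_time: int = 1_700_000_000) -> dict:
    """Codes from a device whose clock is drifted, checked against server time."""
    outcomes = {}
    for label, drift in (("in sync", 0), ("30 s slow", -30), ("5 min slow", -300)):
        device_code = totp_code(DEMO_SECRET, server_time + drift)
        outcomes[label] = verify_totp(DEMO_SECRET, device_code, server_time)
    return outcomes
```

The demo shows a device 30 seconds behind still passing within the skew window, while one five minutes behind is rejected even though its code "looks" correct.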

Recovery Codes

Recovery codes are one-time-use backup codes generated when 2FA is first set up. Use them if you lose access to your authenticator device or email.

Using a Recovery Code

  1. On the 2FA prompt, click “Use a recovery code instead”
  2. Enter one of your saved recovery codes
  3. You are logged in — the used code is invalidated immediately
  4. After logging in, go to Profile > Security and re-enrol a new second factor or generate new recovery codes
Each recovery code can only be used once. If you run out of recovery codes and lose your second factor device, you will need an administrator to reset your 2FA. Store your recovery codes securely (password manager, printed copy in a safe).

Regenerating Recovery Codes

If you suspect your recovery codes are compromised:
  1. Go to Profile > Security
  2. Click “Regenerate Recovery Codes”
  3. Save the new codes — the previous set is immediately invalidated
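The recovery-code behaviour described in the two sections above (each code works exactly once, regenerating replaces the whole set, and an empty set leaves only an administrator reset) is shown in the added example below. It is an illustration, not Fentu FSM's implementation; the set size of 10 and the dash-separated code format are assumptions:

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10  # assumed set size; the page does not state how many codes are issued


class RecoveryCodeStore:
    """One-time recovery codes: each works once, regenerating invalidates the
    previous set, and an empty set means only an administrator reset remains."""

    def __init__(self, pepper: bytes):
        self._pepper = pepper  # server-side key so stored hashes cannot be brute-forced offline
        self._hashes: set[bytes] = set()

    def _digest(self, code: str) -> bytes:
        # Normalise so "ab12-cd34" and "AB12 CD34" match the same stored hash
        normalised = code.replace("-", "").replace(" ", "").lower()
        return hmac.new(self._pepper, normalised.encode(), hashlib.sha256).digest()

    def regenerate(self) -> list[str]:
        """Issue a fresh set; the previous set is invalidated immediately."""
        codes = [f"{secrets.token_hex(4)}-{secrets.token_hex(4)}" for _ in range(CODE_COUNT)]
        self._hashes = {self._digest(c) for c in codes}
        return codes  # shown to the user once; only the hashes are kept

    def redeem(self, code: str) -> bool:
        """Consume a code: True once for a valid unused code, False afterwards."""
        presented = self._digest(code)
        match = next((h for h in self._hashes if hmac.compare_digest(h, presented)), None)
        if match is None:
            return False
        self._hashes.discard(match)  # one-time use
        return True

    def remaining(self) -> int:
        """Codes left; at zero the user needs an administrator to reset 2FA."""
        return len(self._hashes)
```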

Resetting 2FA for a User (Admin)

If a user loses access to their second factor and does not have recovery codes, an administrator can reset their 2FA:
  1. Open User Management: go to Administration > Users
  2. Find the User: search for the user by name or email
  3. Open User Record: click the user to open their detail view
  4. Reset 2FA: click “Reset Two-Factor Authentication” and confirm
  5. Notify the User: inform the user that their 2FA has been reset. They will be prompted to set up a new second factor on their next login
Only administrators with the User Management permission can reset another user’s 2FA. All resets are recorded in the audit log.

2FA and SSO

When SSO is enabled, the identity provider handles the authentication flow — including any MFA requirements configured in the IdP. In this case:
Scenario | 2FA Handling
SSO only | MFA is managed entirely by your identity provider (Entra ID, Okta, etc.). Fentu FSM 2FA is bypassed
SSO + Fentu 2FA | Users complete IdP MFA, then are prompted for a Fentu 2FA code as well. Not recommended; configure MFA at the IdP level instead
Local login (no SSO) | Fentu FSM 2FA applies in full
If you use SSO, configure and enforce MFA at the identity provider level rather than in Fentu FSM. This ensures a consistent and centrally managed security policy.

Troubleshooting 2FA

Symptom | Likely Cause | Resolution
“Invalid code” on a correct-looking code | Device clock is out of sync | Sync your device time settings (Settings > Date & Time > Automatic)
Code rejected immediately after setup | QR code scanned incorrectly | Delete the entry from your authenticator app and re-scan
No email OTP received | Email in spam folder, or wrong email on account | Check spam; verify email address in Profile settings
Locked out, no recovery codes | Lost device and no codes saved | Contact your Fentu FSM administrator to reset 2FA
2FA prompt does not appear | 2FA not yet enforced or user exempt | Check Security settings; verify user is not in the exempt list
