(5.2) Two-Factor Authentication (2FA) Service

The Two-Factor Authentication (2FA) service adds a native OTP-based verification step to EFCX user login. After signing in with their username and password, users must enter a one-time password (OTP) delivered via a configured communication channel.

2FA is a tenant-level capability. Once enabled, it applies consistently across all EFCX applications for that tenant.

Feature Summary

The OTP-based 2FA service strengthens security by:

  • Adding a second verification factor during login.

  • Reducing risks from compromised credentials, unauthorized access attempts, and shared or leaked passwords.

The service enforces a controlled OTP lifecycle, including generation, delivery, validation, expiry, regeneration, and invalidation.

Prerequisites

Before enabling 2FA, ensure the following:

  1. Channel Configuration (Prerequisite for Email Channel only)

    • If you are configuring Email as a 2FA method, make sure that the email channel is configured in Unified Admin. See the prerequisites here.

  2. Tenant Configuration

    • 2FA is enabled and fully configured via Tenant Settings API.

    • (Add steps for tenant settings here).

  3. User Reachability

Users must have access to the selected delivery channel. If no valid channel exists, 2FA configuration cannot be completed.

Supporting Documents

Roles Impacted

Once enabled, 2FA applies to all users logging into Unified Admin and Agent Manager for that tenant, including Administrators, Agents, Supervisors, Quality Managers, Evaluators, and Routing Managers.

There is no role-based or user-specific override. All users follow the same authentication flow.

Tenant-level enablement

  • 2FA is enabled and configured from Tenant Settings. See this guide to enable and configure.

  • Configuration applies globally across the platform for the tenant.

  • Changes take effect immediately for subsequent login attempts.

OTP delivery channels

The service supports OTP delivery through:

  • Authenticator Apps (Google Authenticator & Microsoft Authenticator)

  • RSA Authenticator

  • SMS

  • Email


  • Only one channel type can be active per tenant at a time.

  • Users cannot override the selected channel individually.

  • The selected channel is used consistently for all OTP delivery.

  • Channels must be pre-configured in Unified Admin before they can be selected for 2FA.

User registration and reuse

  • Users who have not previously registered for 2FA are prompted to register during login.

  • Email channel: The entered email is confirmed and stored with the user profile. On subsequent logins, OTPs are sent automatically to the stored address.

  • Authenticator Apps: Users scan a QR code during first-time setup and use the app for all subsequent logins.

  • SMS: Users confirm their phone number during registration.

The same email address or phone number should not be shared across multiple user accounts.

OTP Lifecycle Enforcement

The OTP service enforces the following controls:

Control                          Description
Time-bound expiry                OTPs are valid only for a configured duration.
Single-use validation            An OTP becomes invalid immediately after successful verification.
Regeneration support             Users can request a new OTP if delivery fails.
Cooldown enforcement             Regeneration is restricted until a cooldown period expires.
Invalidation on regeneration     Previously issued OTPs are invalidated when a new one is generated.
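The lifecycle controls in the table above, together with the attempt limit mentioned under the FAQs, as an added illustration in Python (not EFCX's own implementation). The TTL, cooldown and attempt-limit values are constructed for the example; in EFCX they come from Tenant Settings, and the store is in-memory only so that it runs stand-alone.

```python
import hmac
import secrets
import time

# Constructed parameters for the example; real values come from Tenant Settings.
OTP_TTL_SECONDS = 120          # time-bound expiry
REGEN_COOLDOWN_SECONDS = 30    # cooldown before a new OTP may be requested
MAX_ATTEMPTS = 5               # verification attempts allowed per OTP


class OtpStore:
    """Per-user OTP lifecycle: expiry, single use, cooldown, invalidation on regeneration.
    Reasons returned to the caller are deliberately generic ("invalid", "expired", "wait", "limit")."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so the flow can be tested deterministically
        self._records = {}      # user_id -> {"code", "issued_at", "attempts"}

    def issue(self, user_id):
        """Generate a new 6-digit OTP. Returns (code, None) or (None, "wait") during cooldown."""
        rec = self._records.get(user_id)
        if rec and self.now() - rec["issued_at"] < REGEN_COOLDOWN_SECONDS:
            return None, "wait"
        code = f"{secrets.randbelow(10**6):06d}"
        # Overwriting the record is what invalidates any previously issued OTP.
        self._records[user_id] = {"code": code, "issued_at": self.now(), "attempts": 0}
        return code, None

    def verify(self, user_id, submitted):
        """Check a submitted OTP. Returns (ok, reason); the OTP is consumed on success."""
        rec = self._records.get(user_id)
        if rec is None:
            return False, "invalid"
        if self.now() - rec["issued_at"] > OTP_TTL_SECONDS:
            del self._records[user_id]
            return False, "expired"
        if rec["attempts"] >= MAX_ATTEMPTS:
            del self._records[user_id]          # force regeneration after too many failures
            return False, "limit"
        rec["attempts"] += 1
        if hmac.compare_digest(rec["code"], submitted):   # constant-time comparison
            del self._records[user_id]          # single use: a verified OTP cannot be replayed
            return True, "ok"
        return False, "invalid"
```

The generic reason strings map directly onto the feedback cases listed under Consistent User Feedback (invalid, expired, regeneration wait time, exceeded limits).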

Consistent User Feedback

The login flow provides clear feedback for:

  • Invalid OTP

  • Expired OTP

  • Regeneration wait time

  • Verification failure due to exceeded limits

Error messages are intentionally generic to avoid exposing sensitive system details.

Limitations and Constraints

The following limitations apply to this release:

  • Only one OTP delivery channel can be active per tenant.

  • No fallback or secondary channel is supported.

  • For the Email channel, user-level brute-force tracking and lockout are not enforced by the OTP service itself. Admins should consider implementing rate-limiting at the gateway level.

  • The same email address should not be used for more than one user.

FAQs

Q1. My OTP is always shown as invalid. Why?

Possible causes:

  • The OTP has expired; request a new OTP and try again promptly.

  • You are entering an old OTP after a newer one was already generated.

  • For the email channel, your user account may share the same email with another account, and the other user triggered a newer OTP. Ask your admin to confirm that your account uses a unique email address.

Q2. I did not receive my OTP. What should I check?

  • For the SMS channel, check that your phone has network coverage so it can receive the OTP.

  • Confirm that the email stored in your profile is correct and accessible.

  • Check spam/junk folders for OTP emails.

  • If the problem persists, contact your system administrator.

Q3. Can I disable 2FA just for specific users or roles?

No. 2FA is enforced at the tenant level. Once enabled, it applies uniformly to all EFCX users under that tenant.

Q4. Can users choose a different OTP delivery channel (e.g., switch from authenticator apps to SMS)?

No. Only one delivery channel can be active per tenant; users cannot override the selected channel individually.

Q5. I get an error saying I exceeded the allowed attempts or must wait. What should I check?

  • The OTP service enforces a cooldown and attempt limits.

  • Wait for the configured cooldown period to pass, then request a new OTP.

  • If the issue continues, your admin should check the tenant 2FA configuration and logs.