Two-Factor Authentication rev 01

From Open-E Wiki

Two-Factor Authentication (2FA) adds an extra security layer to JovianDSS administrator accounts. When activated, the administrator must supply both a password and a 6-digit code from a smartphone authenticator app during login. This prevents unauthorized entry even if the password is compromised.

Note: 2FA is delivered as an optional Small Update (the oe_2fa module). This article describes revision 01. If your system was updated to a newer revision, refer to the matching Extension:Two-Factor_Authentication_rev_NN article.

Supported authentication method

JovianDSS implements TOTP (Time-based One-Time Password):

  • Compatible with Google Authenticator, Microsoft Authenticator, Authy, FreeOTP, and any other TOTP-compatible app.
  • Codes change every 30 seconds.
  • Works offline — the authenticator app does not need internet access.
  • SMS-based methods are intentionally not supported (TOTP is more secure).

Setting up 2FA

  1. Navigate to System Settings → Administration → Two-Factor Authentication.
  2. Click Enable Two-Factor Authentication.
  3. Review the displayed QR code and secret key.
  4. In your authenticator app, either scan the QR code or manually enter the secret.
  5. Enter the current 6-digit code from the app to verify the setup and click Verify and Enable.
  6. The system generates 10 backup codes. Save these codes immediately — they are shown only once.

Store backup codes securely (password manager or printed copy kept in a safe place).

Logging in with 2FA

  1. Enter the administrator password.
  2. When prompted — "Two-factor authentication is enabled. Please enter your authentication code." — enter the current 6-digit code from the authenticator app.
  3. Click Log in.

The system allows a small time tolerance (±30 seconds) to cope with minor clock drift.
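The TOTP scheme described above (6-digit codes, 30-second steps, offline generation) and the ±30-second tolerance on login can be shown end to end. The following Python is an added example written for this article, not JovianDSS's own code; it implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library only, and the tolerance is modelled as accepting the previous, current and next 30-second step. The secret in the demo is constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Parameters matching the article: 6-digit codes that change every 30 seconds.
DIGITS = 6
STEP_SECONDS = 30


def generate_secret(nbytes: int = 20) -> str:
    """Return a fresh base32 secret, i.e. the text shown next to the QR code.

    Added-example helper: 20 random bytes is the RFC 4226 recommended key size for SHA-1."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    clean = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(clean + "=" * (-len(clean) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte selects 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret_b32: str, at: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30). No network access needed."""
    return hotp(secret_b32, at // STEP_SECONDS)


def verify_totp(secret_b32: str, submitted: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current step and the `window` neighbouring steps on each side.

    window=1 gives the ±30 s tolerance the article mentions; the comparison is constant-time."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    current = at // STEP_SECONDS
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, current + delta), submitted):
            return True
    return False


if __name__ == "__main__":
    secret = generate_secret()                      # constructed demo secret
    now = int(time.time())
    code = totp(secret, now)
    print("secret:", secret, "code:", code)
    print("accepted now:", verify_totp(secret, code, now))
    print("accepted 30 s later:", verify_totp(secret, code, now + 30))
    print("accepted 60 s later:", verify_totp(secret, code, now + 60))
```

The `window` parameter is what a server tunes: a value of 1 absorbs one step of clock drift in either direction, while 0 would reject a code the instant the step rolls over. The test below uses the public RFC 6238 SHA-1 test vectors (secret `12345678901234567890` in base32), truncated to 6 digits.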

Using a backup code

If the authenticator app is unavailable, enter one of the saved backup codes in the authentication code field instead of a TOTP code. Each backup code works only once and is invalidated after use.

Managing 2FA

Checking status

Open System Settings → Administration → Two-Factor Authentication to see the current status and the number of remaining backup codes (for example: 7 / 10 backup codes available).

Regenerating backup codes

  1. Click Regenerate Backup Codes.
  2. Enter the current 6-digit authenticator code to confirm.
  3. A new set of 10 codes is generated. All previous codes (used and unused) are invalidated.
  4. Save the refreshed codes immediately.

Disabling 2FA

  1. Click Disable Two-Factor Authentication and confirm.
  2. 2FA is deactivated and the stored secret and backup codes are removed.
  3. Re-enabling requires complete reconfiguration (new QR code, new backup codes).
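The backup-code lifecycle covered in the sections above (each code valid once, a "7 / 10" remaining count, regeneration that invalidates every earlier code, and disabling that removes them all) is illustrated by the following Python. It is an added example written for this article and not JovianDSS's own implementation; the 10-hex-character code format and the SHA-256 hashing of stored codes are assumptions made here, the point being that only digests of the codes are kept after they are shown once.

```python
import hashlib
import hmac
import secrets

BACKUP_CODE_COUNT = 10  # the article's "10 backup codes"


class BackupCodeStore:
    """Holds only hashes of the backup codes; plaintext codes exist only in regenerate()'s return value."""

    def __init__(self):
        self._hashes = set()  # set of 32-byte SHA-256 digests of unused codes

    @staticmethod
    def _hash(code: str) -> bytes:
        # Normalise whitespace/case so a code typed from a printout still matches.
        return hashlib.sha256(code.strip().lower().encode("ascii", "ignore")).digest()

    def regenerate(self) -> list:
        """Issue a fresh set of codes; all previous codes, used or unused, stop working.

        Format (10 hex characters) is an assumption of this example."""
        codes = [secrets.token_hex(5) for _ in range(BACKUP_CODE_COUNT)]
        self._hashes = {self._hash(c) for c in codes}
        return codes  # show these once, then forget them

    def remaining(self) -> int:
        return len(self._hashes)

    def status(self) -> str:
        """Same shape as the status line in the article, e.g. '7 / 10 backup codes available'."""
        return f"{self.remaining()} / {BACKUP_CODE_COUNT} backup codes available"

    def consume(self, submitted: str) -> bool:
        """Accept a code exactly once: on a match the digest is removed so a replay fails."""
        target = self._hash(submitted)
        for digest in self._hashes:
            if hmac.compare_digest(digest, target):
                self._hashes.discard(digest)  # safe: we return before iterating further
                return True
        return False

    def clear(self) -> None:
        """Disabling 2FA removes the stored codes; re-enabling must regenerate them."""
        self._hashes.clear()


if __name__ == "__main__":
    store = BackupCodeStore()
    shown_once = store.regenerate()
    print("save these now:", shown_once)
    print(store.consume(shown_once[0]), store.status())   # True, 9 / 10
    print(store.consume(shown_once[0]), store.status())   # False, 9 / 10 (replay rejected)
```

Because only digests are stored, a copy of the configuration does not reveal the codes; the lookup walks the whole set with a constant-time compare so that timing does not leak which digest matched.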

Recovery

Lost or broken phone — backup codes available

  1. Log in using a backup code.
  2. Disable 2FA in System Settings.
  3. Set up 2FA again on the replacement device.

Lost phone and no backup codes

  1. Contact the system administrator.
  2. The administrator disables 2FA on the account.
  3. Log in with password only.
  4. Set up 2FA again on the replacement device.

Moving to a new phone

Most authenticator apps support transfer:

  • Google Authenticator — account transfer feature.
  • Microsoft Authenticator — optional cloud backup.
  • Authy — automatic sync across linked devices.

Alternatively: disable 2FA on the old device, then re-enable it and scan the QR code on the new device.

Best practices

  • Save backup codes immediately after setup — store them in a password manager or a secure physical location.
  • Keep the phone's time synchronized (usually automatic).
  • Do not share codes, secret keys, or backup codes with anyone.
  • Regenerate backup codes periodically and after several have been used.
  • Consider disabling 2FA before planned device transitions.