Join the LadVen OS testing programRequest a demo
Skip to main content

Two-factor authentication (2FA)

Two-factor authentication (2FA, MFA) adds a second confirmation step to your password when signing in. Even if someone learns your password, they still cannot get into the account without the second factor. For a business, this is baseline protection for work data: tasks, clients, documents, and conversations.

In LadVen OS every employee can turn on 2FA themselves in their profile, while an administrator can set a policy for the whole company and for external participants (extranet).

How it works

When 2FA is enabled, signing in takes two steps:

  1. Login and password — as usual.
  2. A one-time code from the authenticator app on your phone.

The code changes every few dozen seconds, so it cannot be reused or intercepted for long. If your phone is unavailable, instead of the code you can enter one of the recovery codes you saved when enabling 2FA.

How to enable 2FA in your profile

Enabling it takes a couple of minutes. Install an authenticator app on your phone in advance: Google Authenticator, Microsoft Authenticator, Authy, or an equivalent.

  1. Open your profile and find the security section with the two-factor authentication block.
  2. Click to enable 2FA. To confirm your identity, the system will ask you to enter your current password.
  3. A QR code will appear. Open the authenticator app and scan it — the app will add an entry with your LadVen OS account and a changing code.
  4. Enter the current code from the app to confirm that it is set up correctly.
  5. The system will show your recovery codes. Save them right away — this is the only moment they are visible in full.

Once activated, 2FA becomes mandatory for signing in to your account.

If the QR code will not scan, the app usually lets you add the account manually using the text key shown next to the code.

Recovery codes

Recovery codes are one-time backup codes for when the authenticator app is unavailable: the phone is lost, dead, replaced, or reinstalled.

  • Save the codes in a safe place: a password manager, a secure note, a printout in a safe. Do not store them next to your password and do not send them in open chats.
  • Each code works once. After it is used, it no longer works.
  • When the codes run out or you suspect someone has seen them, generate a new set in your profile. The old codes stop working at that point.

Recovery codes are access to your account. Treat them like a password.

Trusted devices

So you do not have to enter a code every time you sign in from your personal work computer, you can mark the browser as trusted. On a trusted device, the second factor is not requested for some time.

  • Mark only personal work devices as trusted, not shared or someone else's computers.
  • If a device is lost or an outsider may have gained access to it, revoke the trust — the next sign-in will require the second factor again.
  • Trust is limited in time and stored in a specific browser: after you clear the browser data or the period expires, the code is requested again.

Signing in with a second factor

When 2FA is enabled, after login and password a field for the one-time code appears:

  1. Open the authenticator app and look at the current code for LadVen OS.
  2. Enter the code before it changes. If you miss it, wait for the new code and enter that one.
  3. If the app is unavailable, switch to entering a recovery code.

If the code does not work, check that the time on your phone is correct (authenticators depend on accurate time) and that you are entering the code for the LadVen OS account and not for another service.

How to disable 2FA

You can disable 2FA in the same profile section. The system will ask you to confirm your identity with your password and the second factor — this protects against someone else disabling it after getting to an unlocked screen.

Disable 2FA deliberately: the account will again be protected only by a password. If 2FA is mandatory under the company policy, you cannot disable it yourself — contact your administrator.

For administrators: company 2FA policy

The administrator sets who is required to use the second factor. The policy is configured separately for portal employees and for external extranet participants, with several levels:

LevelWhat it means
Disabled2FA is unavailable or not used.
OptionalEveryone turns on 2FA themselves; it is not mandatory.
Required for administratorsEmployees with administrative rights must use 2FA.
Required for everyoneAll employees (or all external participants) must enable 2FA.

Choose the level based on the sensitivity of the data and the maturity of the team. A practical rollout path: first "optional" with a request to enable it, then "required for administrators", then "required for everyone" once the team is used to the process and knows about recovery codes.

When a mandatory policy is in effect, an employee without 2FA configured will be required to complete the setup to keep working.

For administrators: resetting an employee's 2FA

If an employee loses access to their second factor (phone and recovery codes lost, left the company and handed over the account, a compromise), the administrator performs a forced 2FA reset in the employee list. This is a sensitive action, so it requires confirmation.

After the reset:

  • the employee's current 2FA setup is removed;
  • at the next sign-in they go through the setup again if a mandatory policy is in effect;
  • the previous recovery codes and trusted devices stop working.

Verify the employee's identity before the reset through an independent channel: a 2FA reset removes the account's protection, so it must not be used on an unverified request.

Good practices

  • Enable 2FA for everyone who has access to clients, documents, finances, or administrative settings.
  • Save the recovery codes right when you enable it and keep them separate from your password.
  • Do not mark shared or someone else's devices as trusted.
  • Introduce a mandatory policy in stages and warn the team about recovery codes in advance so people do not lose access.
  • Reset an employee's 2FA only after verifying their identity through a reliable channel.

Common mistakes

  • Enabled 2FA and did not save the recovery codes — if the phone is lost, access can be restored only through an administrator.
  • Storing recovery codes next to the password or in a shared chat — this cancels out the protection.
  • Marking a shared computer as trusted — the second factor stops protecting the sign-in.
  • Introducing a mandatory policy abruptly, without warning — part of the team loses access and floods the administrator with reset requests.
  • Wrong time on the phone — the authenticator codes do not work even though everything is set up correctly.