🔐 Two-Factor Authentication (2FA)

ABRA Flexi offers two-factor authentication for user login, which significantly enhances the security of user accounts. The 2FA (Two-Factor Authentication) feature is based on the TOTP (Time-based One-Time Password) protocol.

📌 Two-factor authentication is available:

in the cloud / server version
in the local installation of ABRA Flexi

📱 Requirements for Using 2FA

To use this feature, you will need:

a mobile phone with a 2FA authentication app
or a browser plugin (extension)

All applications and tools that support the TOTP protocol are compatible, for example:

📲 Mobile apps

Google Authenticator (Android, iOS)
Authy (Android)
2FA Authenticator (Android, iOS)

🌐 Browser plugins

Authenticator – Google Chrome
Authenticator – Mozilla Firefox

⚙️ Activating Two-Factor Authentication

The first step of activating two-factor authentication must be completed in either:

the desktop application
or the web interface of ABRA Flexi

📍 Activation path

Desktop application: Tools > Two-Factor Authentication
Web interface: Settings > User Profile > Set Up Authentication

After opening the relevant option, an activation form with a QR code will appear, prompting you to enter the verification code.

📷 Working with the QR Code

The QR code (or the generated text code) must be:
- scanned in the mobile app, or
- manually entered into the browser plugin

⚠️ In the web interface, only QR code scanning is supported — manual code entry is not available.

After scanning the QR code, the mobile app automatically generates a verification code.

Example from 2FA Authenticator:

⏱️ Verification Codes and Time Synchronization

Verification codes are randomly generated
Each code is valid for 30 seconds, after which a new one is automatically generated

⏰ 2FA activation verifies the current time on the server:

if the time difference is greater than 30 seconds between the server and the code-generating device,
activation will fail

After entering the code in ABRA Flexi and clicking the Activate button, two-factor authentication is set up for the currently logged-in user.

🔑 Using 2FA at Login

Each time you log in to the application:

The user enters their standard login password
They are then prompted to enter the verification code from the 2FA app

📲 Open the authenticator app on your mobile device and enter the currently valid code.

After confirmation, you are successfully logged in to ABRA Flexi.

🌐 Web Interface

Two-factor authentication is also fully functional when logging in to the ABRA Flexi web interface.

When 2FA is active:

the verification code entry form appears automatically after entering your password
login cannot be completed without entering the correct code

🔓 Deactivating Two-Factor Authentication

Deactivation can be performed:

📍 By the user themselves

Desktop application: Tools > Two-Factor Authentication
Web interface: Settings > User Profile > Set Up Authentication

📍 By an administrator

Tools > Company Users
an administrator can disable 2FA for other users

🔑 Deactivation Code

When a user disables 2FA themselves:

they are prompted to enter a deactivation code
the code is again generated in the mobile app

After entering the code and confirming with the Deactivate button:

future logins will no longer require mobile phone verification

📵 Lost Mobile Phone / Token

In the event of an irreversible loss of the token (e.g., lost phone, deleted app):

you must contact an administrator to deactivate 2FA

📍 Steps for the administrator

Tools > Company Users > {user} > Disable Two-Factor Authentication

Upon re-activation, you will need to:

scan a new QR code from ABRA Flexi into the mobile app again

🛠️ Critical Situation – Locked Administrator Account

If the administrator account becomes locked and:

there is no other user in Flexi with equal or higher privileges,

a direct database intervention is required:

update csuzivatel set otpsecret = null, otpprefix = null where jmeno = '%LOGIN_UZIVATELE%';

📌 Database: centralServer 📌 Table: csuzivatel

🔌 2FA and API

Two-factor authentication management is also available via the ABRA Flexi API.

➡️ For more details, refer to the developer documentation.

❓ Frequently Asked Questions

Can multiple devices be used for a single account?
No, 2FA is always tied to one device / authenticator. If you change devices, you must re-activate 2FA.
Does 2FA affect application performance?
No, using 2FA has no impact on the performance of ABRA Flexi.
Is 2FA mandatory?
No, 2FA is an optional security feature, but it is strongly recommended.