Two-Factor Authentication & OTP

Security is a critical concern for any system that handles employee personal data, salary information, and statutory records. Udyamo HRMS supports two additional layers of authentication beyond the standard email/password login: TOTP-based two-factor authentication (2FA) and OTP-based passwordless login. This chapter explains how to set up, use, and manage both features.


What You Will Learn

  • Why two-factor authentication matters for HR systems
  • How to enable TOTP-based 2FA on your account
  • How to use an authenticator app to generate codes
  • How to generate and safely store recovery codes
  • How to log in with 2FA enabled
  • How to disable 2FA
  • How OTP-based login works
  • How administrators manage 2FA policies for the organization
  • Security best practices

Prerequisites

Required: A smartphone or device capable of running an authenticator app (Google Authenticator, Microsoft Authenticator, Authy, or similar TOTP-compatible app).

Required: Access to your Udyamo HRMS account with a valid email and password.


Why Two-Factor Authentication Matters

Standard email/password authentication is vulnerable to several attack vectors:

Threat              | Description                                                 | How 2FA Helps
Password theft      | Passwords stolen via phishing, data breaches, or keyloggers | Even with the password, an attacker cannot log in without the second factor
Credential stuffing | Attackers try stolen credentials from other services        | The TOTP code changes every 30 seconds and is unique to Udyamo HRMS
Social engineering  | Attackers trick users into revealing passwords              | The authenticator app generates codes locally — they cannot be extracted remotely
Brute force         | Automated tools try thousands of password combinations      | Even if a password is guessed, the TOTP code provides an additional barrier

Warning: HR systems contain highly sensitive data — Aadhaar numbers, PAN details, bank account information, salary records, and personal addresses. A compromised account can lead to data theft, financial fraud, and regulatory penalties. Enabling 2FA is one of the most effective steps you can take to protect this data.


Setting Up TOTP-Based Two-Factor Authentication

TOTP (Time-based One-Time Password) generates a 6-digit code that changes every 30 seconds. The code is generated by an authenticator app on your device and verified by the Udyamo HRMS server. Both the app and the server share a secret key, ensuring that only your device can generate valid codes.
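The following is an added example, not code from Udyamo HRMS, showing what the paragraph above describes on both sides: the shared secret, the 30-second step, the 6-digit code (RFC 4226 HOTP driven by the RFC 6238 time counter), the otpauth:// URI that enrolment QR codes conventionally encode, and the server-side check. The verifier accepts one step either side of the current time, which is why the clock-synchronization tip later in this section matters, and it records the last accepted step so a code cannot be replayed inside that window. Function names and the window size are this example's own choices.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP_SECONDS = 30   # code period stated in the chapter
DIGITS = 6          # code length stated in the chapter


def new_secret() -> str:
    """Generate the shared secret, Base32-encoded the way authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(20)).decode().rstrip("=")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI an enrolment QR code conventionally encodes (understood by
    Google Authenticator, Microsoft Authenticator and Authy)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP_SECONDS}")


def decode_secret(secret_b32: str) -> bytes:
    """Turn the text key shown under the QR code back into raw bytes, tolerating
    lowercase, spacing and missing Base32 padding as typed by a user."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter set to the number of elapsed time steps.
    This is what the authenticator app computes from the shared secret."""
    return hotp(secret, at_time // step)


def verify_totp(secret: bytes, submitted: str, at_time: int, last_used_counter: int,
                window: int = 1) -> tuple[bool, int]:
    """Server-side check. Accepts the current step plus `window` steps either side, so a
    phone clock a few seconds off still works, but never a step at or before the last one
    accepted, so a code that was already used cannot be replayed within the window.
    Returns (accepted, counter_to_record)."""
    current = at_time // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    # Constructed enrolment: the server keeps `secret`, the phone gets the QR/text key.
    key = new_secret()
    print(provisioning_uri(key, "employee@example.com", "Udyamo HRMS"))
    secret = decode_secret(key)
    print("current code:", totp(secret, 1_700_000_000))
```

The `last_used_counter` value belongs with the user's 2FA record in the database; with a window of 1 and 30-second steps the server tolerates roughly 30 seconds of drift in either direction, which matches the "even a 30-second discrepancy can cause codes to be rejected" behaviour described in the setup tip.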

Step-by-Step: Enable 2FA

  1. Log in to Udyamo HRMS with your email and password.
  2. Click your profile icon or name in the top-right corner.
  3. Select Security Settings (or navigate to Profile > Security).
  4. In the Two-Factor Authentication section, click Enable 2FA.

[Screenshot: Security settings — Enable 2FA]

  5. The system displays a QR code and a text-based secret key.
  6. Open your authenticator app on your smartphone:

     App                     | Platform              | Download
     Google Authenticator    | Android, iOS          | Google Play Store / Apple App Store
     Microsoft Authenticator | Android, iOS          | Google Play Store / Apple App Store
     Authy                   | Android, iOS, Desktop | twilio.com/authy

  7. In the authenticator app, tap Add Account (or the + icon).
  8. Choose Scan QR Code and point your camera at the QR code displayed on screen.
    • If you cannot scan the QR code, choose Enter Manually and type the text-based secret key shown below the QR code.
  9. The authenticator app adds the Udyamo HRMS account and displays a 6-digit code.
  10. Enter the current 6-digit code in the Verification Code field on the Udyamo HRMS screen.
  11. Click Verify and Enable.

[Screenshot: QR code scanning and verification]

Tip: If the verification fails, check that your device's clock is synchronized. TOTP relies on accurate time — even a 30-second discrepancy can cause codes to be rejected. On Android, go to Settings > Date & Time > Use network-provided time. On iOS, go to Settings > General > Date & Time > Set Automatically.

  12. Upon successful verification, 2FA is now active on your account.

Recovery Codes

When you enable 2FA, the system generates a set of recovery codes. These are single-use backup codes that you can use to log in if you lose access to your authenticator app (e.g., if your phone is lost, stolen, or factory reset).

Generating Recovery Codes

Recovery codes are displayed immediately after enabling 2FA. They typically consist of 8-10 alphanumeric codes.

Example recovery codes:

a1b2c-3d4e5
f6g7h-8i9j0
k1l2m-3n4o5
p6q7r-8s9t0
u1v2w-3x4y5
z6a7b-8c9d0
e1f2g-3h4i5
j6k7l-8m9n0

Storing Recovery Codes Safely

Warning: Recovery codes are shown only once when you enable 2FA. If you lose them and also lose access to your authenticator app, you will be locked out of your account and will need to contact your administrator.

Recommended storage methods:

Method                  | Security Level | Notes
Password manager        | High           | Store in a secure password manager like 1Password, Bitwarden, or LastPass
Printed copy            | Medium         | Print and store in a locked drawer or safe
Encrypted file          | High           | Save in an encrypted document on your computer
Cloud note (encrypted)  | Medium         | Use an encrypted note in a secure cloud service

Do NOT:

  • Save recovery codes in plain text on your desktop
  • Store them in an unencrypted email or chat message
  • Share them with anyone
  • Take an unprotected screenshot

Logging In with 2FA

Once 2FA is enabled, your login flow adds one additional step.

Step-by-Step: Log In with 2FA

  1. Navigate to the Udyamo HRMS login page.
  2. Enter your Email and Password.
  3. Click Log In.
  4. The system verifies your credentials and prompts for a Two-Factor Code.

[Screenshot: 2FA code entry screen]

  5. Open your authenticator app.
  6. Find the Udyamo HRMS entry and note the current 6-digit code.
  7. Enter the code in the Two-Factor Code field.
  8. Click Verify.
  9. If the code is correct, you are logged in to the dashboard.

Tip: The TOTP code refreshes every 30 seconds. If the code is about to expire (shown by a countdown timer in most authenticator apps), wait for the next code to avoid entering an expiring code.

Using a Recovery Code

If you do not have access to your authenticator app:

  1. On the Two-Factor Code screen, click Use a Recovery Code (or similar link).
  2. Enter one of your recovery codes.
  3. Click Verify.
  4. You are logged in. The used recovery code is invalidated and cannot be reused.

Warning: Each recovery code can only be used once. After using a recovery code, immediately reconfigure your authenticator app and generate new recovery codes from Security Settings.


Disabling Two-Factor Authentication

You may need to disable 2FA temporarily (e.g., when switching phones) or permanently.

Step-by-Step: Disable 2FA

  1. Log in to Udyamo HRMS (using your authenticator app or a recovery code).
  2. Navigate to Profile > Security Settings.
  3. In the Two-Factor Authentication section, click Disable 2FA.
  4. Enter your current password to confirm the action.
  5. Click Confirm Disable.
  6. 2FA is now removed from your account. You will log in with only email and password going forward.

Warning: Disabling 2FA reduces your account security. Re-enable it as soon as possible after completing whatever task required disabling it (e.g., setting up a new phone).

Tip: When switching phones, you can usually transfer your authenticator app accounts using the app's built-in transfer feature (Google Authenticator has "Transfer Accounts," Authy syncs across devices). This avoids the need to disable and re-enable 2FA.


OTP-Based Login

Udyamo HRMS also supports One-Time Password (OTP) login as an alternative authentication method. Unlike TOTP-based 2FA (which supplements password login), OTP login replaces the password entirely — the user logs in using only their email/phone and a one-time code.

How OTP Login Differs from 2FA

Aspect            | TOTP 2FA                                                   | OTP Login
What it replaces  | Nothing — it adds a second factor on top of password       | Replaces the password entirely
Code delivery     | Generated by an authenticator app                          | Sent via email or SMS
Code validity     | Refreshes every 30 seconds                                 | Valid for 5-10 minutes
Requires setup    | Yes (QR code enrollment)                                   | No setup required — works with registered email/phone
Security model    | Something you know (password) + something you have (app)   | Something you have (email/phone access)

Step-by-Step: Log In with OTP

  1. Navigate to the Udyamo HRMS login page.
  2. Click Login with OTP.
  3. Enter your registered Email Address or Mobile Number.
  4. Click Send OTP.
  5. Check your email inbox or SMS for the one-time code.
  6. Enter the OTP in the verification field.
  7. Click Verify & Log In.

[Screenshot: OTP login flow]

Tip: OTP codes are typically valid for 5-10 minutes. If you do not receive the OTP, check your spam folder (for email) or wait a minute for SMS delivery. Click Resend OTP if needed.

Admin Configuration for OTP Login

OTP login is managed through the OtpController and must be enabled by an administrator:

  1. Navigate to Settings > Security.
  2. Locate the OTP Login section.
  3. Toggle Enable OTP Login to on.
  4. Configure the OTP delivery method:

     Setting              | Options
     Delivery Method      | Email only, SMS only, or Both
     OTP Validity         | Duration in minutes (default: 10 minutes)
     OTP Length           | Number of digits (default: 6)
     Max Resend Attempts  | Maximum number of OTP resends per session (default: 3)

  5. Click Save.

Warning: SMS-based OTP requires an SMS gateway configuration. Ensure your SMS provider is set up and has sufficient credits before enabling SMS OTP for the organization.
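An added example, not the OtpController itself, of the server-side logic behind the Send OTP / Resend OTP / Verify & Log In flow above, using the chapter's defaults (6 digits, 10-minute validity, 3 resends). Because a 6-digit code has only a million possibilities, the example also caps wrong guesses per session and keys the stored code with a server-held secret; the attempt limit, the status strings and the in-memory "outbox" standing in for the email/SMS gateway are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Defaults from the chapter's admin settings table.
OTP_LENGTH = 6
OTP_VALIDITY_SECONDS = 10 * 60
MAX_RESENDS = 3
# Assumption: the chapter mentions lockout after too many wrong attempts but gives no count.
MAX_VERIFY_ATTEMPTS = 5


@dataclass
class OtpSession:
    identifier: str        # registered email address or mobile number
    tag: bytes             # keyed hash of the code; the plaintext code is never stored
    expires_at: float
    resends: int = 0
    failed_attempts: int = 0


class OtpService:
    """Issue, deliver and verify email/SMS one-time passwords (constructed example)."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key          # lives in the app's secret store, not in the session table
        self._clock = clock             # injectable so expiry can be tested
        self._sessions: dict[str, OtpSession] = {}
        self.outbox: list[tuple[str, str]] = []   # stands in for the email/SMS gateway

    def _tag(self, identifier: str, code: str) -> bytes:
        # A plain hash of a 6-digit code is brute-forced in 10^6 tries from a leaked table;
        # keying it with a server secret removes that offline attack.
        return hmac.new(self._key, f"{identifier}:{code}".encode(), hashlib.sha256).digest()

    def _issue(self, identifier: str, resends: int) -> None:
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_LENGTH))
        self._sessions[identifier] = OtpSession(
            identifier, self._tag(identifier, code), self._clock() + OTP_VALIDITY_SECONDS, resends)
        self.outbox.append((identifier, code))   # real code: hand off to the mail/SMS provider

    def request_otp(self, identifier: str) -> str:
        """Send OTP: start a fresh session; any earlier code for this user stops working."""
        self._issue(identifier, resends=0)
        return "sent"

    def resend_otp(self, identifier: str) -> str:
        """Resend OTP: a new code replaces the old one, at most MAX_RESENDS times per session."""
        session = self._sessions.get(identifier)
        if session is None:
            return "no_session"
        if session.resends >= MAX_RESENDS:
            return "resend_limit"
        self._issue(identifier, resends=session.resends + 1)
        return "sent"

    def verify_otp(self, identifier: str, submitted: str) -> str:
        """Verify & Log In: single use, time-limited, and locked after repeated wrong guesses."""
        session = self._sessions.get(identifier)
        if session is None:
            return "no_session"
        if self._clock() > session.expires_at:
            del self._sessions[identifier]
            return "expired"
        if session.failed_attempts >= MAX_VERIFY_ATTEMPTS:
            return "locked"
        if hmac.compare_digest(self._tag(identifier, submitted.strip()), session.tag):
            del self._sessions[identifier]       # a code never verifies twice
            return "ok"
        session.failed_attempts += 1
        return "locked" if session.failed_attempts >= MAX_VERIFY_ATTEMPTS else "invalid"
```

Two points the flow hides from the user: the old code is invalidated the moment Resend OTP issues a new one, and the lockout only helps if Send OTP itself is also rate-limited per address, otherwise a guesser simply requests a fresh session to reset the counter.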


Admin: Managing 2FA for the Organization

Administrators can enforce or encourage 2FA adoption across the organization through the TwoFactorSettingsController.

Organization-Wide 2FA Settings

  1. Navigate to Settings > Security > Two-Factor Authentication.
  2. Configure the following settings:

     Setting              | Description                                          | Options
     2FA Policy           | Whether 2FA is optional, encouraged, or mandatory.   | Optional, Encouraged (with reminders), Mandatory
     Enforcement Scope    | Which roles must use 2FA if mandatory.               | All users, Administrators only, Admins + Managers
     Grace Period         | Days allowed after mandate before account lockout.   | 7, 14, 30 days
     Recovery Code Count  | Number of recovery codes generated per user.         | 8 (default), configurable

  3. Click Save.

Mandatory 2FA Enforcement

When 2FA is set to Mandatory:

  1. Users who have not enabled 2FA see a setup prompt after login.
  2. During the grace period, they can dismiss the prompt and use the system normally.
  3. After the grace period expires, users are redirected to the 2FA setup page and cannot access other features until 2FA is configured.

Tip: Before mandating 2FA, send an organization-wide announcement explaining the change, providing setup instructions, and giving employees time to install an authenticator app. See Chapter 42: Announcements & Notifications.

Admin: Resetting an Employee's 2FA

If an employee is locked out because they lost their authenticator device and recovery codes:

  1. Navigate to Employees > [Employee Name] > Security.
  2. Click Reset 2FA.
  3. Confirm the action.
  4. The employee's 2FA is disabled. They can log in with just their password and set up 2FA again.

Warning: Only administrators should reset 2FA. Verify the employee's identity through a secondary channel (in-person, phone call) before resetting to prevent social engineering attacks.


Security Best Practices

For Employees

  1. Enable 2FA on your account. Even if not mandatory, it significantly enhances security.
  2. Use a reputable authenticator app. Avoid unknown or unverified apps.
  3. Store recovery codes securely. Use a password manager or a locked physical location.
  4. Do not share TOTP codes. Codes are generated for your device only. Never share them over chat, email, or phone.
  5. Keep your authenticator app updated. Install updates promptly for security patches.

For Administrators

  1. Mandate 2FA for admin accounts. At minimum, all administrator and HR manager accounts should have 2FA enabled.
  2. Monitor 2FA adoption. Use the Active Users report or security dashboard to track how many users have enabled 2FA.
  3. Educate employees. Provide clear instructions and support for 2FA setup, especially for non-technical staff.
  4. Have a recovery process. Document the steps for employees who lose their authenticator device so they know how to regain access.
  5. Review OTP settings periodically. Ensure OTP validity periods and delivery methods are appropriate for your security posture.

Common Errors and Solutions

Problem                          | Cause                                          | Solution
TOTP code rejected               | Device clock out of sync                       | Sync your device time with the network (Settings > Date & Time > Automatic)
QR code does not scan            | Screen glare, low resolution, or camera issue  | Use the manual text key entry option instead
Recovery codes lost              | Not saved properly after 2FA setup             | Contact your administrator to reset 2FA
OTP not received (email)         | Email delivery delay or spam filter            | Check spam folder; wait 2-3 minutes; click Resend OTP
OTP not received (SMS)           | SMS gateway issue or incorrect phone number    | Verify phone number; contact admin if SMS gateway is misconfigured
Account locked after failed 2FA  | Too many incorrect TOTP/OTP attempts           | Wait for the lockout period (typically 30 minutes) or contact admin
Cannot disable 2FA               | Forgot password required for confirmation      | Use password reset flow first, then disable 2FA

Quick Reference

Action                  | Navigation                                        | Notes
Enable 2FA              | Profile > Security Settings > Enable 2FA          | Requires authenticator app
View recovery codes     | Profile > Security Settings > Recovery Codes      | Only shown once at setup; regenerate if needed
Disable 2FA             | Profile > Security Settings > Disable 2FA         | Requires password confirmation
Log in with OTP         | Login page > Login with OTP                       | Must be enabled by admin
Admin: Enforce 2FA      | Settings > Security > Two-Factor Authentication   | Can be optional, encouraged, or mandatory
Admin: Reset user 2FA   | Employees > [Name] > Security > Reset 2FA         | Verify identity before resetting

What Comes Next

With two-factor authentication and OTP login covered, the next chapter addresses Single Sign-On integration with Azure AD and Google. Proceed to Chapter 45: Single Sign-On — Azure AD & Google.