
Two-Factor Authentication: Technical Details

Updated June 2025

Technical details about the 2FA implementation used by BRANDED IAM, including TOTP standards, app compatibility, and recovery options.

BRANDED IAM uses TOTP (Time-based One-Time Password) for two-factor authentication, as defined by RFC 6238. This is the same standard used by Google, Microsoft, GitHub, and most enterprise authentication systems.

How TOTP Works

When you set up 2FA, your authenticator app and our server both receive a shared secret key (represented as a QR code during setup). Both parties independently compute a 6-digit code using the same algorithm applied to the current time. Because the computation is deterministic — the same time + the same secret always produces the same code — your code matches ours without any network communication between the app and server during login.

Compatible Authenticator Apps

  • Microsoft Authenticator (recommended)
  • Google Authenticator
  • Authy
  • 1Password (built-in TOTP support)
  • Bitwarden (built-in TOTP support in premium plans)
  • Any app supporting TOTP (RFC 6238)

Hardware Security Keys

For high-security environments, BRANDED IAM supports FIDO2/WebAuthn hardware security keys (YubiKey, Google Titan, etc.) as an alternative or supplement to TOTP. Contact your account manager to enable hardware key authentication for your account.

Session Validity

After successful 2FA login, your portal session is valid for 8 hours of activity. After 8 hours of inactivity, you'll be required to re-authenticate. Admins can adjust the session timeout duration for their organization in Account Settings → Security Policy.
