Skip to main content

Two-Factor Authentication (2FA)

TOTP-based 2FA using Google Authenticator.

Configuration

KeyDescription
ENFORCE_OTPMandate OTP for staff on sensitive operations

Staff Setup

  1. Admin navigates to Staff → Edit → Enable 2FA
  2. Staff scans QR code in their profile via Google Authenticator
  3. On login / sensitive operations, enter the 6-digit TOTP

Sensitive Operations Requiring OTP

  • Loan disbursement
  • Fixed asset disposal / liquidation / write-off / revaluation / impairment
  • Bulk operations
  • Prepayment amortization creation

Recovery

If a staff member loses their 2FA device, an admin can disable 2FA on their account from the Admin portal.