Stronger Logins with TOTP Two-Factor Authentication

David Kowalski··6 min read
Setting up two-factor authentication

Why a Password Alone Is No Longer Enough

Credential theft is one of the most reliable ways attackers gain entry to corporate systems. Phishing campaigns, data breaches from third-party services, and simple password reuse mean that a valid username and password combination is genuinely easy to obtain. Once an attacker has those two pieces of information, a traditional login screen offers no further resistance. Adding a second factor - one that changes every 30 seconds and lives only on a device the attacker does not control - closes that gap decisively.

empowsec supports two-factor authentication using time-based one-time passwords, or TOTP, the same open standard used by authenticator apps worldwide. When 2FA is enabled on an account, a successful login requires both the user's password and a six-digit code generated by their authenticator app at that moment. Even if an attacker has the password - from a phishing simulation that actually succeeded in the wild, from a breached database, or from a shoulder-surfing incident - they cannot get in without physical access to the user's device.

How TOTP Setup Works in empowsec

Enabling two-factor authentication is a self-service flow that takes less than two minutes. After navigating to the security settings for their account, a user is presented with a QR code. They open any standard authenticator app - Google Authenticator, Microsoft Authenticator, Authy, and similar tools all work because TOTP is an open standard - and scan the code. The app then displays a six-digit rotating code, which the user enters to confirm that pairing succeeded.

Once confirmed, empowsec marks the account as 2FA-protected and generates a set of recovery codes. These codes are single-use backup credentials that let the user regain access if they ever lose their phone or uninstall their authenticator app. Presenting any one recovery code during login bypasses the TOTP step for that single session, then marks that code as used. Users are strongly encouraged to store recovery codes in a password manager or print them and keep them somewhere secure, because they are shown only once.

app.empowsec.com / account / security
Two-Factor Authentication
Scan the QR code with your authenticator app, then enter the 6-digit code to confirm.
Step 1
Scan QR
Open your authenticator app
Step 2
Enter code
6-digit rotating code
Step 3
Save codes
Store recovery codes safely
StatusEnabled
Recovery codes remaining8 of 8
Mobile app supportYes
The 2FA setup flow in empowsec: scan, confirm, and store recovery codes.

Recovery Codes: Your Safety Net

Recovery codes deserve a dedicated mention because they are the mechanism that prevents 2FA from becoming a lockout risk. Without them, an employee who replaces their phone or clears their authenticator app would be permanently unable to log in without administrator intervention. empowsec generates these codes automatically during setup and displays them immediately after the TOTP pairing is confirmed. Each code is unique, one-time, and the full set should be treated with the same care as a master password.

For organizations running security awareness training, this is also a teaching moment. Administrators can point to recovery codes as a concrete example of a security control that requires users to make a decision - where to store a sensitive credential - and use that as the basis for a short discussion about credential hygiene. The behavior required to protect a recovery code is exactly the behavior empowsec training reinforces: think before you click, store sensitive material thoughtfully, and treat access credentials as if they are already compromised.

Two-Factor Authentication on the Mobile App

empowsec has a companion mobile app where employees complete training, review debriefs, and check their progress. 2FA applies there too. When a user signs in on the mobile app, they are prompted for their TOTP code in exactly the same way as on the web. This consistency matters because it reinforces the habit of multi-factor authentication across every surface the platform offers, not just the administrative console.

For security teams running phishing simulations, this is worth highlighting in awareness materials. When employees are accustomed to being challenged for a second factor every time they log in - whether on a browser or a phone - they develop a healthy expectation that legitimate services ask for that step. A service that never asks for a second factor, or that suddenly stops asking, becomes something to question rather than something to trust. Building that instinct is precisely what a security awareness program is designed to achieve.

Recovery Codes
Store these somewhere safe. Each code can only be used once.
AAPL-7KQ2-MN93Available
BRTX-4WE8-ZP61Available
CWDS-9FJ3-LR47Available
DQNX-2TH6-KM85Used
Recovery codes are single-use backup credentials displayed once during 2FA setup.

2FA as Part of a Layered Security Posture

Two-factor authentication does not operate in isolation. It is one layer in a security stack that also includes phishing simulation, security awareness training, risk scoring, and email reporting tools. An employee who has completed phishing awareness training understands why credential theft happens; 2FA on their empowsec account means that even if a real-world phishing attack captures their password, the attacker still cannot reach any sensitive data inside the platform.

From a compliance standpoint, many frameworks - including NIS2, ISO 27001, and various national data protection regulations - require or strongly recommend multi-factor authentication for access to systems that handle personal or sensitive data. Enabling TOTP on empowsec accounts is a straightforward way to meet that requirement for the platform itself. Security teams that need to demonstrate access controls to auditors can point to per-account 2FA enforcement as concrete evidence.

MSPs and resellers managing multiple client companies will also appreciate that 2FA settings apply per account. Each company's administrators and end users manage their own 2FA enrollment independently. This granularity means resellers can recommend 2FA to every client without needing to configure it centrally, while still being able to verify through audit logs and account settings whether protection is in place.

Key Takeaways

  • empowsec supports TOTP-based two-factor authentication compatible with any standard authenticator app.
  • Setup uses a QR code and takes under two minutes; recovery codes provide a safe backup path.
  • 2FA applies to both the web portal and the mobile app for consistent protection.
  • Requiring a second factor blocks account takeover even when a password is leaked or phished.
  • Enabling 2FA supports compliance requirements for multi-factor access controls under NIS2, ISO 27001, and similar frameworks.
Share: