The Web Manager uses a Timetime-based Oneone-time Password password (TOTP) to secure a user’s login.

TOTP uses the current time as a source of uniqueness and a secret key to generate a one-time password as described in RFC 6238.

There are numerous applications to generate a TOTP:

...

The secret key can be transferred to the TOTP generator app by hand or by scanning a QR code.

Underlying Concept

To establish TOTP authentication, the authenticatee and authenticator must pre-establish the following parameters:

...

Both the authenticator and the authenticatee compute the TOTP value, then the authenticator checks whether the TOTP value supplied by the authenticatee matches the locally generated TOTP value. Authenticators usually allow values that should have been generated before or after the current time in order to account for slight clock skews, network latency and user delays.

Enabling two factor authentication

Two factor authentication can be enforced for all users (except super administrators) via the Web Manager configuration:

...