Trying to determine if our application login constitutes 2FA



  • Our organization uses a VoIP "push to talk" type app on Android and iOS devices. The application connects to a server on premises through the internet. To use the app, the user is assigned a UID, which can only be used on a single device. When a user logs in for the first time, the server logs the device ID (which I think is the CPU SN) and the user ID. After that, the user ID cannot be used on another device unless the sys admin releases the association between UID and device ID in the server.

    Our organisation's security is requiring 2FA. Would our current setup count as 2FA since security relies on a device in the user's possession, and granting of the user ID?


  • QA Engineer

    Assuming that the login process you describe includes a password along with the system-assigned UID:

    The authentication system itself cannot be considered a factor. It's like saying that because you "have" a user account on a system, then that's a factor. The app is part of the authentication system, so it can't be a factor. This question has actually been asked here a few times, so it is a common misunderstanding.

    You need an authentication process, not just an identification process. All you are doing is recognising the device and inferring the userID.

    If you need 2FA (and there may be some further questions and clarifications on this requirement), then you need to add a factor to your system (assuming you also have a password).


