PBX MFA Module


Multi-factor Authentication (MFA) is an authentication method that requires the user to provide a verification factor to gain access to a PBX.

Why do we need MFA for PBX?

The main benefit of MFA is that it enhances your PBX security by requiring users to identify themselves with more than a username and password. While important, usernames and passwords are vulnerable to brute force attacks and can be stolen by third parties.

How does MFA work?

MFA strengthens access security by requiring 2 or more ways (also known as authentication factors) to verify user identity. It works by requiring additional verification information (factors) in addition to the username and password. These MFA factors are one-time passwords (OTP), which consist of 4-8 digit codes that the user receives via email, SMS or a mobile app. A new OTP code is generated each time an authentication request is submitted.

Features supported by PBX MFA Module

MFA/OTP via Email

Whenever users log in to the PBX, a new prompt requests a verification code, which is sent to the user's email address. Users can use this OTP to log in.

The verification code (OTP) will expire after 30 minutes.

The user gets 3 login attempts before the verification code expires.

Users can make a maximum of 3 requests to resend the OTP every 1 minute. If the user exceeds the maximum attempts, they can refresh the browser and try again.

The verification code expires immediately after a successful login.
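
The email OTP rules above (30-minute expiry, 3 login attempts, 3 resend requests per minute, single use) sketched as an added Python example. It is not code from the PBX MFA module; the class name, the 6-digit code length, the SHA-256 storage and the per-session attempt counter are assumptions.

```python
import hashlib
import hmac
import secrets

OTP_TTL = 30 * 60      # page: the code expires after 30 minutes
MAX_ATTEMPTS = 3       # page: 3 login attempts
MAX_RESENDS = 3        # page: at most 3 resend requests ...
RESEND_WINDOW = 60     # ... every 1 minute


def _digest(code):
    return hashlib.sha256(code.encode()).digest()


class EmailOtpSession:
    """One pending login. Times are seconds passed in by the caller."""

    def __init__(self, digits=6):          # assumption: 6 of the 4-8 digits
        self.digits = digits
        self.digest = None                 # hash of the live code, if any
        self.issued = 0.0
        self.attempts = 0                  # assumption: counted per session
        self.resends = []                  # timestamps of resend requests

    def issue(self, now):
        """Create a fresh code; the caller emails it, only the hash is kept."""
        code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self.digest, self.issued = _digest(code), now
        return code

    def resend(self, now):
        """Return a replacement code, or None when rate limited."""
        self.resends = [t for t in self.resends if now - t < RESEND_WINDOW]
        if len(self.resends) >= MAX_RESENDS:
            return None
        self.resends.append(now)
        return self.issue(now)             # the previous code stops working

    def verify(self, submitted, now):
        if self.digest is None or now - self.issued > OTP_TTL:
            return "expired"
        if self.attempts >= MAX_ATTEMPTS:
            return "locked"
        self.attempts += 1
        if hmac.compare_digest(_digest(submitted), self.digest):
            self.digest = None             # single use: dead after success
            return "ok"
        return "locked" if self.attempts >= MAX_ATTEMPTS else "invalid"
```

A "locked" or "expired" result corresponds to the point where the user refreshes the browser and starts a new login.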

MFA/OTP via Call

Whenever users log in to the PBX, a call is made to the user's extension. The user has to answer the call and press # to verify their identity.

The user can request the call again every 60 seconds and gets 3 login attempts. If the user exceeds the maximum attempts, they can refresh the browser and try again.

MFA/OTP via Authenticator App

Users will receive the authenticator app configuration email when they log in to the PBX for the first time (this email has a QR code and detailed steps to set up the authenticator app). We recommend that users use an authenticator app such as Microsoft Authenticator or Google Authenticator.

After setup, every time the user logs in, a new prompt requests an OTP code. The user has to enter the OTP code from the configured authenticator app (such as Google Authenticator or Microsoft Authenticator).

Authenticator apps generate time-based, one-time passcodes (TOTP or OTP), which are usually six digits that refresh every 30 seconds.

The authenticator app works without Internet and network coverage.

MFA via user choice authentication factor

Whenever users log in to the PBX, a new prompt is made requesting users to select their choice of authentication factors like

After selecting an authentication factor, the user can verify their identity.


Use Recovery/Backup Codes to login

Recovery codes (or backup codes) are a unique set of 10 codes, each 6 digits long, given to each user that can be used while logging in to the PBX.

If users can't get codes or an OTP by email, call, or any authenticator app due to connectivity or delivery issues, they can use 1 of their 6-digit backup codes to sign in to the PBX.

Once the user uses a backup code to sign in, that code becomes inactive.

Trusted Device 

A trusted device is another feature for users who are protected with MFA. It allows users to remember the device they log in to most frequently without the need to re-enter the verification code every time they log in to their account from PBX.

This option is available when the user logs in to the PBX. When the user selects this option, the user will not be prompted for an authentication code for the next 30 days.

This feature will not work when the user logs in from incognito mode.


For MFA settings only, please see the PBX MFA - Admin Guide

For login guide only, please see the 
