Two-Factor Authentication (2FA)

A security method requiring two different forms of identification to access an account.

Definition

Two-factor authentication (2FA) is a security method that requires users to provide two distinct forms of identification before accessing an account or resource. The first factor is typically something you know, such as a password or PIN. The second factor is something you have, like a code from a mobile authenticator app, an SMS message, or a hardware security key. By combining two independent verification steps, 2FA ensures that a compromised password alone is not enough to gain access. This principle extends beyond login screens — it can also protect access to shared documents and publications.

Why It Matters

Password breaches rank among the most frequent security incidents across all industries. Attackers obtain credentials through phishing campaigns, credential stuffing from leaked databases, or brute-force attacks. Once they have a password, an unprotected account is fully exposed. For publishers sharing confidential reports, client presentations, or internal training materials, a single compromised account could expose sensitive reader data, payment information, and proprietary content. 2FA blocks this attack path by requiring a second verification factor that the attacker does not possess, making unauthorized access significantly harder.

How It Works in FlipLink

FlipLink supports secure account access through Google and Microsoft sign-in options. By using these identity providers, users benefit from the 2FA protections already configured on their Google or Microsoft accounts — if you have 2FA enabled on your Google account, that same protection extends to your FlipLink login. For organizations managing sensitive publications through FlipLink's [team collaboration](/features/team-collaboration) features, this ensures every team member's access is protected by their identity provider's security policies without requiring FlipLink to manage a separate 2FA system. At the publication level, FlipLink offers [OTP verification](/glossary/otp) combined with [email allowlists](/glossary/email-allowlist), which functions as a two-factor gate: readers must be on the approved list (identity verification) and enter a one-time code sent to their email (possession verification).
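The publication-level gate described above, sketched as an added example; this is not FlipLink's code. The class name `PublicationGate`, the 10-minute lifetime and the five-attempt limit are assumptions chosen for illustration.

```python
import hmac
import secrets

CODE_TTL = 600      # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 5    # wrong guesses allowed per issued code (assumed value)


class PublicationGate:
    """Hypothetical reader gate: email allowlist check, then an emailed one-time code."""

    def __init__(self, allowlist):
        self.allowlist = {a.strip().lower() for a in allowlist}
        self.pending = {}  # email -> [code, expires_at, attempts_left]

    def request_code(self, email, now):
        email = email.strip().lower()
        if email not in self.allowlist:
            # Caller should show the same "check your inbox" message either
            # way, so the form does not reveal who is on the allowlist.
            return None
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random()
        self.pending[email] = [code, now + CODE_TTL, MAX_ATTEMPTS]
        return code  # handed to the mail sender, never returned to the browser

    def verify(self, email, code, now):
        email = email.strip().lower()
        entry = self.pending.get(email)
        if entry is None:
            return False
        expected, expires_at, attempts_left = entry
        if now > expires_at or attempts_left <= 0:
            del self.pending[email]  # expired or locked out: a new code is required
            return False
        if hmac.compare_digest(expected.encode(), code.encode()):
            del self.pending[email]  # single use
            return True
        entry[2] -= 1  # count the failed guess against this code
        return False
```

The attempt limit matters because a six-digit code has only one million values; without it the code could be guessed online within its lifetime.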

Security Considerations

Not all second factors provide the same level of protection. SMS-based codes are vulnerable to SIM-swapping attacks, where an attacker convinces a carrier to transfer a phone number to their device. Authenticator apps like Google Authenticator, Authy, or Microsoft Authenticator generate time-based codes locally on the device, making them resistant to remote interception. Hardware security keys (FIDO2/WebAuthn) offer the strongest protection because they require physical possession and are immune to phishing — the key verifies the legitimate domain before responding. When choosing a 2FA method for your team, prioritize authenticator apps as a baseline and hardware keys for high-value accounts.

Common Misconceptions

**"2FA makes accounts unhackable."** Two-factor authentication dramatically reduces risk but does not eliminate it entirely. Sophisticated attackers may use real-time phishing proxies that intercept both the password and the 2FA code simultaneously. Session hijacking after authentication is another vector. 2FA is a strong layer, not an impenetrable wall.

**"SMS verification is just as secure as an authenticator app."** SMS codes travel over the cellular network and can be intercepted through SIM swaps or SS7 protocol vulnerabilities. Authenticator apps generate codes on the device itself, never transmitting them over a network.

**"2FA is only for large enterprises."** Any account containing valuable content — whether a freelance designer's portfolio or a startup's pitch deck — benefits from 2FA. The effort to enable it is minimal compared to the cost of a breach.

Setup Checklist

1. **Enable 2FA on your identity provider** — Go to your Google or Microsoft account security settings and activate two-step verification
2. **Install an authenticator app** — Download Google Authenticator, Authy, or Microsoft Authenticator on your phone
3. **Save backup codes** — Store the recovery codes your identity provider generates in a secure location, separate from your password
4. **Sign in to FlipLink via SSO** — Use the Google or Microsoft sign-in option so your 2FA protection carries over
5. **Require SSO for your team** — If you manage a team on FlipLink's [team collaboration](/features/team-collaboration) plan, ensure all members sign in through an identity provider with 2FA enabled
6. **Protect publications with OTP** — For sensitive flipbooks, enable [OTP verification](/glossary/otp) with an [email allowlist](/glossary/email-allowlist) to add reader-level access control
7. **Review access periodically** — Remove former team members and expired email allowlist entries to maintain a clean access list
