Introducing Two‑Factor Authentication (2FA) in openHR
30 Dec 2025
A new layer of dignity, security, and stewardship for your payroll and HR data
At openHR, we design every feature with one goal: to protect the dignity of your business and your employees. Today, we’re proud to introduce Two‑Factor Authentication (2FA) - a simple, powerful way to secure your account using something you know (your password) and something you have (a one‑time code generated on your phone). And as always - this feature is included as standard in our Free tier along with many more unlimited features.
This upgrade strengthens your security without adding friction, and it works seamlessly offline with the most trusted authentication apps in the world:
- Google Authenticator
- Apple Passwords/iCloud Keychain
- Microsoft Authenticator
- Authy
- 1Password
- LastPass Authenticator
- FreeOTP
These apps are free, widely supported, and designed for long‑term reliability. openHR now integrates with all of them.
Why authenticator apps are safer than email, SMS, or WhatsApp codes
Most people are familiar with receiving login codes via email or SMS. It feels convenient - but convenience can hide risk. Authenticator apps solve several long‑standing weaknesses in email‑ and message‑based codes. Here’s a clear, non‑technical breakdown of why they’re the gold standard.
🔐 1. Your phone number is not an identity - but these apps are
Email and SMS codes depend on your phone number or inbox, both of which can be accessed or redirected without your knowledge. Examples include:
- SIM‑swaps
- Number porting fraud
- Email account compromises
- Weak or reused email passwords
- Insecure or outdated mail apps on old devices
In contrast, authenticator apps don’t rely on your phone number or your email address. They’re tied to your physical device, not a service provider who can be tricked or compromised. This removes an entire category of attacks.
📡 2. SMS and WhatsApp messages travel through networks you don’t control
When you receive a code via SMS or WhatsApp, it passes through:
- Mobile carriers
- Network routing systems
- Messaging servers
- Sometimes international gateways
Every hop is a potential point of interception, delay, or manipulation. Authenticator apps don’t send anything over the network. The code is generated on your device itself, even if you’re offline. No signal, no data, no roaming - still secure. This eliminates the risk of the code being intercepted in transit.
📨 3. Email inboxes are high‑value targets
Email is the skeleton key of the internet. If someone gets into your inbox, they can:
- Reset passwords
- Approve login attempts
- Read your OTP codes
- Access linked services
- Impersonate you
If your email is hosted by a domain or web‑hosting provider, staff at that provider often have administrative access to your inbox - meaning your login codes can be viewed or extracted without your knowledge.
Even well‑secured inboxes are exposed to phishing, malware, and credential reuse. Authenticator apps isolate your login codes from your email identity. Even if your inbox is compromised, your openHR account remains protected.
📱 4. Authenticator apps resist social engineering
Attackers can trick mobile carriers or support agents into:
- Reassigning your number
- Forwarding your SMS messages
- Porting your SIM
- Re‑activating your number on a new device
These attacks are surprisingly common because they exploit human error, not technology. Authenticator apps sidestep this entire class of attack. There is no carrier, no call centre, no “please verify your identity” script to exploit. The code lives on your device, under your control.
🛑 5. Messaging apps are not built for authentication
WhatsApp, Telegram, Signal, and SMS were built for communication - not secure login verification. They inherit all the risks of:
- Device sync
- Cloud backups
- Message previews
- Malware‑infected phones
- Stolen unlocked devices
- Notification snooping
Authenticator apps are purpose‑built for one thing: generating secure login codes. They don’t sync messages, store chat history, or expose codes in notifications.
🔒 6. Authenticator apps don’t depend on network availability
Email and SMS can fail when:
- You’re out of signal
- You’re travelling
- Your number is roaming
- Your inbox is rate‑limited
- Your provider is down
Authenticator apps work offline, instantly, anywhere in the world. This makes them not only safer, but more reliable.
🧩 7. They reduce the blast radius of a breach
If your email or phone number is compromised, attackers can reach every service linked to it. An authenticator app holds a separate secret for each service you enrol, so each service is isolated: a compromise of one system does not cascade into others. This is a fundamental security advantage.
What this means for openHR users with 2FA enabled:
- Your payroll and HR data gains a second shield
- Your account becomes resilient against phishing, SIM‑swaps, and inbox breaches
- Your audit trail remains trustworthy
- Your business gains enterprise‑grade security without enterprise‑grade complexity or enterprise-grade pricing
openHR’s mission has always been to make compliance and security accessible to every SME - not just those with big budgets. This 2FA rollout is another step in that stewardship.
How to get started
When you log in, openHR will guide you through a simple setup process:
- Install one of the recommended authenticator apps
- Navigate to User account > Profile > 2FA Setup (at the bottom below Change password)
- Scan the QR code
- Enter your first code to confirm
- You’re protected
It takes less than a minute.
*2FA disables the Remember Me feature permanently for your account
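To make the setup steps above concrete, here is an added example (not openHR’s code, and not how openHR’s server is necessarily written) of the time‑based one‑time password scheme (TOTP, RFC 6238) that all of the listed authenticator apps implement. The QR code carries an otpauth:// URI with a shared secret; after the scan, the app and the server each derive the current six‑digit code from that secret and the clock, which is why no code ever travels over the network and why the app works offline. The issuer name “openHR”, the 30‑second step, the six‑digit length, the `verify` function’s clock‑drift window and its `last_step` replay guard are assumptions made for this example; only Python’s standard library is used.

```python
"""
Added example (not openHR's own code): TOTP as used by authenticator apps.
Both sides hold the same secret after the QR-code scan; each derives the
current code locally from that secret and the clock, so nothing is sent
over the network and the app works offline.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple
from urllib.parse import quote

STEP = 30    # seconds per code (assumed; the common default in the listed apps)
DIGITS = 6   # code length shown in the app (assumed default)


def new_secret(nbytes: int = 20) -> bytes:
    """Random shared secret created by the server at enrolment time."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str = "openHR") -> str:
    """The otpauth:// URI encoded in the QR code; scanning it stores the secret in the app.
    The secret is Base32-encoded, which is the form the apps expect."""
    b32 = base64.b32encode(secret).decode("ascii")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP}")


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated
    to `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of elapsed time steps.
    This is what the phone app computes; it needs the secret and a clock, nothing else."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // STEP)


def verify(secret: bytes, code: str, at: int, last_step: int, window: int = 1) -> Tuple[bool, int]:
    """Server-side check of a submitted code (e.g. the 'enter your first code' step).

    Accepts the code for the current step or `window` steps either side, to tolerate
    small clock drift between phone and server. `last_step` is the step of the last
    code this account already used; a matching code is rejected if its step is not
    newer than that, so a code observed once cannot be replayed within its window.
    Returns (accepted, new_last_step); store new_last_step on success.
    """
    step = at // STEP
    for candidate in range(step - window, step + window + 1):
        if candidate <= last_step:
            continue                                           # already used or older: reject
        if hmac.compare_digest(hotp(secret, candidate), code):  # constant-time compare
            return True, candidate
    return False, last_step


if __name__ == "__main__":
    # Constructed enrolment walk-through: server creates a secret, shows the QR URI,
    # the "app" computes the current code, the server confirms it.
    s = new_secret()
    print(provisioning_uri(s, "alice@example.com"))           # constructed account name
    now = int(time.time())
    first_code = totp(s, now)                                  # what the phone would display
    ok, last = verify(s, first_code, now, last_step=0)
    print("first code accepted:", ok)
    print("same code again:", verify(s, first_code, now, last_step=last)[0])  # replay rejected
```

The `verify` function is the part worth copying: the drift window is what lets a code typed a few seconds late still work, and the `last_step` guard is what stops a code that was shoulder‑surfed or phished from being accepted a second time.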