Flexible solution for Multi-factor Authentication (MFA)


2Element - Multi-factor authentication (MFA)

  • Flexible solution for organizations and companies
  • It complements problematic passwords with other factors
  • MFA is mainly used for:
    • Privileged accounts (various administrator rights) – for all access types
      • VPN, server login, password administrator, …
    • User accounts – especially for Internet access to the organization (or to the cloud)
      • VPN, remote desktops (RDP), …
  • Czech and English language support (other languages can be added)
  • Solution for authentication – of employees, partners, customers
  • On-premise installation option (entirely at the customer's site only, no cloud)

Example of the VPN Client login (typical for Home Office)

Factors for authentication in general

  • Authentication factors are categorized into three groups:
    • Something you know (such as a password or PIN).
    • Something you have (such as a phone or a HW token).
    • Something you are (such as a fingerprint, facial scan or other biometric data).
  • MFA requires the user to authenticate using two or more authentication factors from different categories (e.g. "something you know" in combination with "something you have").
  • The modern method of Push notifications for smartphones with biometric authentication combines all three of these categories. Logging in with your name and password (something you know) is complemented by Push notifications on your mobile phone (something you have), which must be confirmed after biometric verification (something you are).

Supported factors of authentication

  • Mobile application 2Element
    • PUSH authentication
    • TOTP authentication
    • Support for iOS or Android
    • Support for Touch ID/Face ID
  • Hardware tokens
    • YubiKey for Windows, macOS and Linux
  • SMS messages
    • Support for SMS cloud services and SMS gateways

2Element product list

Integration of 2Element and Sofie


  • Detailed logging (audit log) of all processes in the whole solution.
  • Registration and authorization of mobile applications is secured by asymmetric cryptography.
  • On modern mobile phones, the private key is stored in dedicated secure storage and is protected biometrically.
  • The administrator defines the required security policies for the user.
  • Data transmissions are encrypted by default using SSL/TLS.
  • Export of logs using Syslog for external processing (SIEM support).
  • Login (SSO) integration with SAML or ADFS providers.
  • The application is tested by penetration tests according to the OWASP methodology.
  • Possibility to provide source code for audit.

Penetration tests

The security of the 2Element application is tested and verified through penetration testing performed by the NETHEMBA corporation.


Link to AD or ADFS

  • Link to Active Directory, including setting which trees or user groups to synchronize and how.
  • Concurrent support for both local groups and users, as well as those transferred from AD.
  • Possible operation even without link to AD. Local users can be created directly in the MFA server. Suitable for installations without AD or users who are not in AD.
  • Support of other LDAP compatible directories is also possible.
  • Integration into ADFS logins – this makes it easy to extend the entire ecosystem with MFA, supporting ADFS logins and also SAML as a chain-type response.

MFA integration options

  • Open API for integration into third party applications
  • Connection to ADFS and SAML (e.g. customer cloud services)
  • RADIUS support (e.g. for VPN)
  • SMS gateways
  • Password administrator – we can deliver turnkey solutions
  • SOFiE application to secure file exchange of any size and type

Typical services and applications for MFA

  • VPN access (Fortinet, Cisco, CheckPoint, …)
  • Administrator RDP access to MS servers
  • Remote desktops (RDP) for users, incl. Terminal Server access
  • Local user logins for the computer
  • ADFS (Active Directory Federation Services) integration
  • Cloud services (O365, …)
  • Customer's own application (Helpdesk, Intranet, …) using API
  • Gateways and solutions for partners and customers
  • Other integration protocols with RADIUS or LDAP
  • SOFiE secure file exchange



Installation of MFA servers at the customer

  • Installation on dedicated servers (RHEL, CentOS, Rocky Linux)
    • Installation in a virtualised environment is recommended - VMware, Hyper-V, KVM
  • Web interface for administrators available
  • Optimally divided into two sections:
    • In the DMZ – MFA WEB server: communicates with the Internet (Push notifications, etc.) and provides the API
    • In a VLAN – MFA Authentication PROXY server (Auth proxy): mediates communication with AD and RADIUS
  • A scalable solution for large installations that meets the required SLAs.
  • MFA servers can be installed in a cloud environment

Consultation and on-line presentation

  • Professional consultation for customers and partners
  • An explanation of all concepts such as FIDO2, WebAuthn, U2F, TOTP, ...
  • Demonstration of MFA solutions using Teams or other conference platforms
  • During the conference, we help analyse how MFA can be applied for the customer

Trial version and PoC installation

  • TRIAL licences for internal testing and PoC (Proof of Concept) installation
  • The MFA server can be installed under our hosting.
  • Installation into the customer’s infrastructure.
  • Within PoC, professional consultation for further integrations.

Customer solution

  • For larger implementations, we offer a solution that is popular today, for example in banks, under names such as KB key, RB key, …
  • This means delivering a customized mobile application to the customer that can be used for all MFA accesses.
  • Appropriate consolidation of all applications that should use MFA authentication.
  • “White label” customization
    • for server (own name and design)
    • for mobile applications (own name, design and fixed connection with the customer's server)

MFA and security recommendations

Multi-Factor Authentication is subject to legislative regulations and recommendations from cybersecurity authorities.

Business Partners

EruCom GC System Pragodata J3AG Dator 3 O2 NTT Actinet Asciinet system boost

Supported platforms

Fortinet, Cisco, Checkpoint
Hardware tokens

Contact and request for Price offer / Trial version
