There are two places where Two-Factor Authentication (2FA) is enforced. In both places, Hydrogen uses the Google Authenticator 2FA app.
Hydrogen Admin Portal
This is the admin portal that you, as a business user of Hydrogen, receives after you signup on the site.
To retrieve your API keys on the Hydrogen portal, it is mandatory that you setup 2FA. You will not be able to use the API (which will restrict your access to the WebComponents, for example) without this extra layer of security. We use Google Authenticator for 2FA. You can download this app for free from the Google and Apple stores.
If you need to disable 2FA on the Hydrogen Admin Portal, please see our guide here to learn how.
Cards and PFM White Label Web Apps
In the Cards and PFM White Label Web Apps, your end users will also be required to setup 2FA to access their accounts. This is mandatory, per bank rules. This 2FA will add more security and peace of mind for your users, as this portal will grant access to balances, card controls, and card numbers. They will also be required to use the Google Authenticator app on their phone for the 2FA.
Note: you will not be able to add your own 2FA method (e.g. text or email) to the platform. We are under strict bank and network rules. You also cannot enforce 2FA for your users at the point of sale. If they are doing a debit transaction with a physical card present, or using their Apple, Google, or Samsung wallet, the user will already be required to authenticate themselves with a PIN, fingerprint, or face scan. You are not allowed to integrate an additional layer of authentication that may cause large rejection rates on transactions, per bank and card network rules. Instead, please have users go through the normal procedures for transaction disputes, if they suspect there has been fraud.