Frequently Asked Questions about MFA

What is MFA and why do we need it?

MFA (Multi-Factor Authentication) is a security measure that requires more than just a username and password to log in. In addition to your password, you must also enter a one-time verification code from an authentication app. This ensures that your account remains secure even if someone discovers or steals your password.

What are the main benefits of MFA?

Significantly reduces the risk of user account compromise.
Protects corporate data and systems.
Prevents unauthorized access in the event of a password leak.
Is one of the most effective security measures used by organizations worldwide.

What is an OTP code and how does it work?

OTP (One-Time Password), also known as TOTP (Time-based One-Time Password), is a one-time code generated based on:

a secret key saved during registration,
the current time.

During the initial setup, a secret key is stored in the authentication app (usually by scanning a QR code). Every 30 seconds, the app uses this key and the current time to calculate a new six-digit code.

Key features:

the code is valid for only a short period of time and can be used only once,
only the server and your authentication app know the same secret key,
no internet connection is required to generate the code.

What is an authentication app?

An authentication app is a program that generates one-time OTP codes.

Common authentication apps include, for example:

Microsoft Authenticator
Google Authenticator

The app’s sole purpose is to generate verification codes for logging in.
More information about authentication apps, including download links, is available on a separate webpage.

Do I have to use an authentication app only on my smartphone?

No.
A smartphone is the most common option because people usually have it with them, but it’s not the only one.

OTP codes can also be generated:

in a desktop app on a computer,
in a specialized password manager that supports TOTP,
on certain hardware security devices.

Important notice

For security reasons, it is recommended that you keep your second factor separate from the device you use to log in. Therefore, if you use a desktop app on the same computer you use to log in, your security is slightly weaker than if you used a separate phone or hardware token.

I don’t want to use my personal phone. What are my options?

You can use the desktop authentication app on your computer.

Will the authentication app track my phone?

No.
Standardní autentizační aplikace slouží pouze ke generování ověřovacích kódů.

Typically:

it does not track your location,
it does not access your photos,
it does not access your messages,
it does not allow your employer to remotely control your phone,
it does not allow your employer to view the contents of your phone.

The app generates codes locally, directly on the device.

Does the authentication app send data from my phone?

The generation of OTP codes itself works without sending login credentials or the contents of your phone.
Some apps may communicate with their servers for purposes such as:

backing up accounts,
synchronizing across devices,
app updates.

However, this does not mean that the organization gains access to the contents of your phone. The extent of communication depends on the specific app and its settings.

Does the authentication app need access to the camera?

It often does during the initial setup. This is because it needs to scan a QR code that contains a secret key for setting up the account. Once registration is complete, most apps no longer need the camera. The secret key can usually be entered manually as a text string.

Does the authentication app require an internet connection?

No, not for generating OTP codes.
After the initial setup, the app can generate codes even:

without mobile data,
without Wi-Fi,
in airplane mode.

The device just needs to have the correct time set.

What, if I lose my phone?

Contact IT support as soon as possible.

It is usually possible to:

reset MFA,
set it up on a new device.

What, if I buy a new phone?

Before switching devices, you should:

install the authentication app on your new device
view your MFA key on the user account management portal
add the account to your new device by scanning the displayed QR code

Alternatively, transfer the authentication app to your new device, including the settings, following the manufacturer’s instructions.
If you no longer have your old phone, contact IT support.

Can I use a single authentication app for multiple accounts?

Yes.
Authentication apps typically support multiple independent accounts at the same time and can generate separate codes for different services.

Can I set up MFA on multiple devices?

Yes.
You can have the authentication app installed on both your phone and a backup device—such as another phone or a computer. This can make it easier to regain access if one device is lost or malfunctions.

Is OTP more secure than SMS codes?

Yes, generally speaking.

OTP codes:

are not dependent on a mobile carrier,
cannot be intercepted by SMS forwarding,
work even without a mobile signal.

That is why they are now considered a more secure option for multi-factor authentication.

What should I do if the app displays invalid codes?

Most common causes:

incorrect time settings on your device,
using an expired code,
typing the code incorrectly,,
incorrect account settings in the authentication app.

Check your device’s time (ideally, enable automatic time synchronization) and try a new code. If the problem persists, contact IT support.

Why isn’t a strong password enough?

Even a very strong password can be:

stolen in a data breach,
obtained through a phishing attack,
accidentally disclosed,
exploited by malware.

MFA adds an extra layer of security, so simply knowing the password isn’t enough for an attacker.

What happens when you set up MFA for the first time?

Typically:

log in to the system,
scan the QR code using the authentication appí,
the app will start generating OTP codes,
enter one code to verify that the setup is correct.

After that, whenever you log in where it is required, you will enter the current verification code in addition to your password.

Can my employer track my activity through the authentication app?

No.

Using the authentication app on its own:

does not provide access to the phone’s content,
does not provide access to call history,
does not provide access to photos,
does not provide access to personal apps,
does not allow tracking of the user’s location.

The authentication app is not a communication tool between the organization and the phone. It functions more like a calculator that generates one-time OTP codes based on a stored secret key and the current time.

Virtual tour

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
mdocs-f23d4887cc59eaf5d74998a5389151af	session	This cookie is associated with the site's document system and is used to store information needed to manage and display documents.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
pll_language	1 year	The pll _language cookie is used by Polylang to remember the language selected by the user when returning to the website, and also to get the language information when not available in another way.
qtrans_front_language	1 year	This cookie is set by qTranslate WordPress plugin. The cookie is used to manage the preferred language of the visitor.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_1HP1PTTJR4	2 years	The _ga_1HP1PTTJR4 cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat	1 minute	Google Universal Analytics sets this cookie to restrain request rate and thus limit data collection on high-traffic sites.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
sid	1 month	The sid cookie contains digitally signed and encrypted records of a user’s Google account ID and most recent sign-in time.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	13 months	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
MUID	13 months	This cookie is set by Microsoft to recognise unique web browsers that visit its websites. It is used for personalised advertising, web analytics and other operations.
NID	6 months	NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads.
test_cookie	15 minutes	The test_cookie is set by Google and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	6 months	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.