About 
BlackBerry 2FA

BlackBerry 2FA
 protects access to your organization’s critical resources using two-factor authentication. The product uses a password that users enter and a secure prompt on their mobile device each time they attempt to access resources. 
BlackBerry 2FA
 also supports the use of standards-based One-Time Password (OTP) tokens.
You manage 
BlackBerry 2FA
 users from the 
BlackBerry UEM Cloud
 or 
BlackBerry UEM
 management console. You can also use 
BlackBerry 2FA
 on devices that aren't managed by 
BlackBerry UEM Cloud
 or 
BlackBerry UEM
BlackBerry 2FA
 supports 
iOS
 and 
Android
 devices that have only a 
BlackBerry Dynamics
 container, devices managed by third-party MDM systems, or unmanaged devices.
You can use 
BlackBerry 2FA
 to protect a wide variety of systems, including VPNs, RADIUS-compatible systems, custom applications using a REST API, and SAML-compliant cloud services when they are used in conjunction with 
BlackBerry Enterprise Identity
.
Configuring 
BlackBerry 2FA
 for use with mobile devices is straightforward. The first authentication factor, the password, can be a user’s directory or container password. The second authentication factor, the device prompt, requires an app on the device that triggers a secure validation of the device. For 
iOS
 and 
Android
 devices, 
BlackBerry 2FA
 is included in the 
BlackBerry UEM Client
. They are either installed during activation or you must have users install them. For managed 
BlackBerry 10
 devices, you must deploy a separate 
BlackBerry 2FA
 app or have users install it.
Configuring 
BlackBerry 2FA
 for users without mobile devices is also straightforward. Standards-based OTP tokens are registered in the 
BlackBerry UEM
 console and issued to users. The first authentication factor is the user's directory password, and the second authentication factor is a dynamic code that appears on the token's screen. For more information, see the Administration content for 
BlackBerry 2FA
.
The 
BlackBerry 2FA
 server is an optional component that is deployed when the product is used in conjunction with RADIUS-based systems like most VPNs, or it is used with apps calling the product’s REST API. The 
BlackBerry 2FA
 server is not required in deployments that use only 
Enterprise Identity
, but it can be deployed in cases where you want to use two-factor authentication for both cloud services and the other supported systems. For more information, see the 
BlackBerry 2FA
 server compatibility matrix content
BlackBerry 2FA
 server installation and upgrade content
, and the 
BlackBerry 2FA
 server configuration content
.
To use 
BlackBerry 2FA
, you must purchase user licenses for the Collaboration, Application, or Content Editions of 
BlackBerry Enterprise Mobility Suite
, or separate 
2FA
 user licenses. For the Collaboration Edition, 
BlackBerry 2FA
 can be used for authentication to 
BlackBerry
 Apps and 
Microsoft Office 365
 only. For more information about 
BlackBerry 2FA
, including how to purchase 
2FA
, see the information on blackberry.com