What is 2FA, Why It Matters, and Best Practices for Secure Applications

March 15, 2026

Last year we wrote a more high-level article about 2FA that touched on both the codes themselves and the logic around them. You can review it here: How Often and Under What Conditions Should You Request 2FA.

This time, we will focus on the business and security logic behind 2FA — specifically when it should be triggered, what data should be stored to support it, and how to properly handle “remember me” and logout behavior in real-world applications.


What is 2FA?

Two-Factor Authentication (2FA) is a security process that requires users to verify their identity using two separate factors:

  • Something they know (password)
  • Something they have (phone, authenticator app, email access)

Even if a password is compromised, the second factor adds an additional layer of protection.

Example: If a user’s password is leaked in a data breach, 2FA can still block unauthorized access unless the attacker also has access to the second factor.


Common 2FA Methods: Pros and Cons

Email codes
  Pros: Easy to implement, no additional app required
  Cons: Only as strong as the mailbox; a compromised or phished email account defeats it

SMS codes
  Pros: Widely used, familiar to users
  Cons: Costs money (approx. $0.01–$0.05 per SMS), vulnerable to SIM swap attacks and to real-time phishing of the code

Authenticator apps (e.g. Google Authenticator, any TOTP app)
  Pros: Strong, works offline, no ongoing cost
  Cons: Requires user setup; recovery can be difficult if the phone is lost; the six-digit code can still be phished through a proxy site

Push notifications
  Pros: Best user experience, fast approval
  Cons: Requires mobile app development and maintenance; users may approve prompts they did not start (prompt fatigue), so show the login location and require number matching

Hardware keys (FIDO2/WebAuthn, e.g. YubiKey)
  Pros: Highest security level; phishing-resistant because the key is bound to the site origin
  Cons: Hardware cost ($20–$70 per key), not widely adopted by average users

In practice, many systems combine methods, for example authenticator apps as the primary option and SMS as a fallback. Keep in mind that an attacker can usually choose the fallback, so the weakest method a user has enabled sets the real security level of the account.


Why 2FA is Critical for CRM, CMS, and Business Applications

CRM and CMS systems often contain sensitive data such as:

  • Customer personal information
  • Order and payment details
  • Internal business data
  • Admin-level controls

Commonly cited industry figures show the impact:

  • Over 80% of hacking-related breaches involve brute force or stolen credentials (Verizon Data Breach Investigations Report)
  • 2FA blocks more than 99.9% of automated account attacks (Microsoft's figure for its own identity platform)
  • Credential stuffing tools can attempt thousands of logins per minute against a single site

Without 2FA, a single leaked password can expose an entire system.


When Should 2FA Be Triggered?

For ordinary accounts 2FA does not have to be demanded on every login; it should be triggered by risk signals so that a trusted device on a known network is not prompted day after day. High-privilege accounts such as administrators are the exception: step them up on every login. Typical triggers:

  • No valid trusted-device token is presented: first login on a new device, login after a manual logout (which revokes the token), or “Remember Me” not selected
  • Login from a new country, or from a network not seen before (treat a new IP alone as a weaker signal, since mobile and carrier-NAT users change addresses constantly)
  • After a password change (existing trusted-device tokens should be invalidated at that point)
  • After multiple failed login attempts on the account
  • When accessing sensitive sections (admin, billing), even on a trusted device

Example: A user logging in daily from the same office computer should not be prompted every time, but the same user logging in from another country should always trigger 2FA.
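The decision logic described above, as an added example in Python (this is not the article's code). The LoginContext fields, the sensitive section names and the threshold of five failed attempts are assumptions; the countries and IP addresses are constructed test data. The function returns the list of signals that fired, so the caller can log why 2FA was demanded, and it goes slightly beyond the list above by always stepping up high-privilege accounts.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

# Policy constants: assumptions chosen for this example, tune per system.
SENSITIVE_SECTIONS = {"admin", "billing"}
FAILED_ATTEMPT_THRESHOLD = 5


@dataclass
class LoginContext:
    """Risk signals available once the password has been verified.
    The caller supplies them; the store that tracks known countries,
    IP ranges and trusted-device tokens is out of scope here."""
    current_country: str
    current_ip: str
    requested_section: str
    trusted_device_token_valid: bool = False      # unexpired "Remember Me" token presented
    device_token_issued_at: Optional[datetime] = None
    password_changed_at: Optional[datetime] = None
    last_country: Optional[str] = None
    known_ip_prefixes: Set[str] = field(default_factory=set)   # CIDR strings seen before
    failed_attempts: int = 0                      # recent failures for this account
    high_privilege: bool = False                  # admin accounts: always step up


def needs_second_factor(ctx: LoginContext) -> List[str]:
    """Return the risk signals that fired. An empty list means the login
    may proceed on the password alone; anything else requires 2FA."""
    reasons: List[str] = []

    # No valid trusted-device token covers three of the article's triggers:
    # first login on a new device, login after a manual logout (which revokes
    # the token) and "Remember Me" not selected.
    if not ctx.trusted_device_token_valid:
        reasons.append("no_trusted_device")
    # A token issued before the most recent password change is stale even if
    # the revoke-on-password-change hook was missed.
    elif (ctx.password_changed_at is not None
          and ctx.device_token_issued_at is not None
          and ctx.password_changed_at > ctx.device_token_issued_at):
        reasons.append("token_predates_password_change")

    if ctx.last_country is not None and ctx.current_country != ctx.last_country:
        reasons.append("new_country")

    # IP alone is noisy (mobile carriers, CGNAT), so it is one signal among
    # several rather than a hard rule; here any unseen network counts.
    ip = ip_address(ctx.current_ip)
    if not any(ip in ip_network(prefix) for prefix in ctx.known_ip_prefixes):
        reasons.append("new_ip")

    if ctx.failed_attempts >= FAILED_ATTEMPT_THRESHOLD:
        reasons.append("failed_attempts")

    if ctx.requested_section in SENSITIVE_SECTIONS:
        reasons.append("sensitive_section")

    if ctx.high_privilege:
        reasons.append("high_privilege_account")

    return reasons


def example_decisions():
    """Constructed scenarios: the article's office user, the same user abroad,
    and the same trusted device opening the billing section."""
    now = datetime(2026, 3, 15, 9, 0, tzinfo=timezone.utc)
    base = dict(
        trusted_device_token_valid=True,
        device_token_issued_at=now - timedelta(days=3),
        password_changed_at=now - timedelta(days=90),
        last_country="DE",
        known_ip_prefixes={"203.0.113.0/24"},
    )
    office = LoginContext("DE", "203.0.113.42", "dashboard", **base)
    abroad = LoginContext("US", "198.51.100.7", "dashboard", **base)
    billing = LoginContext("DE", "203.0.113.42", "billing", **base)
    return {
        "office": needs_second_factor(office),
        "abroad": needs_second_factor(abroad),
        "billing": needs_second_factor(billing),
    }


if __name__ == "__main__":
    for name, reasons in example_decisions().items():
        print(f"{name:8s} -> {'2FA required: ' + ', '.join(reasons) if reasons else 'no 2FA'}")
```

Returning the reasons rather than a bare boolean is deliberate: the same list goes into the audit log and into the message shown to the user, and it lets you tune each signal separately when support tickets show a rule firing too often.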


What Should Be Stored in the Database?

To support secure 2FA and “remember me” functionality, the following data should be recorded:

  • User ID
  • Remember token, stored hashed (never the raw value); a public selector plus a hashed secret validator keeps lookup cheap without comparing against every row
  • Device information (user agent, or a hash of it)
  • Token issue and last-use timestamps, plus the last login timestamp
  • IP address or partial IP range (for risk scoring and audit)
  • Token expiration date
  • 2FA method (SMS, app, email) and the secret material behind it: TOTP seeds encrypted at rest, backup codes hashed like passwords
  • Failed attempt counters, for both password and 2FA code entry

Example: A system may store a 30-day token tied to a specific browser and invalidate it automatically after expiration.


Handling “Remember Me” Securely

“Remember Me” allows users to skip 2FA on trusted devices, but it must be implemented carefully.

Best Practices:
  • Use long, random tokens (at least 128 bits from a cryptographically secure generator) and store only their hashes; compare hashes in constant time
  • Set a fixed expiration (e.g., 30 days) rather than extending it on every use
  • Rotate the token after each use, so a copied cookie stops working and a stale copy presented later is a sign of theft
  • Bind tokens loosely to the device (user agent); do not bind to the exact IP, which changes too often
  • Invalidate tokens on password change, and deliver the cookie with the Secure, HttpOnly and SameSite attributes

Example: If a user selects “Remember Me” on their office computer, they should not need 2FA for 30 days, unless one of the triggers above fires first: a password change, a different browser, or the token expiring.


Logout Behavior

  • Manual logout should end the session and remove the remember token for that device, so the next login on it requires 2FA again
  • Session timeout (idle expiry) should end the session but NOT remove the remembered device; the user re-enters the password and is not prompted for 2FA
  • Both the user (“sign out everywhere”) and admins should be able to revoke all sessions and trusted devices for an account; this is the first response to a suspected compromise

This ensures convenience without sacrificing security.
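A trusted-device token store that implements the storage, “Remember Me” and logout rules from the three sections above, as an added Python example (not the article's own code). The selector/validator cookie layout, the fixed 30-day lifetime, the user-agent binding and the sample user agent string are assumptions chosen for illustration; the in-memory dicts stand in for database tables.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

TOKEN_LIFETIME = timedelta(days=30)   # the article's example lifetime; assumption


@dataclass
class TrustedDevice:
    """One row of a hypothetical trusted_devices table."""
    user_id: int
    validator_hash: str       # SHA-256 of the secret half; the raw value is never stored
    user_agent_hash: str      # loose device binding
    ip_prefix: str            # first three octets of the issuing IP, kept for risk scoring/audit
    issued_at: datetime
    expires_at: datetime
    two_factor_method: str    # which factor was satisfied: "totp", "sms", "email"


class TrustedDeviceStore:
    """In-memory stand-in for the database; replace the dicts with real tables."""

    def __init__(self) -> None:
        self.devices: Dict[str, TrustedDevice] = {}        # keyed by public selector
        self.password_changed_at: Dict[int, datetime] = {}

    @staticmethod
    def _digest(value: str) -> str:
        return hashlib.sha256(value.encode("utf-8")).hexdigest()

    def _store(self, rec: TrustedDevice) -> str:
        # Selector is the lookup key; validator is the secret and is only ever stored
        # hashed. Both are random, so the cookie value leaks nothing about the user.
        selector, validator = secrets.token_urlsafe(12), secrets.token_urlsafe(32)
        rec.validator_hash = self._digest(validator)
        self.devices[selector] = rec
        return f"{selector}:{validator}"   # set as a Secure, HttpOnly, SameSite cookie

    def issue(self, user_id: int, user_agent: str, ip: str, method: str, now: datetime) -> str:
        """Called once the second factor passed and "Remember Me" was ticked."""
        return self._store(TrustedDevice(user_id, "", self._digest(user_agent),
                                         ".".join(ip.split(".")[:3]), now,
                                         now + TOKEN_LIFETIME, method))

    def verify(self, cookie: str, user_agent: str, now: datetime) -> Optional[Tuple[int, str]]:
        """Return (user_id, rotated cookie) if the device is still trusted, else None.
        The presented token is consumed either way, so a failed check forces 2FA next time."""
        selector, _, validator = cookie.partition(":")
        rec = self.devices.get(selector)
        if rec is None:
            return None
        ok = (hmac.compare_digest(rec.validator_hash, self._digest(validator))
              and now < rec.expires_at
              and rec.user_agent_hash == self._digest(user_agent)
              and not self.password_changed_at.get(rec.user_id, rec.issued_at) > rec.issued_at)
        del self.devices[selector]
        if not ok:
            return None
        # Rotate: fresh selector/validator, original trust window kept (no sliding expiry).
        return rec.user_id, self._store(rec)

    def revoke(self, cookie: str) -> None:
        """Manual logout: forget this device. Session timeout must NOT call this."""
        self.devices.pop(cookie.partition(":")[0], None)

    def revoke_all(self, user_id: int) -> int:
        """Admin action or the user's "sign out everywhere"; returns rows removed."""
        doomed = [s for s, r in self.devices.items() if r.user_id == user_id]
        for s in doomed:
            del self.devices[s]
        return len(doomed)

    def password_changed(self, user_id: int, now: datetime) -> None:
        """Record the change and drop every trusted device that predates it."""
        self.password_changed_at[user_id] = now
        self.revoke_all(user_id)


UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"   # constructed sample user agent


def demo() -> Dict[str, bool]:
    """Walk the lifecycle on constructed data; every value should be True."""
    t0 = datetime(2026, 3, 15, 9, 0, tzinfo=timezone.utc)
    store, out = TrustedDeviceStore(), {}
    c1 = store.issue(42, UA, "203.0.113.42", "totp", t0)
    first = store.verify(c1, UA, t0 + timedelta(days=1))
    out["valid_token_accepted"] = first is not None and first[0] == 42
    out["stale_copy_rejected_after_rotation"] = store.verify(c1, UA, t0 + timedelta(days=1)) is None
    out["other_browser_rejected"] = store.verify(first[1], "curl/8.5", t0 + timedelta(days=2)) is None
    c2 = store.issue(42, UA, "203.0.113.42", "totp", t0)
    out["expired_rejected"] = store.verify(c2, UA, t0 + TOKEN_LIFETIME) is None
    c3 = store.issue(42, UA, "203.0.113.42", "totp", t0)
    store.password_changed(42, t0 + timedelta(days=5))
    out["revoked_by_password_change"] = store.verify(c3, UA, t0 + timedelta(days=6)) is None
    c4 = store.issue(42, UA, "203.0.113.42", "totp", t0 + timedelta(days=6))
    store.revoke(c4)                                      # manual logout
    out["revoked_by_logout"] = store.verify(c4, UA, t0 + timedelta(days=7)) is None
    out["garbage_rejected"] = store.verify("not-a-token", UA, t0) is None
    return out


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check:40s} {'ok' if passed else 'FAIL'}")
```

Two design choices worth noting. The validator is hashed with plain SHA-256 rather than a slow password hash because it is 256 random bits, so brute force against a leaked table is hopeless anyway; a slow hash would only add latency to every request. And `verify` consumes the presented token even on failure: a legitimate user who fails because of expiry or a new browser simply runs 2FA again, while an attacker holding a copied cookie burns it on the first try and the next use of the real browser reveals the theft.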


Frequently Asked Questions

Is SMS 2FA secure enough?

It is better than no 2FA, but SMS codes can be intercepted by SIM swap and phished in real time. Authenticator apps are more secure and recommended when possible; hardware keys (FIDO2/WebAuthn) are the only option that actually resists phishing.

How long should “Remember Me” last?

Typically 7–30 days depending on system sensitivity.

Should 2FA be required for every login?

No, not for ordinary users: trigger it on risk conditions to balance security and usability. High-privilege accounts and access to admin or billing sections should require it every time.

What happens if a user loses their phone?

Provide single-use backup codes (generated at enrollment, shown once, stored hashed) and an alternative recovery method whose identity check is at least as strong as the 2FA it replaces; a weak recovery flow becomes the easiest bypass.

Can 2FA be bypassed?

Yes, and the common routes do not need a bug in your code: phishing the one-time code through a proxy site, SIM swapping an SMS number, stealing the session cookie after 2FA has been passed, talking support into resetting the factor, or brute-forcing a six-digit code where entry is not rate limited. Proper token handling, rate limiting and lockout on code entry, a hardened recovery flow, monitoring of 2FA events, and phishing-resistant hardware keys for high-value accounts keep the residual risk small.


Final Thoughts

2FA is no longer optional for business systems. The key is not just enabling it, but implementing it intelligently — triggering it only when needed, storing the right data, and balancing security with user experience.