Skip to content
Help and manuals  >  Enterprise services  >  BlackBerry 2FA  >  BlackBerry UEM administration
Version: 2.5

About BlackBerry 2FA

BlackBerry 2FA protects access to your organization’s critical resources using two-factor authentication. The product uses a password that users enter and a secure prompt on their mobile device each time they attempt to access resources. BlackBerry 2FA also supports the use of standards-based one-time password (OTP) tokens.

You manage BlackBerry 2FA from the management console in BlackBerry UEM version 12.6 or BES12 version 12.5. The service can be used with or without installing a BlackBerry 2FA server in your network. You can also use BlackBerry 2FA on devices that aren't managed by BlackBerry UEM or BES12. BlackBerry 2FA supports iOS and Android devices that have only a BlackBerry Dynamics container, devices managed by third-party MDM systems, or unmanaged devices.

You can use BlackBerry 2FA to protect a wide variety of systems, including VPNs, RADIUS-compatible systems, custom applications using a REST API, and SAML-compliant cloud services when they are used in conjunction with BlackBerry Enterprise Identity.

Configuring BlackBerry 2FA for use with mobile devices is straightforward. The first authentication factor, the password, can be a user’s directory or container password. The second authentication factor, the device prompt, requires an app on the device that triggers a secure validation of the device. For iOS and Android devices, BlackBerry 2FA is included in the BlackBerry UEM Client app. They are either installed during activation, or you must have users install them. For managed BlackBerry 10 devices, you must deploy a separate BlackBerry 2FA app or have users install it.

Configuring BlackBerry 2FA for users without mobile devices is also straightforward. OTP tokens are registered in the BlackBerry UEM console and issued to users. The first authentication factor is the user's directory password, and the second authentication factor is a dynamic code that appears on the token's screen.

The BlackBerry 2FA server is an optional component that is deployed when the product is used in conjunction with RADIUS-based systems like most VPNs, or it is used with apps calling the product’s REST API. The BlackBerry 2FA server is not required in deployments that use only Enterprise Identity, but it can be deployed in cases where you want to use two-factor authentication for both cloud services and the other supported systems. For more information about the BlackBerry 2FA server, see the BlackBerry 2FA server installation and upgrade content and the BlackBerry 2FA server configuration content .