Why We Made 2FA Optional But Enforceable Per Tenant
Security that is too strict gets bypassed. Too loose and you are vulnerable. We chose a flexible middle path.
The Problem Context
Security and usability often clash. The more secure a system is, the more steps users have to go through. In the context of a busy cafe, every additional step is friction that slows down operations.
But on the other hand, business data is sensitive. Sales reports, cashier data, menu configurations — this is information that should not be accessible to just anyone.
The Decision We Made
We made 2FA (Two-Factor Authentication) via authenticator app an optional feature at the individual level. Every user can choose to enable it or not. But — and this is the important part — the owner or admin of a tenant can require 2FA for all users in their tenant.
This puts control in the right hands: business owners decide the security level they need, not us imposing one standard for everyone.
Why Not Mandatory for Everyone
If we required 2FA for all users from day one, there would be real risks:
- Users unfamiliar with authenticator apps could get stuck during onboarding and never use the product at all
- In emergencies — phone lost, authenticator reset — users could get locked out at the worst possible time
- For solo operators accessing everything from one device, 2FA overhead may not be proportional to the risk
Why Not Purely Optional
If we made 2FA purely optional with no enforcement mechanism, most people would never enable it. This is human nature — security is inconvenient and its benefits are not felt until a breach happens.
Per-tenant enforcement solves this: security-conscious business owners can ensure their entire team is protected, without depending on individual awareness.
Implementation Details
- 2FA uses TOTP (Time-based One-Time Password) — an industry standard supported by Google Authenticator, Authy, and similar apps
- Setup is a one-time process — scan a QR code, enter a confirmation code, done
- Recovery codes are provided during setup for emergency situations
- Trusted device feature allows skipping 2FA on verified devices — reducing friction for daily use
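
The decision and the implementation points above can be read as one login flow. The sketch below is an added example, not our production code: the names `Tenant`, `User`, `next_step`, `verify_second_factor` and `recovery_hash` are hypothetical, and it assumes that enforcement sends unenrolled users to setup, that trusted devices still skip the prompt under enforcement, and that recovery codes are stored as SHA-256 hashes.

```python
import hashlib, hmac, struct, time
from dataclasses import dataclass, field
from typing import Optional

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, as authenticator apps compute it."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def recovery_hash(code: str) -> str:
    # Assumption: recovery codes are long random strings, stored only as hashes.
    return hashlib.sha256(code.encode()).hexdigest()

@dataclass
class Tenant:
    require_2fa: bool = False                    # set by the tenant owner/admin

@dataclass
class User:
    totp_secret: Optional[bytes] = None          # None: user never enrolled
    trusted_devices: set = field(default_factory=set)   # random device tokens
    recovery_hashes: set = field(default_factory=set)   # unused codes, hashed

def next_step(tenant: Tenant, user: User, device_token: str) -> str:
    """Runs after the password check. Returns allow, enroll or challenge."""
    if user.totp_secret is None:
        # Assumption: enforcement sends unenrolled users to setup, not lockout.
        return "enroll" if tenant.require_2fa else "allow"
    if device_token in user.trusted_devices:
        return "allow"                           # verified device skips the prompt
    return "challenge"

def verify_second_factor(user: User, code: str, now: Optional[float] = None) -> bool:
    """Call only after next_step returned challenge (user has a TOTP secret)."""
    now = time.time() if now is None else now
    for drift in (-30, 0, 30):                   # tolerate one step of clock skew
        expected = totp(user.totp_secret, max(now + drift, 0))
        if hmac.compare_digest(expected.encode(), code.encode()):
            return True
    hashed = recovery_hash(code)
    if hashed in user.recovery_hashes:
        user.recovery_hashes.discard(hashed)     # recovery codes are single use
        return True
    return False
```

A real deployment would also rate-limit failed codes and reject reuse of an already accepted TOTP code within its time window.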
What We Learned
This decision taught us that effective security is not about forcing the highest standard on everyone — it is about giving the right tools and control to the right people so they can make the right decisions for their context.