2-step verification (2SV) is an extra security step that takes place during the process for getting an OAuth 2.0 access token for user-restricted endpoints.
It occurs immediately after the user has signed in, and requires them to have their mobile or landline phone to hand.
First time through, the user must register for 2SV. The options are:
- mobile phone - 6-digit code via SMS
- landline - 6-digit code via voice message
- app - QR code displayed on-screen, to be scanned using a device running an authenticator app
Second and subsequent times through, the user must complete 2SV using their chosen method. Because 2SV is part of the API authorisation process, users do not need to complete it every time they use an API, only when their token expires (after 18 months) or if they are granting access to additional scopes.
The following diagram illustrates the user journey: