Two-factor authentication improves user identification by requiring, in addition to the username and password, a code from an external physical device.
This makes it practically impossible for certain user groups (e.g. system administrators) to use shared credentials.
(Using shared credentials would make it almost impossible to, e.g., monitor specific user actions from the audit logs later on.)
The admin enables 2-factor authentication for the specific user group.
When a user in the group tries to log in for the first time, the user is requested to use or install a 2-factor authentication client (e.g. Authy, Google Authenticator, MS Authenticator; available for free) on his/her mobile device.
The VMS and the authentication client are then synchronized.
This happens by transferring the "secret key" generated by the VMS to the authentication client, either via a QR code or by typing the key directly into the client.
After that, the authentication client automatically generates new one-time passwords.
(The passwords change periodically and stay in sync because the VMS clock and the authentication app have the same time.
Note that this does not require any direct data communication link between the VMS and the authentication app.)
The user provides the standard credentials (username, password) to the VMS.
The VMS requests an authentication code from the authentication app for each login.
The user provides the one-time password from the authentication app by typing it into the VMS client.
If the user forgets his/her 2-factor secret key, the administrator can then reset the key from the system manager.
After the 2-factor secret key reset, the user needs to update the secret key the next time he/she logs in (see step 2).
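
The enrollment and login steps above, as an added example that is not the VMS vendor's code. It assumes the VMS uses the standard TOTP scheme (RFC 6238 with HMAC-SHA1, a 30-second step and 6 digits) that Authy, Google Authenticator and MS Authenticator implement; the issuer "ExampleVMS", the user "admin1" and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP = 30    # seconds each code is valid (assumed: the authenticator apps' default)
DIGITS = 6   # code length (assumed default)


def new_secret() -> str:
    """Server side: generate the per-user "secret key" (160 random bits, Base32)."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def enrollment_uri(secret: str, user: str, issuer: str = "ExampleVMS") -> str:
    """Text carried by the enrollment QR code (otpauth Key URI format)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(user)}"
            f"?secret={secret}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP}")


def totp(secret: str, at: float) -> str:
    """Code for the time step containing `at` (RFC 6238 over RFC 4226 truncation)."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(base64.b32decode(secret), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: str, code: str, now: float, last_step: int = -1, drift: int = 1):
    """Server-side check: tolerate +/- `drift` steps of clock skew and refuse a
    step that was already accepted (replay). Returns the matched step or None."""
    current = int(now) // STEP
    for step in range(current - drift, current + drift + 1):
        expected = totp(secret, step * STEP).encode()
        if step > last_step and hmac.compare_digest(expected, code.encode()):
            return step
    return None


if __name__ == "__main__":
    secret = new_secret()                      # done once, at first login or after a reset
    print(enrollment_uri(secret, "admin1"))    # shown to the user as a QR code
    now = time.time()
    code = totp(secret, now)                   # what the phone displays, computed offline
    print(code, verify(secret, code, now))
```

With `drift=1` the server tolerates roughly 30 seconds of clock difference in either direction; a larger difference makes every code fail, which is why the VMS clock and the phone must agree on the time.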