A. General Overview

With two-factor phone provisioning, NFON applies the latest security standard in authentication to one of its most important services. Phone provisioning is the part of the service responsible for device setup and configuration. It handles a lot of sensitive information, such as employees' names, call history and phonebook contacts, as well as everything required to make and receive phone calls. The security of this crucial part of NFON's service is therefore one of our highest priorities.

Standard provisioning process

With two-factor authentication in place, every new certified device added to the NFON platform is still provisioned as soon as it is connected to the internet. To fully set up the device and be able to make and receive phone calls, a special PIN, the so-called "Phone Authentication PIN" (PAP), is required. This is a 6-digit number that is unique per device ID (usually the MAC address) and can be found in the admin portal. The standard process for setting up new phones on the NFON service now requires 5 steps to complete:

Provisioning of new Devices

  1. Add a new device and note the PAP for that MAC address *
  2. Connect the device to the local network or restart the device if it was already connected
  3. Wait for the device until it shows "authentication needed" on its display
  4. Pick up the phone; on most devices you will be connected to the authentication service automatically. Otherwise, please dial *89 or any other number.
  5. When prompted, enter the PAP for this specific device, followed by the hash key (#)
  6. Wait for the device to be authenticated and become fully operational

 *A list of unauthenticated phones, including the MAC address and the PAP of each phone, can be exported as a CSV file.

The following devices support two-factor authentication:

 Vendor   Series
 Yealink  T19
          DECT (W60B, W70B, W80B, W90B)
          CP Series
 Patton   SN Series
 SPA 2102

Enabling faster deployments

For convenience and to speed up deployment, the authentication via PAP is not required in the following three scenarios:

  • For devices for which authentication has been manually suspended in the admin portal for 30 minutes
  • For devices in the network of the customer whose public IP address is on the whitelist. A successful provisioning (Yealink or Spectralink) automatically puts this IP on the whitelist for 8 hours. This period is automatically extended at each provisioning (every 4 to 6 hours).

In many, if not most rollouts of new phones, the PAP authentication will only be required once and sometimes not at all.
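
The two exemptions above can be modelled to see at which points in a rollout the PAP prompt will appear, and that the IP-based exemption applies to any device behind the same public IP. This is an added illustration, not NFON code: the class, method names, addresses and timeline are constructed, and it assumes each successful provisioning resets the whitelist entry to 8 hours from that moment.

```python
from datetime import datetime, timedelta

SUSPEND_WINDOW = timedelta(minutes=30)  # manual suspension in the admin portal
ALLOWLIST_WINDOW = timedelta(hours=8)   # granted by a successful provisioning


class PapPolicy:
    """Constructed model of the PAP exemptions; not NFON's implementation."""

    def __init__(self):
        self.suspended_at = {}      # device MAC -> time suspension was set
        self.ip_trusted_until = {}  # public IP -> whitelist expiry

    def suspend(self, mac, now):
        self.suspended_at[mac] = now

    def pap_required(self, mac, public_ip, now):
        started = self.suspended_at.get(mac)
        if started is not None and started <= now < started + SUSPEND_WINDOW:
            return False
        expiry = self.ip_trusted_until.get(public_ip)
        return expiry is None or now >= expiry

    def provision(self, mac, public_ip, now, pap_ok=False):
        """Return True if provisioning completes; success renews the IP entry."""
        if self.pap_required(mac, public_ip, now) and not pap_ok:
            return False
        # Assumption: every success resets the expiry to now + 8 hours.
        self.ip_trusted_until[public_ip] = now + ALLOWLIST_WINDOW
        return True


def rollout():
    """Replay a constructed timeline; return whether each step needed the PAP."""
    t0 = datetime(2024, 1, 8, 9, 0)
    office, remote = "203.0.113.10", "198.51.100.7"  # documentation addresses
    p, needed = PapPolicy(), {}
    needed["first phone"] = p.pap_required("00:00:5e:00:53:01", office, t0)
    p.provision("00:00:5e:00:53:01", office, t0, pap_ok=True)
    needed["second phone, +1h"] = p.pap_required("00:00:5e:00:53:02", office, t0 + timedelta(hours=1))
    p.provision("00:00:5e:00:53:01", office, t0 + timedelta(hours=5))  # periodic re-provisioning
    needed["new phone, +12h"] = p.pap_required("00:00:5e:00:53:03", office, t0 + timedelta(hours=12))
    needed["new phone, +14h"] = p.pap_required("00:00:5e:00:53:03", office, t0 + timedelta(hours=14))
    p.suspend("00:00:5e:00:53:04", t0)
    needed["remote, suspended, +10min"] = p.pap_required("00:00:5e:00:53:04", remote, t0 + timedelta(minutes=10))
    needed["remote, +31min"] = p.pap_required("00:00:5e:00:53:04", remote, t0 + timedelta(minutes=31))
    return needed
```

In this timeline only the first phone at the office and the remote phone after its suspension lapsed need the PAP; once re-provisioning stops, the office IP falls off the whitelist 8 hours after the last success.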