Is second-factor authentication (2FA) required for external users?


I have a question regarding the following 21 CFR Part 11 requirement:
11.10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

We are a contract-based product development company, and we implemented Adobe Sign Part 11 Compliant into our QMS. For internal users, we are able to meet this requirement by creating accounts for users, through which users are verified and users are required to have a 2-part authentication such as user ID and password.

For external users, to satisfy that requirement we train internal users to ask external users to authenticate, such as with second-factor authentication methods, for higher-value transactions that demand more than simple email verification. This requirement is leading to non-compliance due to the nature of the business. Clients are not thrilled about getting a separate email with the authentication code, and clients are not willing to get set up as account users to have a 2-part authentication such as user ID and password. That paperwork is mostly proposals, which is driven by the QMS. Therefore, it is auditable.

Other than those two options, I am unclear on how to meet the requirement above for an external user. Does the authentication have to be a 2FA to meet that requirement for external users? If not, what are the options?