When a human logs into a website with 2FA, the human reads the generated TOTP code from the Google Authenticator app on his phone and enters it on the website he is trying to log in to.
I am designing a backend integration between two systems via a web API. I am not comfortable just letting the two systems hold on to the same encryption password. I want to involve something like 2FA in this process. Obviously there is no human involved in this process to read the code from the authenticator app. So what are the industry-standard/recommended approaches?
If a password is something the server knows, then a certificate might be something the server has.
Consider protecting your web-based API using TLS with mutual authentication, where the client (the other server is acting as a client here) is also authenticated via TLS. This way the password is only ever exchanged if both ends have first authenticated using their certificates.
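The setup the answer describes, as an added Go example (not code from the answer or from any project): backend A (the API server) and backend B (the calling server) each hold a certificate issued by a shared private CA, and the server is configured with RequireAndVerifyClientCert, so a peer with no certificate, or with one from a CA the server does not trust, is refused during the TLS handshake, before any application data such as a password is exchanged. The CA, backend and rogue-CA names (backend-ca, backend-a, backend-b, rogue-ca) are assumed for the demo, and all certificates are generated in process using only the standard library so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

func must(err error) { // fixture generation only: fail loudly
	if err != nil {
		panic(err)
	}
}

// issue creates a P-256 key and a certificate for cn; with parent == nil it is self-signed (a private CA).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, // SAN for the loopback address the test server binds
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// startServer runs "backend A": it presents srvCert and aborts any handshake whose
// client certificate does not chain to a CA in clientCAs, before any request is read.
func startServer(clientCAs *x509.CertPool, srvCert *x509.Certificate, srvKey *ecdsa.PrivateKey) *httptest.Server {
	ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Only reached after a verified handshake; the peer cert, not a shared password, is the caller's identity.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	ts.TLS = &tls.Config{
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    clientCAs,
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
	}
	ts.StartTLS()
	return ts
}

// call acts as "backend B": it verifies the server against roots and presents clientCert
// when one is given. It returns the body, or the error the handshake produced.
func call(ts *httptest.Server, roots *x509.CertPool, clientCert *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: roots}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(ts.URL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// RunDemo builds a private CA, a certificate per backend and a rogue CA, then exercises three clients.
func RunDemo() (trusted string, noCertErr, rogueErr error) {
	ca, caKey := issue("backend-ca", true, nil, nil)
	srvCert, srvKey := issue("backend-a", false, ca, caKey)
	cliCert, cliKey := issue("backend-b", false, ca, caKey)
	rogueCA, rogueCAKey := issue("rogue-ca", true, nil, nil)
	rogueCert, rogueKey := issue("backend-b", false, rogueCA, rogueCAKey) // same name, untrusted issuer
	trust := x509.NewCertPool() // both backends trust only the shared private CA
	trust.AddCert(ca)
	ts := startServer(trust, srvCert, srvKey)
	defer ts.Close()
	good := tls.Certificate{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}
	rogue := tls.Certificate{Certificate: [][]byte{rogueCert.Raw}, PrivateKey: rogueKey}
	trusted, _ = call(ts, trust, &good)
	_, noCertErr = call(ts, trust, nil)
	_, rogueErr = call(ts, trust, &rogue)
	return
}
```

The third client matters most: it presents a certificate with the same common name as backend B but issued by a CA the server was never told to trust, and the handshake still fails, because trust comes from the chain to ClientCAs, not from the name in the certificate. In a real deployment the CA certificate and each backend's key pair come from files or a secrets store rather than being generated in process, and the handler may rely on r.TLS.PeerCertificates only because ClientAuth is RequireAndVerifyClientCert.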