Enabling Multi-Factor Authentication (MFA)
Enhance your application's security by enabling Multi-Factor Authentication for your users.
Overview
Multi-Factor Authentication adds an extra layer of security by requiring users to provide additional verification beyond their password. Authsec supports multiple MFA methods to accommodate different user preferences and security requirements.
Supported MFA Methods
1. Time-Based One-Time Password (TOTP)
TOTP is the most common MFA method: the user enters a short-lived code generated by an authenticator app from a shared secret.
Supported Apps
- Google Authenticator
- Microsoft Authenticator
- Authy
- 1Password
- LastPass Authenticator
Implementation
```javascript
// Enable TOTP for a user
const totpSetup = await authsec.mfa.setupTOTP({
  userId: 'user-123'
});

// totpSetup contains:
// - qrCode: QR code for app scanning
// - secret: Manual entry secret
// - backupCodes: Recovery codes

// Verify TOTP setup (only treat TOTP as enrolled once this succeeds)
const verified = await authsec.mfa.verifyTOTP({
  userId: 'user-123',
  token: '123456' // Code from authenticator app
});
```
2. Biometric Authentication
Leverage device biometrics for seamless security.
Supported Biometrics
- Fingerprint (TouchID, fingerprint sensors)
- Face recognition (FaceID, Windows Hello)
- Voice recognition
- Iris scanning (where supported)
Implementation
```javascript
// Check biometric availability
const biometricSupport = await authsec.mfa.checkBiometricSupport();

// Enable biometric MFA
if (biometricSupport.available) {
  const biometricSetup = await authsec.mfa.setupBiometric({
    userId: 'user-123',
    biometricType: biometricSupport.types[0] // Use first available type
  });
}

// Authenticate with biometrics
const biometricAuth = await authsec.mfa.authenticateBiometric({
  userId: 'user-123'
});
```
3. SMS/Email Verification
Traditional verification methods for broader compatibility.
SMS Verification
```javascript
// Send SMS code
await authsec.mfa.sendSMSCode({
  userId: 'user-123',
  phoneNumber: '+1-555-0123'
});

// Verify SMS code
const smsVerified = await authsec.mfa.verifySMSCode({
  userId: 'user-123',
  code: '123456'
});
```
Email Verification
```javascript
// Send email code
await authsec.mfa.sendEmailCode({
  userId: 'user-123',
  email: 'user@example.com'
});

// Verify email code
const emailVerified = await authsec.mfa.verifyEmailCode({
  userId: 'user-123',
  code: '123456'
});
```
MFA Configuration
Global MFA Settings
Configure MFA requirements in your Authsec dashboard:
Enforcement Policies
- Required for All Users: Mandate MFA for everyone
- Required for Admins: Enforce MFA for administrative accounts
- Optional: Allow users to choose whether to enable MFA
- Risk-Based: Require MFA based on risk factors
Grace Period Settings
- Enrollment Period: Time users have to set up MFA after it's required
- Backup Options: Alternative authentication methods during setup
- Emergency Access: Procedures for account recovery
Per-Application Settings
Different applications may have different MFA requirements:
```javascript
// Configure MFA for a specific application
const mfaConfig = {
  applicationId: 'app-123',
  settings: {
    required: true,
    allowedMethods: ['totp', 'biometric', 'sms'],
    gracePeriodDays: 7,
    rememberDevice: true,
    rememberDeviceDays: 30
  }
};

await authsec.mfa.configureApplication(mfaConfig);
```
User MFA Management
Enrollment Flow
- Detection: Check if user has MFA enabled
- Method Selection: Let user choose preferred MFA method
- Setup: Guide user through setup process
- Verification: Confirm MFA is working correctly
- Backup Codes: Provide recovery codes
```javascript
// Complete MFA enrollment flow.
// showMFAMethodSelector, displaySetupInstructions, promptForVerification and
// displayBackupCodes are the application's own UI helpers.
async function enrollUserMFA(userId) {
  // Check current MFA status
  const mfaStatus = await authsec.mfa.getStatus({ userId });

  if (!mfaStatus.enabled) {
    // Show MFA method selection
    const selectedMethod = await showMFAMethodSelector();

    // Set up the chosen method
    const setup = await authsec.mfa.setup({
      userId,
      method: selectedMethod
    });

    // Display setup instructions (QR code, etc.)
    await displaySetupInstructions(setup);

    // Verify setup
    const verification = await promptForVerification();
    const verified = await authsec.mfa.verifySetup({
      userId,
      token: verification.token
    });

    if (verified.success) {
      // Show backup codes
      await displayBackupCodes(verified.backupCodes);
    }
  }
}
```
Recovery Methods
Backup Codes
```javascript
// Generate backup codes
const backupCodes = await authsec.mfa.generateBackupCodes({
  userId: 'user-123'
});

// Use a backup code for authentication
const backupAuth = await authsec.mfa.authenticateWithBackupCode({
  userId: 'user-123',
  backupCode: 'abc123def456'
});
```
Administrator Reset
```javascript
// Admin can reset a user's MFA (requires admin privileges)
await authsec.mfa.adminReset({
  userId: 'user-123',
  adminId: 'admin-456',
  reason: 'User lost access to authenticator device'
});
```
Best Practices
Security Best Practices
- Multiple Methods: Support multiple MFA methods for fallback
- Backup Codes: Always provide backup recovery codes
- Device Trust: Implement device remembering for trusted devices
- Rate Limiting: Prevent brute force attacks on MFA codes
- Audit Logging: Log all MFA events for security monitoring
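The rate-limiting and audit-logging points above are the two that most often get lost between the SDK call and the login handler. The following added Node.js example (not Authsec code; MfaAttemptGuard, its defaults and its event names are this example's own assumptions) wraps any code verifier, whether TOTP, SMS, email or backup code, in a per-user sliding window of failures with a temporary lockout, and records an audit event for every outcome. The guard never sees the submitted code, only whether the verifier accepted it, so nothing secret can reach the log.

```javascript
// Added example: throttling MFA code submissions and recording audit events.
// Not Authsec code; MfaAttemptGuard and its event names are this example's own.
// Defaults (5 failures per 15 minutes, 15-minute lockout) are assumptions, not policy.
class MfaAttemptGuard {
  constructor({ maxFailures = 5, windowSec = 900, lockoutSec = 900 } = {}) {
    this.maxFailures = maxFailures; // failures tolerated inside one window
    this.windowSec = windowSec;     // sliding window for counting failures
    this.lockoutSec = lockoutSec;   // how long attempts are refused after the limit is hit
    this.state = new Map();         // userId -> { failures: [unix seconds], lockedUntil }
    this.auditLog = [];             // { ts, userId, event, ... } records for the SIEM
  }

  _audit(event, userId, ts, extra = {}) {
    this.auditLog.push({ ts, userId, event, ...extra });
  }

  // verifyFn() returns true/false and is only called when the user is not locked out,
  // so a correct code submitted during a lockout is still refused.
  attempt(userId, verifyFn, nowSec) {
    const s = this.state.get(userId) || { failures: [], lockedUntil: 0 };

    if (nowSec < s.lockedUntil) {
      this._audit('mfa.attempt_during_lockout', userId, nowSec);
      return { allowed: false, verified: false, retryAfterSec: s.lockedUntil - nowSec };
    }

    // Drop failures that have aged out of the window.
    s.failures = s.failures.filter((t) => nowSec - t < this.windowSec);

    if (verifyFn()) {
      this.state.delete(userId); // success clears the failure history
      this._audit('mfa.success', userId, nowSec);
      return { allowed: true, verified: true, retryAfterSec: 0 };
    }

    s.failures.push(nowSec);
    let retryAfterSec = 0;
    if (s.failures.length >= this.maxFailures) {
      s.lockedUntil = nowSec + this.lockoutSec;
      s.failures = [];
      retryAfterSec = this.lockoutSec;
      this._audit('mfa.lockout', userId, nowSec,
        { failures: this.maxFailures, lockoutSec: this.lockoutSec });
    } else {
      this._audit('mfa.failure', userId, nowSec, { failures: s.failures.length });
    }
    this.state.set(userId, s);
    return { allowed: true, verified: false, retryAfterSec };
  }
}
```

In a login handler the verifyFn argument is the SDK call (for example a verifyTOTP or verifySMSCode result), and the auditLog entries are what a detection rule keys on: a burst of mfa.failure events across many users, or mfa.lockout followed by mfa.success from a new device, is worth an alert. The in-memory Map is for illustration; a multi-node deployment keeps this state in a shared store.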
User Experience Best Practices
- Clear Instructions: Provide step-by-step setup guidance
- Method Choice: Let users choose their preferred MFA method
- Gradual Rollout: Implement MFA requirements gradually
- Support Documentation: Provide help resources for users
- Accessibility: Ensure MFA methods work with assistive technologies
Implementation Tips
- Progressive Enhancement: Start with optional MFA, then make it required
- Risk-Based: Require MFA based on login risk factors
- Remember Devices: Reduce friction on trusted devices
- Fallback Options: Always provide alternative authentication methods
- Regular Review: Periodically review and update MFA policies