MFA
Multi-Factor Authentication (MFA)
Secure user logins and sensitive actions with account-based or action-based MFA.
Multi-Factor Authentication (MFA) adds a layer of security to your app. Require users to verify their identity upon login, for sensitive actions like transactions, or both. This guide covers how to implement both account-based and action-based MFA using either the Dynamic Widget or headless hooks for a custom UI.
Account-Based MFA
With account-based MFA, users must complete an MFA challenge on every login.Setup
- Go to the Security page.
- In the Account MFA section, enable your desired methods (TOTP and/or Passkeys).
- (Optional) Toggle “Require at onboarding” to force MFA setup during signup.
- (Optional) Toggle “Session-based MFA” to require MFA for every new session.
- Click Save Changes.
Implementation
Using the Dynamic Widget
The Dynamic Widget automatically handles the entire account-based MFA flow, including device registration, authentication, and recovery codes. No extra code is needed.Using your UI (headless/hooks)
For full UI control, use our headless hooks to build a custom MFA experience. This approach is more complex but allows complete UI and flow customization. See our step-by-step guides for detailed instructions:Headless TOTP Guide
Build a custom TOTP experience with authenticator apps.
Headless Passkeys Guide
Implement a custom Passkey MFA flow for your application.
Action-Based MFA
Require users to complete MFA only for sensitive actions, like signing transactions or exporting private keys. This is more user-friendly while still protecting critical operations.Setup
- Go to the Security page.
- In the Account MFA section, enable your desired methods (TOTP and/or Passkeys).
- Click the settings gear next to the MFA header.
- Toggle on Action based MFA.
- Click Save Changes.
Implementation
Using the Dynamic Widget
The Dynamic Widget automatically prompts for MFA when a user attempts a protected action. No extra code is needed.Using your UI (headless/hooks)
For full UI control, use our headless hooks to build a custom MFA experience. See our step-by-step guides for detailed instructions:Headless TOTP Guide
Build a custom TOTP experience with authenticator apps.
Headless Passkeys Guide
Implement a custom Passkey MFA flow for your application.
Device Management & Recovery
Users might need to delete an MFA device if it’s lost or replaced, or an admin may need to reset a user’s MFA.Device Management
Manage user MFA devices and recovery.