Overview

Multi-factor authentication (MFA) adds a second verification step after the user’s primary authentication method. This strengthens account security by requiring something the user has (an authenticator app or passkey device) in addition to something they know or are (password, email, wallet signature, etc.).
This page covers MFA for end users of your application. For MFA on the Dynamic Dashboard (admin login), see Dashboard MFA.

Methods (TOTP, Passkey)

TOTP (Time-based One-Time Password)

TOTP uses an authenticator app (e.g. Google Authenticator, Authy, 1Password) to generate a six-digit code that rotates every 30 seconds. The user registers their authenticator app during setup and enters the current code when prompted for MFA.

Passkey

Passkey-based MFA uses WebAuthn to verify the user with a hardware security key, biometric (fingerprint, face), or platform authenticator. Unlike passkey as a primary sign-in method, passkey MFA is used as an additional verification step after the user has already authenticated.

How MFA works in Dynamic

When MFA is enabled and required, Dynamic issues the initial JWT with a requiresAdditionalAuth scope after the primary authentication step. This signals that the user must complete an additional verification before the token is fully trusted.
  1. User completes primary authentication (email, wallet, social, etc.) and receives a JWT with the requiresAdditionalAuth scope.
  2. The SDK prompts the user to complete MFA (TOTP code or passkey verification).
  3. Upon successful MFA, Dynamic upgrades the JWT scope — removing requiresAdditionalAuth — and the user is fully authenticated.
Your backend should check for the requiresAdditionalAuth scope when verifying JWTs and reject or limit access for tokens that still carry it. See Tokens for verification details.
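
One way to implement this backend check, as an added example that is not Dynamic's own code. It assumes an RS256-signed token whose scopes arrive in a `scope` claim as a space-delimited string or an array; `checkDynamicJwt` and `signSample` are hypothetical names, and the key pair and tokens are constructed locally so the block runs offline.

```javascript
// Added example: keys and tokens below are constructed; the `scope` claim layout is an assumption.
const crypto = require('node:crypto');

const b64url = (x) => Buffer.from(x).toString('base64url');

// Verify signature and expiry first, then refuse tokens that still carry requiresAdditionalAuth.
function checkDynamicJwt(token, publicKey, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  } catch { return { ok: false, reason: 'malformed' }; }
  // Pin the algorithm server-side instead of letting the token choose it.
  if (header?.alg !== 'RS256') return { ok: false, reason: 'bad-alg' };
  const valid = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, 'base64url'));
  if (!valid) return { ok: false, reason: 'bad-signature' };
  if (typeof claims?.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  // Assumption: scopes are a space-delimited string or an array in `scope`.
  const scopes = Array.isArray(claims.scope) ? claims.scope : String(claims.scope ?? '').split(/\s+/).filter(Boolean);
  // A correctly signed token is still not fully trusted until MFA has been completed.
  if (scopes.includes('requiresAdditionalAuth')) return { ok: false, reason: 'mfa-pending', sub: claims.sub };
  return { ok: true, sub: claims.sub };
}

// Constructed fixtures: a throwaway key pair and two sample tokens.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function signSample(claims) {
  const input = `${b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url')}`;
}
const exp = Math.floor(Date.now() / 1000) + 300;
const pendingToken = signSample({ sub: 'user-1', exp, scope: 'requiresAdditionalAuth' }); // after primary auth
const upgradedToken = signSample({ sub: 'user-1', exp }); // after successful MFA
```

The scope check runs only after the signature check, so a client that edits the payload to drop `requiresAdditionalAuth` is rejected as `bad-signature` rather than treated as upgraded.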

MFA modes

Dynamic supports different MFA modes depending on when and how MFA is enforced:
  • Session-based MFA: Required at sign-in. The user must complete MFA every time they authenticate and establish a new session.
  • Action-based MFA: Required before specific actions (e.g. high-value transactions). MFA is triggered on-demand rather than at login.

Configuration

Enable and configure MFA in the dashboard security settings. You can choose which MFA methods to offer, whether MFA is required or optional, and when it is triggered.

SDK implementation guides

Detailed guides by method and mode

Platforms covered: JavaScript, React, React Native, Swift, Kotlin, Flutter. Not every guide is available for every platform.
  • TOTP
  • Passkey MFA
  • Account-based MFA
  • Action-based MFA
  • Session MFA
  • Device management
  • Recovery codes