Overview
Multi-factor authentication (MFA) adds a second verification step after the user’s primary authentication method. This strengthens account security by requiring something the user has (an authenticator app or passkey device) in addition to something they know or are (password, email, wallet signature, etc.).
This page covers MFA for end users of your application. For MFA on the Dynamic Dashboard (admin login), see Dashboard MFA.
Methods (TOTP, Passkey)
TOTP (Time-based One-Time Password)
TOTP uses an authenticator app (e.g. Google Authenticator, Authy, 1Password) to generate a six-digit code that rotates every 30 seconds. The user registers their authenticator app during setup and enters the current code when prompted for MFA.
Passkey
Passkey-based MFA uses WebAuthn to verify the user with a hardware security key, biometric (fingerprint, face), or platform authenticator. Unlike passkey as a primary sign-in method, passkey MFA is used as an additional verification step after the user has already authenticated.
How MFA works in Dynamic
When MFA is enabled and required, Dynamic issues the initial JWT with a requiresAdditionalAuth scope after the primary authentication step. This signals that the user must complete an additional verification before the token is fully trusted.
- User completes primary authentication (email, wallet, social, etc.) and receives a JWT with the requiresAdditionalAuth scope.
- The SDK prompts the user to complete MFA (TOTP code or passkey verification).
- Upon successful MFA, Dynamic upgrades the JWT scope, removing requiresAdditionalAuth, and the user is fully authenticated.
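A backend that accepts these JWTs has to treat a token that still carries requiresAdditionalAuth as not yet authorized. The following is an added example, not code from Dynamic's SDK or documentation: it assumes RS256 signing and that scopes appear as a `scopes` array or a space-delimited `scope` string, and it uses a constructed in-process key pair plus hypothetical helpers (`signDemoToken`, `scopesOf`, `authorize`) in place of the issuer's real signing key.

```javascript
// Added example: server-side gate that rejects JWTs still awaiting MFA.
const crypto = require('node:crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');

// Constructed key pair standing in for the issuer's signing key (demo only).
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Hypothetical helper that mints constructed sample tokens for this demo.
function signDemoToken(payload, key = privateKey) {
  const input = `${b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64u(JSON.stringify(payload))}`;
  return `${input}.${crypto.sign('sha256', Buffer.from(input), key).toString('base64url')}`;
}

// Assumption: scopes arrive as a `scopes` array or a space-delimited `scope` string.
function scopesOf(claims) {
  if (Array.isArray(claims.scopes)) return claims.scopes;
  return typeof claims.scope === 'string' ? claims.scope.split(/\s+/).filter(Boolean) : [];
}

// Returns { ok: true, claims } only for a validly signed, unexpired, MFA-complete token.
function authorize(token, key = publicKey, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString());
    claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm; never let the token choose how it is verified.
  if (!header || header.alg !== 'RS256') return { ok: false, reason: 'bad_alg' };
  if (!crypto.verify('sha256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url')))
    return { ok: false, reason: 'bad_signature' };
  if (!claims || typeof claims.exp !== 'number' || claims.exp <= nowSec)
    return { ok: false, reason: 'expired' };
  // Primary authentication alone is not enough: this token is not fully trusted yet.
  if (scopesOf(claims).includes('requiresAdditionalAuth'))
    return { ok: false, reason: 'mfa_required' };
  return { ok: true, claims };
}
```

The scope check runs only after the signature and expiry checks pass, so an unverified payload never influences the decision.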
MFA modes
Dynamic supports different MFA modes depending on when and how MFA is enforced:
- Session-based MFA: Required at sign-in. The user must complete MFA every time they authenticate and establish a new session.
- Action-based MFA: Required before specific actions (e.g. high-value transactions). MFA is triggered on-demand rather than at login.
MFA is one type of step-up authentication — re-verifying before sensitive actions. Step-up can also use re-auth methods (email OTP, SMS OTP, wallet signature). For the full picture (elevated access tokens, scopes, all verification methods), see Step-up authentication.
Configuration
Enable and configure MFA in the dashboard security settings. You can choose which MFA methods to offer, whether MFA is required or optional, and when it is triggered.
SDK implementation guides
JavaScript
React
React Native
Swift
Kotlin
Flutter
Detailed guides by method and mode
| Guide | JavaScript | React | React Native | Swift | Kotlin | Flutter |
|---|---|---|---|---|---|---|
| TOTP | Guide | — | — | Guide | Guide | — |
| Passkey MFA | Guide | — | — | Guide | Guide | — |
| Account-based MFA | Guide | Guide | Guide | Guide | Guide | — |
| Action-based MFA | Guide | Guide | Guide | Guide | Guide | — |
| Step-up auth | Guide | Guide | Guide | — | — | Guide |
| Session MFA | Guide | — | — | — | — | — |
| Device management | Guide | Guide | Guide | — | — | — |
| Recovery codes | Guide | — | — | — | — | — |