
# Multi-Factor Authentication (MFA)

> Overview of MFA in Dynamic — TOTP and Passkey methods, when MFA is triggered, and links to SDK implementation guides.

## Overview

Multi-factor authentication (MFA) adds a second verification step after the user's primary authentication method. This strengthens account security by requiring something the user **has** (an authenticator app or passkey device) in addition to something they **know** or **are** (password, email, wallet signature, etc.).

<Note>
  This page covers MFA for **end users** of your application. For MFA on the Dynamic Dashboard (admin login), see [Dashboard MFA](/overview/developer-dashboard/mfa).
</Note>

## Methods (TOTP, Passkey)

### TOTP (Time-based One-Time Password)

TOTP uses an authenticator app (e.g. Google Authenticator, Authy, 1Password) to generate a six-digit code that rotates every 30 seconds. The user registers their authenticator app during setup and enters the current code when prompted for MFA.

### Passkey

Passkey-based MFA uses WebAuthn to verify the user with a hardware security key, biometric (fingerprint, face), or platform authenticator. Unlike passkey as a primary sign-in method, passkey MFA is used as an additional verification step after the user has already authenticated.

## How MFA works in Dynamic

When MFA is enabled and required, Dynamic issues the initial JWT with a `requiresAdditionalAuth` scope after the primary authentication step. This signals that the user must complete an additional verification before the token is fully trusted.

1. User completes primary authentication (email, wallet, social, etc.) and receives a JWT with the `requiresAdditionalAuth` scope.
2. The SDK prompts the user to complete MFA (TOTP code or passkey verification).
3. Upon successful MFA, Dynamic upgrades the JWT scope — removing `requiresAdditionalAuth` — and the user is fully authenticated.

<Warning>
  **Critical**: Your backend must verify that the JWT scope list includes `user:basic` before trusting the token. If `user:basic` is not among the scopes (e.g. scope is `requiresAdditionalAuth`), the user has NOT completed authentication. Reject tokens whose scope does not include `user:basic` for all protected operations.
</Warning>

See [Tokens](/overview/authentication/tokens#verifying-the-jwt) for verification details and code examples.
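The backend check from the warning above, as an added example (not Dynamic's own code). It assumes RS256-signed tokens and a scope claim named `scope` or `scopes` that is either a space-delimited string or an array; the key pair, the `signSample` helper and the tokens are constructed for the demo, and in production the public key comes from the token issuer.

```javascript
const crypto = require('crypto');

// Constructed demo key pair; a real backend loads the issuer's public key instead.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const b64u = (value) => Buffer.from(value).toString('base64url');

// Signs a constructed sample token so the example runs offline (demo only).
function signSample(payload) {
  const head = b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64u(JSON.stringify(payload));
  const sig = crypto.sign('RSA-SHA256', Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${sig.toString('base64url')}`;
}

// Normalise the scope claim (assumed name and shape) into exact scope names.
function scopeList(payload) {
  const raw = payload.scope ?? payload.scopes ?? [];
  return Array.isArray(raw) ? raw.map(String) : String(raw).split(/\s+/).filter(Boolean);
}

// Verify signature and expiry first, then require an exact `user:basic` scope.
function authorize(token, key, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [head, body, sig] = parts;
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString('utf8'));
    payload = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (!header || !payload) return { ok: false, reason: 'malformed' };
  if (header.alg !== 'RS256') return { ok: false, reason: 'bad-alg' };
  const signed = Buffer.from(`${head}.${body}`);
  if (!crypto.verify('RSA-SHA256', signed, key, Buffer.from(sig, 'base64url'))) {
    return { ok: false, reason: 'bad-signature' };
  }
  if (typeof payload.exp !== 'number' || payload.exp <= now) return { ok: false, reason: 'expired' };
  const scopes = scopeList(payload);
  if (scopes.includes('user:basic')) return { ok: true, sub: payload.sub };
  // Distinguish "MFA still pending" so the API can answer with a step-up prompt.
  const pending = scopes.includes('requiresAdditionalAuth');
  return { ok: false, reason: pending ? 'mfa-pending' : 'missing-scope' };
}
```

Matching on the split list rather than on the raw string means a lookalike value such as `user:basic-readonly` does not pass the check.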

## MFA modes

Dynamic supports different MFA modes depending on when and how MFA is enforced:

* **Session-based MFA**: Required at sign-in. The user must complete MFA every time they authenticate and establish a new session.
* **Action-based MFA**: Required before specific actions (e.g. high-value transactions). MFA is triggered on-demand rather than at login.

<Info>
  MFA is one type of **step-up authentication** — re-verifying before sensitive actions. Step-up can also use re-auth methods (email OTP, SMS OTP, wallet signature). For the full picture (elevated access tokens, scopes, all verification methods), see [Step-up authentication](/overview/authentication/step-up-auth).
</Info>

## Configuration

Enable and configure MFA in the [dashboard security settings](https://app.dynamic.xyz/dashboard/developer/security). You can choose which MFA methods to offer, whether MFA is required or optional, and when it is triggered.

## SDK implementation guides

<CardGroup cols={3}>
  <Card title="JavaScript" icon="js" href="/javascript/authentication-methods/mfa/overview" />

  <Card title="React" icon="react" href="/react/authentication-methods/mfa/overview" />

  <Card title="React Native" icon="react" href="/react-native/authentication-methods/mfa/overview" />

  <Card title="Swift" icon="swift" href="/swift/mfa" />

  <Card title="Kotlin" icon="android" href="/kotlin/mfa" />

  <Card title="Flutter" icon="flutter" href="/flutter/authentication" />
</CardGroup>

### Detailed guides by method and mode

| Guide             | JavaScript                                                        | React                                                        | React Native                                                        | Swift               | Kotlin               | Flutter                                                        |
| ----------------- | ----------------------------------------------------------------- | ------------------------------------------------------------ | ------------------------------------------------------------------- | ------------------- | -------------------- | -------------------------------------------------------------- |
| TOTP              | [Guide](/javascript/authentication-methods/mfa/totp)              | —                                                            | —                                                                   | [Guide](/swift/mfa) | [Guide](/kotlin/mfa) | —                                                              |
| Passkey MFA       | [Guide](/javascript/authentication-methods/mfa/passkey)           | —                                                            | —                                                                   | [Guide](/swift/mfa) | [Guide](/kotlin/mfa) | —                                                              |
| Account-based MFA | [Guide](/javascript/authentication-methods/mfa/account-based)     | [Guide](/react/authentication-methods/mfa/account-based)     | [Guide](/react-native/authentication-methods/mfa/account-based)     | [Guide](/swift/mfa) | [Guide](/kotlin/mfa) | —                                                              |
| Action-based MFA  | [Guide](/javascript/authentication-methods/mfa/action-based)      | [Guide](/react/authentication-methods/mfa/action-based)      | [Guide](/react-native/authentication-methods/mfa/action-based)      | [Guide](/swift/mfa) | [Guide](/kotlin/mfa) | —                                                              |
| Step-up auth      | [Guide](/javascript/authentication-methods/step-up-auth/overview) | [Guide](/react/authentication-methods/step-up-auth/overview) | [Guide](/react-native/authentication-methods/step-up-auth/overview) | —                   | —                    | [Guide](/flutter/authentication-methods/step-up-auth/overview) |
| Session MFA       | [Guide](/javascript/authentication-methods/mfa/session-mfa)       | —                                                            | —                                                                   | —                   | —                    | —                                                              |
| Device management | [Guide](/javascript/authentication-methods/mfa/device-management) | [Guide](/react/authentication-methods/mfa/device-management) | [Guide](/react-native/authentication-methods/mfa/device-management) | —                   | —                    | —                                                              |
| Recovery codes    | [Guide](/javascript/authentication-methods/mfa/recovery-codes)    | —                                                            | —                                                                   | —                   | —                    | —                                                              |
