Multi-Factor Authentication (MFA) requires users to verify their identity using a second authentication factor. MFA is structured in two parts: enrollment (users register a TOTP device or Passkey) and enforcement (when the second factor is required). Enforcement can be session-based (every login), action-based (specific sensitive actions), or both.

MFA Methods

Users can authenticate using either of these methods:
  • TOTP (Time-based One-Time Password): Authenticator apps like Google Authenticator, Authy, or 1Password
  • Passkeys: WebAuthn-based authentication using biometrics or device security keys

Enrollment

Enrollment is when users register a TOTP device or Passkey. If you use Dynamic’s UI, enrollment can be required when users first onboard. Configuration:
  • Require at onboarding: When enabled, users must set up MFA during signup and cannot complete signup without registering an MFA method (TOTP or Passkey).
Behavior:
  • Users must register at least one MFA method (TOTP or Passkey); enforcement does not apply until they have.
  • With “Require at onboarding” enabled and Dynamic’s UI in use, registration happens during first-time onboarding.

Enforcement

Enforcement is when the second factor is required. You can enable session-based enforcement (every login), action-based enforcement (specific sensitive actions), or both. Users must have completed enrollment (registered at least one MFA method) before enforcement applies.

Session-based enforcement

When enabled, MFA is required on every login—users must complete an MFA challenge each time they start a new session. Configuration:
  • Session-based MFA (toggle in the dashboard): When enabled, MFA is required on every new login session.
Behavior:
  • Users complete an MFA challenge on every new login session.
  • This is in addition to their primary authentication method.
  • Login is blocked until the MFA challenge is completed.

Action-based enforcement

When enabled, users must verify their identity with a second factor before performing specific sensitive actions (for example signing or exporting keys). You can enable one or more of the events below.
Action-based enforcement protects users in two scenarios: a stolen JWT (for example via phishing or a compromised session) and malware on their device. In both cases the attacker holds a valid session but cannot complete a protected action without also passing the second factor. The malware case holds only when the second factor is out of the malware’s reach: a TOTP app on a separate device, or a passkey whose user-verification gesture (biometric or PIN) the malware cannot supply.
Events that trigger action-based enforcement:
  • Waas Export: When exporting a private key on an MPC wallet
  • Waas Refresh: When a user’s wallet is delegated to another device, or when they claim a pre-generated wallet for the first time
  • WaaS Sign: When any signature is performed (message, transaction, typed data, authorization, etc.)
  • WaaS Reshare: When a wallet’s delegated access is approved or revoked and the user next signs in
Configuration:
  • Select which events to protect with MFA (Waas Export, Waas Refresh, WaaS Sign, WaaS Reshare) in the dashboard.
Behavior:
  • Users create an MFA token before performing the protected action.
  • The token is validated when the action is executed.
  • Actions are blocked until a valid MFA token is provided.

Dashboard Configuration

Configure end-user MFA in the Security Settings page:
  1. Navigate to Settings > Security in the dashboard.
  2. Enrollment: Enable TOTP and/or Passkeys; toggle “Require at onboarding” to require MFA enrollment during signup.
  3. Enforcement: Choose when the second factor is required (session-based, action-based, or both):
    • Session-based: Toggle “Session-based MFA” to require MFA on every login.
    • Action-based: Enable TOTP and/or Passkeys for Action MFA (if not already enabled for enrollment), then select which events to protect (Waas Export, Waas Refresh, WaaS Sign, WaaS Reshare).

Implementation

After configuring MFA in the dashboard, implement the MFA flow in your application using your SDK: