> ## Documentation Index
> Fetch the complete documentation index at: https://stytch.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Multi-Factor Authentication

> Built-in frontend MFA protections

Stytch frontend SDKs allow Users to manage verification factors associated with their accounts. These include sensitive actions such as:

* Adding an email address
* Deleting a phone number
* Adding other new auth factors

These privileged actions require the User's Session to be authenticated with a **secure combination of auth factors**. In other words, the User's Session needs to be **multi-factor authenticated**.

For a Session to be considered secure or have completed MFA, it must include factors from at least **two categories**. Additionally, at least one factor in the Session must be less than an hour old.

Stytch auth factors are split into three general categories:

1. Access to another online account or email address (OAuth, Email Magic Links, Email OTP).
2. Access to a phone number (SMS and WhatsApp OTP).
3. Access to a dedicated 2nd factor (WebAuthn, Passkeys, TOTP).

Here are some examples:

* If a User completes a successful Email Magic Link flow and a successful SMS passcode flow, they will be considered securely authenticated.
* If a User completes an Email Magic Link flow and an OAuth flow with their Google account, they will not be considered securely authenticated.

**Important**: If a User does not have enough registered factors to complete MFA, they are permitted to add a second auth factor without additional steps.