Multi-Factor Authentication

Multi-factor authentication (MFA) adds an additional layer of security to your application by requiring users to verify their identity using multiple authentication methods.

MFA methods supported

Stytch’s SDK supports several MFA methods that you can integrate into your authentication flow:

Time-based One-Time Passwords (TOTP)

TOTP is a widely-used MFA method that generates time-sensitive codes through authenticator apps like Google Authenticator or Authy.

Create TOTP: Register a new TOTP device for a user
Authenticate TOTP: Verify a TOTP code
Get Recovery Codes: Generate backup codes for account recovery

SMS One-Time Passcodes

Send verification codes to users via SMS for step-up authentication:

Send SMS OTP: Send a one-time code via SMS
Authenticate OTP: Verify the SMS code

WhatsApp One-Time Passcodes

Deliver verification codes through WhatsApp:

Send WhatsApp OTP: Send a one-time code via WhatsApp
Authenticate OTP: Verify the WhatsApp code

Email One-Time Passcodes

Use email as a second factor for authentication:

Send Email OTP: Send a one-time code via email
Authenticate OTP: Verify the email code

WebAuthn / Passkeys

Leverage hardware security keys or biometric authentication:

Register WebAuthn: Register a new WebAuthn credential
Authenticate WebAuthn: Verify using WebAuthn

Implementing MFA flows

Step-up authentication

Require additional verification for sensitive actions even when a user is already authenticated:

// After initial authentication, require MFA for sensitive operation
const totpResponse = await stytch.totps.authenticate({
  totp_code: userInputCode,
  session_duration_minutes: 15
});

Enrollment flow

Guide users through setting up MFA on their account:

Prompt user to enable MFA
Present available MFA methods
Guide through method-specific setup (e.g., scanning QR code for TOTP)
Verify the setup with a test authentication
Provide recovery codes

Recovery options

Always implement backup authentication methods:

Recovery codes for TOTP
Multiple registered devices or phone numbers
Admin-assisted recovery process

Security best practices

Enforce MFA for privileged accounts: Require MFA for admin or sensitive roles
Support multiple methods: Give users flexibility in choosing their preferred MFA method
Secure recovery codes: Store recovery codes securely and remind users to save them
Rate limiting: Implement rate limits on MFA attempts to prevent brute force attacks
Session management: Use shorter session durations for MFA-protected resources

User experience considerations

Make MFA enrollment optional initially, but encourage adoption
Provide clear instructions for each MFA method
Allow users to manage their MFA devices through your app
Remember trusted devices to reduce friction for frequent users
Offer “Don’t ask again on this device” options for lower-risk scenarios

​MFA methods supported

​Time-based One-Time Passwords (TOTP)

​SMS One-Time Passcodes

​WhatsApp One-Time Passcodes

​Email One-Time Passcodes

​WebAuthn / Passkeys

​Implementing MFA flows

​Step-up authentication

​Enrollment flow

​Recovery options

​Security best practices

​User experience considerations