Headless Integration of MFA

The following authentication methods will return a Member Session if the Member is not enrolled in MFA OR an intermediate_session_token and an mfa_required object that indicates MFA is required in order to be granted a Session for the Organization:

• sso.authenticate()
• oauth.authenticate()
• magicLinks.authenticate()
• passwords.authenticate()
• discovery.intermediateSessions.exchange()
• passwords.resetByEmail()
• passwords.resetByExistingPassword

If the Member is not yet enrolled in MFA, the response will look as follows:

Indicating that member_authenticated: false due to mfa_required -- but no member_options are present. The Stytch SDK will automatically store the intermediate_session_token and handle passing that with subsequent calls to tie the user's primary and secondary authentication together.

For the primary authentication endpoint(s) you've already integrated add handling to detect when MFA enrollment is required by checking to see if the organization.mfa_methods is ALL_ALLOWED or RESTRICTED. If RESTRICTED use the organization.allowed_mfa_methods to surface only allowed MFA methods to the user.

Check the organization.allowed_mfa_methods and based on the available options, prompt the user to enroll in MFA.

For SMS MFA, prompt the user for their phone number and call the SMS Send method with the number. Make sure the mfa_phone_number is in the E.164 format, e.g. “+14155551234”.

For TOTP MFA, you'll first trigger the TOTP Create method, which will return a qr_code that you will surface to the end user to register their authenticator app.

Using our React SDK this will look like the following:

In vanilla Javascript you would do:

Prompt the user to input their OTP or TOTP code in order to complete the MFA enrollment and authenticate.

Run your application and attempt to login to your Organization with the REQUIRED_FOR_ALL MFA Policy to test out required enrollment in MFA.