Multi-Factor Authentication
Multi-factor authentication (MFA) enhances security by requiring users to provide two or more verification factors prior to accessing their account, greatly reducing the likelihood of account compromise.
API Objects & Endpoints
| API Resources | Description |
|---|---|
| | A top-level tenant that groups members, auth settings, roles, and other identity configurations. |
| | Represents an authenticated user who is a member of a specific Organization. |
| | A collection of endpoints for enrolling in and performing MFA with SMS OTPs. |
| | A collection of endpoints for enrolling in and performing MFA with authenticator apps using TOTP. |
| | A managed session that tracks a Member's logged-in state using JWTs or session tokens. |
How it works
Stytch supports two different methods of secondary authentication:
- SMS One-time passcodes (OTPs)
- Authenticator app Time-based One-time passcodes (TOTPs)
Stytch handles:
- Enforced enrollment in MFA based on the Organization's MFA Policy (optional or required, allowed secondary methods)
- Optional enrollment in MFA, even if the Organization does not require it
- Enforcing that MFA requirements for the Member and Organization have been met prior to a Session being issued
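A minimal model of the gate described in the list above, added here as an illustration; it is not Stytch's code or API. The names `OrgPolicy`, `Member`, `opted_in` and `session_gate` are hypothetical, and treating an enrolled method that the policy does not allow as requiring new enrollment is an assumption.

```python
from dataclasses import dataclass, field
from enum import Enum

# The two secondary methods named on this page.
METHODS = {"sms_otp", "totp"}


class Decision(Enum):
    ISSUE_SESSION = "issue_session"
    REQUIRE_MFA = "require_mfa"                # challenge an already enrolled factor
    REQUIRE_ENROLLMENT = "require_enrollment"  # member must enroll an allowed factor


@dataclass
class OrgPolicy:  # hypothetical shape, not Stytch's schema
    mfa_required: bool
    allowed_methods: set = field(default_factory=lambda: set(METHODS))


@dataclass
class Member:  # hypothetical shape, not Stytch's schema
    enrolled_methods: set = field(default_factory=set)
    opted_in: bool = False  # member chose MFA although the org does not require it


def session_gate(org, member, primary_ok, completed_secondary=None):
    """Return (Decision, methods) for one login attempt.

    `methods` lists the factors the member may enroll in or be challenged
    with; it is empty when a session may be issued.
    """
    if not primary_ok:
        raise PermissionError("primary authentication has not succeeded")

    # No org requirement and no member opt-in: primary auth is enough.
    if not (org.mfa_required or member.opted_in):
        return Decision.ISSUE_SESSION, set()

    allowed = org.allowed_methods & METHODS
    usable = member.enrolled_methods & allowed
    if not usable:
        # Nothing enrolled, or only methods the policy does not allow (assumption).
        return Decision.REQUIRE_ENROLLMENT, allowed

    if completed_secondary in usable:
        return Decision.ISSUE_SESSION, set()

    # Fail closed: a missing, unknown or disallowed factor never yields a session.
    return Decision.REQUIRE_MFA, usable
```
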