/
Contact usSee pricingStart building

    About B2B Saas Authentication

    Introduction
    Stytch B2B Basics
    Integration Approaches
      Full-stack overview
      Frontend (pre-built UI)
      Frontend (headless)
      Backend
    Next.js
      Routing
      Authentication
      Sessions
    Migrations
      Overview
      Reconciling data models
      Migrating user data
      Additional migration considerations
      Zero-downtime deployment
      Defining external IDs for members
      Exporting from Stytch
    Custom Domains
      Overview

    Authentication

    Single Sign On
    • Resources

      • Overview
        External SSO Connections
        Standalone SSO
    • Integration Guides

      • Start here
        Backend integration guide
        Headless integration guide
        Pre-built UI integration guide
    OAuth
    • Resources

      • Overview
        Authentication flows
        Identity providers
        Google One Tap
        Provider setup
    • Integration Guides

      • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Connected AppsBeta
      Setting up Connected Apps
      About Remote MCP Servers
    • Resources

      • Integrate with AI agents
        Integrate with a remote MCP server
    Sessions
    • Resources

      • Overview
        JWTs vs Session Tokens
        How to use Stytch JWTs
        Custom Claims
    • Integration Guides

      • Start here
        Backend integration
        Frontend integration
    Email OTP
      Overview
    Magic Links
    • Resources

      • Overview
        Email Security Scanner Protections
    • Integration Guides

      • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Multi-Factor Authentication
    • Resources

      • Overview
    • Integration Guides

      • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Passwords
      Overview
      Strength policies
    UI components
      Overview
      Implement the Discovery flow
      Implement the Organization flow
    DFP Protected Auth
      Overview
      Setting up DFP Protected Auth
      Handling challenges
    M2M Authentication
      Authenticate an M2M Client
      Rotate client secrets
      Import M2M Clients from Auth0

    Authorization & Provisioning

    RBAC
    • Resources

      • Overview
        Stytch Resources & Roles
        Role assignment
    • Integration Guides

      • Start here
        Backend integration
        Headless frontend integration
    SCIM
    • Resources

      • Overview
        Supported actions
    • Integration Guides

      • Using Okta
        Using Microsoft Entra
    Organizations
      Managing org settings
      JIT Provisioning

    Testing

    E2E testing
    Sandbox values
Get support on SlackVisit our developer forum

Contact us

B2B Saas Authentication

/

Guides

/

Authentication

/

Multi-Factor Authentication

/

Integration Guides

/

Pre-built UI frontend integration

Pre-built UI Integration of MFA

The UI component handles MFA enrollment and authentication automatically, honoring both the Organization's MFA Policy and any optional Member enrollment.

You can adjust the defaults for which MFA options are shown and the order they are presented to the end user through the mfaProductInclude and the mfaProductOrder arrays in the UI config.

var organizationConfig = {
    authFlowType: "Organization",
    mfaProductInclude: ['totp', 'smsOtp'],
    mfaProductOrder: ['totp', 'smsOtp'],
    ...,
  };

However, it is important to note that the Organization's allowed_mfa_methods and the Member's current MFA enrollment options will take precedent over the UI config.

Required MFA Enrollment

The below sequence outlines the flow that will occur after primary authentication, when an Organization's MFA Policy is REQUIRED_FOR_ALL but the Member is not currently enrolled in MFA.

Pre-built UI integration of required MFA enrollment

If neither the Organization or UI config restrict the MFA methods available, the user will be presented with options, ordered according to the mfaProductOrder array.

Pre-built UI when both TOTP and SMS allowedBoth TOTP and SMS OTP allowed by Organization and UI config

If the Organization restricts MFA methods, the UI will surface that option -- even if it is not explicitly included in the UI config.

Pre-built UI when only TOTP allowedOnly TOTP allowed

If the Organization does not restrict MFA methods and mfaProductInclude is explicitly passed in the UI config, the user will only be shown the options allowed by the config.

Pre-built UI when only TOTP allowedOnly SMS OTP allowed

Returning MFA Authentication

Stytch will enforce MFA for members who are enrolled in MFA, either as a requirement for the Organization or optionally.

Pre-built UI integration of MFA authenticationSequence of enforcing MFA when Member is already enrolled

On returning authentication when a user is already enrolled in MFA, Stytch will render the component for the Member's default MFA method. If the Member has multiple MFA Options, they will see an option to switch to their non-default instead.

Pre-built UI for returning MFA authentication using TOTPUI when Member's default MFA method is TOTP, but has SMS OTP as backup

Required MFA Enrollment

Returning MFA Authentication