Multi-Factor Authentication
Multi-factor authentication (MFA) enhances security by requiring users to provide two or more verification factors prior to accessing their account, which reduces the likelihood of account compromise.
API Reference
Use the MFA API to manage multi-factor authentication on your backend.
Frontend SDKs
Use the MFA SDKs to implement multi-factor authentication in your frontend.
How it works
Stytch supports two different methods of secondary authentication:
- SMS one-time passcodes (OTPs). OTPs ask users to enter a unique numeric or alphanumeric code sent via SMS to a recognized mobile phone number.
- Authenticator app time-based one-time passcodes (TOTPs). TOTPs ask users to confirm control of their device within a certain time frame using a passcode generated by a smartphone app like Authy or Google Authenticator.
- Enforced enrollment in MFA based on the Organization’s MFA policy, which determines whether MFA is optional or required and which methods are allowed.
- Optional enrollment in MFA, even if the Organization does not require it.
- Enforcing that MFA requirements for the Member and Organization have been met prior to a Stytch session being issued.
OTP considerations
Cost
When using Stytch’s SMS OTP product, OTPs to end users in the United States and Canada are included in your Stytch plan at no additional cost. For international OTPs, Stytch will charge you the same amount that we are charged by our SMS providers with no upcharge. You can see the pricing for each country by visiting Twilio’s pricing page. This is important to keep in mind as you plan costs and which countries you want to support, as pricing can vary significantly by country.
Country code allowlist
By default, a Stytch project will have only the United States (US) and Canada (CA) enabled for SMS OTP sends. To enable SMS OTP sends to other allowed countries, you can add the country to your country code allowlist in the Stytch Dashboard or via the country_code_allowlist endpoint.
Stytch does not support sending SMS passcodes to the following countries. If you attempt to add a country listed below to your country code allowlist, the API will return a country_code_allowlist_invalid_country_codes error.
List of countries where SMS OTPs are not supported
| Country | Alpha-2 | Prefix |
|---|---|---|
| Algeria | DZ | +213 |
| Afghanistan | AF | +93 |
| Albania | AL | +355 |
| Andorra | AD | +376 |
| Angola | AO | +244 |
| Antarctica | AQ | +672 |
| Armenia | AM | +374 |
| Aruba | AW | +297 |
| Azerbaijan | AZ | +994 |
| Bahamas | BS | +1242 |
| Bahrain | BH | +973 |
| Bangladesh | BD | +880 |
| Barbados | BB | +1246 |
| Belarus | BY | +375 |
| Belize | BZ | +501 |
| Bermuda | BM | +1441 |
| Bhutan | BT | +975 |
| Bosnia and Herzegovina | BA | +387 |
| Botswana | BW | +267 |
| Bouvet Island | BV | +47 |
| British Virgin Islands | VG | +1284 |
| Burma (Myanmar) | MM | +95 |
| Burundi | BI | +257 |
| Cambodia | KH | +855 |
| Cape Verde | CV | +238 |
| Cayman Islands | KY | +1345 |
| Chad | TD | +235 |
| China – including Hong Kong | CN | +86 |
| Comoros | KM | +269 |
| Congo, Dem Rep | CD | +243 |
| Cote D’Ivoire (Ivory Coast) | CI | +225 |
| Cuba | CU | +53 |
| Curaçao and Caribbean Netherlands | CW | +599 |
| Cyprus | CY | +357 |
| Democratic Republic of Congo | CD | +243 |
| Djibouti | DJ | +253 |
| Dominica | DM | +1767 |
| East Timor | TL | +670 |
| Egypt | EG | +20 |
| Equatorial Guinea | GQ | +240 |
| Ethiopia | ET | +251 |
| Eritrea | ER | +291 |
| Estonia | EE | +372 |
| Faroe Islands | FO | +298 |
| Fiji | FJ | +679 |
| French Polynesia | PF | +689 |
| French Southern Territories (the) | TF | +262 |
| Gabon | GA | +241 |
| Gambia | GM | +220 |
| Georgia | GE | +995 |
| Gibraltar | GI | +350 |
| Greenland | GL | +299 |
| Guadeloupe | GP | +590 |
| Guam | GU | +1671 |
| Guinea | GN | +224 |
| Haiti | HT | +509 |
| Heard Island and McDonald Islands | HM | +672 |
| Honduras | HN | +504 |
| Indonesia | ID | +62 |
| Israel | IL | +972 |
| Iran | IR | +98 |
| Iraq | IQ | +964 |
| Ivory Coast | CI | +225 |
| Jersey | JE | +44 |
| Jordan | JO | +962 |
| Kazakhstan | KZ | +7 |
| Korea Dem People’s Rep | KP | +850 |
| Kosovo | XK | +383 |
| Kuwait | KW | +965 |
| Kyrgyzstan | KG | +996 |
| Laos PDR | LA | +856 |
| Lebanon | LB | +961 |
| Lesotho | LS | +266 |
| Liberia | LR | +231 |
| Libya | LY | +218 |
| Macau | MO | +853 |
| Macedonia | MK | +389 |
| Madagascar | MG | +261 |
| Malawi | MW | +265 |
| Malaysia | MY | +60 |
| Maldives | MV | +960 |
| Mali | ML | +223 |
| Martinique | MQ | +596 |
| Micronesia | FM | +691 |
| Moldova | MD | +373 |
| Mongolia | MN | +976 |
| Montserrat | MS | +1664 |
| Morocco | MA | +212 |
| Mozambique | MZ | +258 |
| Namibia | NA | +264 |
| Niue | NU | +683 |
| Nepal | NP | +977 |
| New Caledonia | NC | +687 |
| Niger | NE | +227 |
| Nigeria | NG | +234 |
| North Korea | KP | +850 |
| Northern Mariana Islands | MP | +1670 |
| Oman | OM | +968 |
| Pakistan | PK | +92 |
| Palestine | PS | +970 |
| Papua New Guinea | PG | +675 |
| Philippines | PH | +63 |
| Pitcairn | PN | +870 |
| Qatar | QA | +974 |
| Republic of North Macedonia | MK | +389 |
| Reunion/Mayotte | RE | +262 |
| Russia | RU | +7 |
| Rwanda | RW | +250 |
| Samoa | WS | +685 |
| Saudi Arabia | SA | +966 |
| Senegal | SN | +221 |
| Serbia | RS | +381 |
| Sierra Leone | SL | +232 |
| Singapore | SG | +65 |
| Solomon Islands | SB | +677 |
| Somalia | SO | +252 |
| South Georgia and the South Sandwich Islands | GS | +500 |
| Sri Lanka | LK | +94 |
| St Vincent Grenadines | VC | +1784 |
| Sudan | SD | +249 |
| Syria | SY | +963 |
| Tajikistan | TJ | +992 |
| Thailand | TH | +66 |
| Togo | TG | +228 |
| Tonga | TO | +676 |
| Tunisia | TN | +216 |
| Tuvalu | TV | +688 |
| Turkmenistan | TM | +993 |
| Turks and Caicos Islands | TC | +1649 |
| U.S. Virgin Islands | VI | +1340 |
| United Arab Emirates | AE | +971 |
| Uganda | UG | +256 |
| Uzbekistan | UZ | +998 |
| Vanuatu | VU | +678 |
| Venezuela | VE | +58 |
| Vietnam | VN | +84 |
| Wallis and Futuna | WF | +681 |
| Yemen | YE | +967 |
| Zambia | ZM | +260 |
| Zimbabwe | ZW | +263 |
| United States Minor Outlying Islands (the) | UM | |
Adaptive MFA with remembered devices
Learn how to use Stytch’s Device Fingerprinting (DFP) product to implement a remembered device flow, a form of adaptive MFA, to trigger MFA only on unrecognized logins.