> ## Documentation Index
> Fetch the complete documentation index at: https://stytch.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# Overview
> Implement Stytch's MFA using SMS OTP or TOTP as secondary factors.
# Multi-Factor Authentication
**Multi-factor authentication (MFA)** enhances security by requiring users to provide two or more verification factors prior to accessing their account, which reduces the likelihood of account compromise.
Use the MFA API to manage multi-factor authentication on your backend.
Use the MFA SDKs to implement multi-factor authentication in your frontend.
## How it works
Stytch supports two different methods of secondary authentication:
1. **SMS one-time passcodes (OTPs)**. OTPs ask users to enter a unique numeric or alphanumeric code sent via SMS to a recognized mobile phone number.
2. **Authenticator app time-based one-time passcodes (TOTPs)**. TOTPs ask users to confirm control of their device within a certain time frame using a passcode generated by a smartphone app like Authy or Google Authenticator.
Stytch handles:
* Enforced enrollment in MFA based on the Organization's MFA policy, which determines whether MFA is optional or required and which methods are allowed.
* Optional enrollment in MFA, even if Organization does not require it.
* Enforcing that MFA requirements for the Member and Organization have been met prior to a Stytch session being issued.
## OTP considerations
### Cost
When using Stytch's SMS OTP product, Stytch will passthrough SMS costs from our upstream providers. You can see the pricing for each country by visiting [Country Code Allowlists](https://stytch.com/dashboard/country-code-allowlists) in the Stytch Dashboard. This is important to keep in mind as you plan costs and which countries you want to support as pricing can vary significantly by country.
### Country code allowlist
By default, a Stytch project will have only the United States (US) and Canada (CA) enabled for SMS OTP sends. To enable SMS OTP sends to other allowed countries, you can add the country to your country code allowlist in the [Stytch Dashboard](https://stytch.com/dashboard/country-code-allowlists) or via the [`country_code_allowlist endpoint`](/api-reference/pwa/api/v3/country-code-allowlist/set-country-code-allowlist-sms).
Stytch does **not support** sending SMS passcodes to the following countries. If you attempt to add a country listed below to your country code allowlist, the API will return an `country_code_allowlist_invalid_country_codes` error.
| Country | Alpha-2 | Prefix |
| -------------------------------------------- | ------- | ------ |
| Algeria | DZ | +213 |
| Afghanistan | AF | +93 |
| Albania | AL | +355 |
| Andorra | AD | +376 |
| Angola | AO | +244 |
| Antarctica | AQ | +672 |
| Armenia | AM | +374 |
| Aruba | AW | +297 |
| Azerbaijan | AZ | +994 |
| Bahamas | BS | +1242 |
| Bahrain | BH | +973 |
| Bangladesh | BD | +880 |
| Barbados | BB | +1246 |
| Belarus | BY | +375 |
| Belize | BZ | +501 |
| Bermuda | BM | +1441 |
| Bhutan | BT | +975 |
| Bosnia and Herzegovina | BA | +387 |
| Botswana | BW | +267 |
| Bouvet Island | BV | +47 |
| British Virgin Islands | VG | +1284 |
| Burma (Myanmar) | MM | +95 |
| Burundi | BI | +257 |
| Cambodia | KH | +855 |
| Cape Verde | CV | +238 |
| Cayman Islands | KY | +1345 |
| Chad | TD | +235 |
| China – including Hong Kong | CN | +86 |
| Comoros | KM | +269 |
| Congo, Dem Rep | CD | +243 |
| Cote D'Ivoire (Ivory Coast) | CI | +225 |
| Cuba | CU | +53 |
| Curaçao and Caribbean Netherlands | CW | +599 |
| Cyprus | CY | +357 |
| Democratic Republic of Congo | CD | +243 |
| Djibouti | DJ | +253 |
| Dominica | DM | +1767 |
| East Timor | TL | +670 |
| Egypt | EG | +20 |
| Equatorial Guinea | GQ | +240 |
| Ethiopia | ET | +251 |
| Eritrea | ER | +291 |
| Estonia | EE | +372 |
| Faroe Islands | FO | +298 |
| Fiji | FJ | +679 |
| French Polynesia | PF | +689 |
| French Southern Territories (the) | TF | +262 |
| Gabon | GA | +241 |
| Gambia | GM | +220 |
| Georgia | GE | +995 |
| Gibraltar | GI | +350 |
| Greenland | GL | +299 |
| Guadeloupe | GP | +590 |
| Guam | GU | +1671 |
| Guinea | GN | +224 |
| Haiti | HT | +509 |
| Heard Island and McDonald Islands | HM | +672 |
| Honduras | HN | +504 |
| Indonesia | ID | +62 |
| Israel | IL | +972 |
| Iran | IR | +98 |
| Iraq | IQ | +964 |
| Ivory Coast | CI | +225 |
| Jersey | JE | +44 |
| Jordan | JO | +962 |
| Kazakhstan | KZ | +7 |
| Korea Dem People's Rep | KP | +850 |
| Kosovo | XK | +383 |
| Kuwait | KW | +965 |
| Kyrgyzstan | KG | +996 |
| Laos PDR | LA | +856 |
| Lebanon | LB | +961 |
| Lesotho | LS | +266 |
| Liberia | LR | +231 |
| Libya | LY | +218 |
| Macau | MO | +853 |
| Macedonia | MK | +389 |
| Madagascar | MG | +261 |
| Malawi | MW | +265 |
| Malaysia | MY | +60 |
| Maldives | MV | +960 |
| Mali | ML | +223 |
| Martinque | MQ | +596 |
| Micronesia | FM | +691 |
| Moldova | MD | +373 |
| Mongolia | MN | +976 |
| Montserrat | MS | +1664 |
| Morocco | MA | +212 |
| Mozambique | MZ | +258 |
| Namibia | NA | +264 |
| Niue | NU | +683 |
| Nepal | NP | +977 |
| New Caledonia | NC | +687 |
| Niger | NE | +227 |
| Nigeria | NG | +234 |
| North Korea | KP | +850 |
| Northern Mariana Islands | MP | +1670 |
| Oman | OM | +968 |
| Pakistan | PK | +92 |
| Palestine | PS | +970 |
| Papua New Guinea | PG | +675 |
| Philippines | PH | +63 |
| Pitcairn | PN | +870 |
| Qatar | QA | +974 |
| Republic of North Macedonia | MK | +389 |
| Reunion/Mayotte | RE | +262 |
| Russia | RU | +7 |
| Rwanda | RW | +250 |
| Samoa | WS | +685 |
| Saudi Arabia | SA | +966 |
| Senegal | SN | +221 |
| Serbia | RS | +381 |
| Sierra Leone | SL | +232 |
| Singapore | SG | +65 |
| Solomon Islands | SB | +677 |
| Somalia | SO | +252 |
| South Georgia and the South Sandwich Islands | GS | +500 |
| Sri Lanka | LK | +94 |
| St Vincent Grenadines | VC | +1784 |
| Sudan | SD | +249 |
| Syria | SY | +963 |
| Tajikistan | TJ | +992 |
| Thailand | TH | +66 |
| Togo | TG | +228 |
| Tonga | TO | +676 |
| Tunisia | TN | +216 |
| Tuvalu | TV | +688 |
| Turkmenistan | TM | +993 |
| Turks and Caicos Islands | TC | +1649 |
| U.S. Virgin Islands | VI | +1340 |
| United Arab Emirates | AE | +971 |
| Uganda | UG | +256 |
| Uzbekistan | UZ | +998 |
| Vanuatu | VU | +678 |
| Venezuela | VE | +58 |
| Vietnam | VN | +84 |
| Wallis and Futuna | WF | +681 |
| Yemen | YE | +967 |
| Zambia | ZM | +260 |
| Zimbabwe | ZW | +263 |
| United States Minor Outlying Islands (the) | UM | |
For more information about SMS deliverability and best practices, see our [SMS and WhatsApp deliverability guide](/resources/policies/messaging/deliverability/sms-whatsapp-deliverability).
***
Learn how to use Stytch's Device Fingerprinting (DFP) product to implement a remembered device flow, a form of adaptive MFA, to trigger MFA only on unrecognized logins.