Multi-factor authentication

The Stytch SDK allows Users to manage verification factors associated with their accounts. These include sensitive actions such as:

  • adding an email.
  • deleting a phone number.
  • adding a second auth factor.

These privileged actions require the User's Session to be authenticated with a secure combination of auth factors. In other words, the User's Session needs to be multi-factor authenticated.

For a Session to be considered secure or have completed MFA, it must include factors from at least two categories. Additionally, at least one factor in the Session must be less than an hour old.

Stytch auth factors are split into three general categories:

  1. Access to another online account or email address (OAuth, email magic links, email passcodes, and embeddable magic links).
  2. Access to a phone number (SMS and WhatsApp passcodes).
  3. Access to a dedicated 2nd factor (WebAuthn, Passkeys, and TOTP).

Here are some examples:

  • If a User completes a successful Email Magic Link flow and a successful SMS passcode flow, they will be considered securely authenticated.
  • If a User completes an Email Magic Link flow and an OAuth flow with their Google account, they will not be considered securely authenticated.

Important: If a User does not have enough registered factors to complete MFA, they are permitted to add a second auth factor without additional steps.
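The rule above (two categories, at least one factor under an hour old), the two worked examples, and the exception for Users who cannot yet complete MFA can be expressed as a small policy check. The following is an added illustration, not Stytch SDK code: the factor type names, the category labels, the `minutes_ago` helper, and the sample sessions are all constructed for this example, and it assumes "not enough registered factors" means the User has factors registered in fewer than two categories.

```python
from datetime import datetime, timedelta, timezone

# Factor types grouped into the three categories from the text.
# These type strings are constructed for the example, not Stytch identifiers.
CATEGORY_BY_FACTOR = {
    "oauth": "online_account",
    "email_magic_link": "online_account",
    "email_passcode": "online_account",
    "embeddable_magic_link": "online_account",
    "sms_passcode": "phone",
    "whatsapp_passcode": "phone",
    "webauthn": "dedicated_second_factor",
    "passkey": "dedicated_second_factor",
    "totp": "dedicated_second_factor",
}

# A factor counts as fresh only if it was authenticated less than an hour ago.
FRESHNESS_WINDOW = timedelta(hours=1)

# Fixed "current time" so the sample sessions below are deterministic.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def minutes_ago(minutes):
    """Timestamp `minutes` before NOW (helper for building sample sessions)."""
    return NOW - timedelta(minutes=minutes)


def categories_of(factors):
    """Distinct categories covered by a list of (factor_type, authenticated_at) pairs."""
    categories = set()
    for factor_type, _ in factors:
        if factor_type not in CATEGORY_BY_FACTOR:
            raise ValueError(f"unknown factor type: {factor_type}")
        categories.add(CATEGORY_BY_FACTOR[factor_type])
    return categories


def is_mfa_complete(session_factors, now=NOW):
    """True iff the session spans at least two categories and at least one
    factor is strictly less than FRESHNESS_WINDOW old."""
    if len(categories_of(session_factors)) < 2:
        return False
    return any(now - authenticated_at < FRESHNESS_WINDOW
               for _, authenticated_at in session_factors)


def may_perform(action, session_factors, registered_factors, now=NOW):
    """Gate a privileged action on the session.

    Assumption (not stated this precisely on the page): a User has "not enough
    registered factors" when their registered factors cover fewer than two
    categories; such a User may add a second factor without completing MFA."""
    if is_mfa_complete(session_factors, now):
        return True
    if action == "add_second_factor" and len(categories_of(registered_factors)) < 2:
        return True
    return False


# Constructed sample sessions mirroring the page's two examples plus a stale one.
SESSION_EML_SMS = [("email_magic_link", minutes_ago(30)), ("sms_passcode", minutes_ago(5))]
SESSION_EML_OAUTH = [("email_magic_link", minutes_ago(30)), ("oauth", minutes_ago(5))]
SESSION_STALE = [("email_magic_link", minutes_ago(90)), ("totp", minutes_ago(61))]

if __name__ == "__main__":
    print("EML + SMS:", is_mfa_complete(SESSION_EML_SMS))       # True
    print("EML + OAuth:", is_mfa_complete(SESSION_EML_OAUTH))   # False
    print("EML + TOTP, both stale:", is_mfa_complete(SESSION_STALE))  # False
```

Note that a session made of two factors from different categories still fails the check when both are older than an hour, so callers should treat a `False` result as "step up first", not as a permanent denial.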