/
Contact usSee pricingStart building

    About B2B Saas Authentication

    Introduction
    Stytch B2B Basics
    Integration Approaches
      Full-stack overview
      Frontend (pre-built UI)
      Frontend (headless)
      Backend
    Next.js
      Routing
      Authentication
      Sessions
    Migrations
      Overview
      Reconciling data models
      Migrating user data
      Additional migration considerations
      Zero-downtime deployment
      Exporting from Stytch

    Authentication

    Single Sign On

    • Resources

        • Overview

    • Integration Guides

        • Start here
        Backend integration guide
        Headless integration guide
        Pre-built UI integration guide
    OAuth

    • Resources

        • Overview
        Authentication flows
        Identity providers
        Google One Tap

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Sessions

    • Resources

        • Overview
        JWTs vs Session Tokens
        How to use Stytch JWTs
        Custom Claims

    • Integration Guides

        • Start here
        Backend integration
        Frontend integration
    Email OTP
      Overview
    Magic Links

    • Resources

        • Overview
        Email Security Scanner Protections

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Multi-Factor Authentication

    • Resources

        • Overview

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Passwords
      Overview
      Strength policies
    UI components
      Overview
      Implement the Discovery flow
      Implement the Organization flow
    DFP Protected Auth
      Overview
      Setting up DFP Protected Auth
      Handling challenges
    M2M Authentication
      Authenticate an M2M Client
      Rotate client secrets
      Import M2M Clients from Auth0

    Authorization & Provisioning

    RBAC

    • Resources

        • Overview
        Stytch Resources & Roles
        Role assignment

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
    SCIM

    • Resources

        • Overview
        Supported actions

    • Integration Guides

        • Using Okta
        Using Microsoft Entra
    Organizations
      Managing org settings
      JIT Provisioning

    Testing

    E2E testing
    Sandbox values

Get support on Slack

Visit our developer forum

Contact us

B2B Saas Authentication

/

Guides

/

Authentication

/

Multi-Factor Authentication

/

Resources

/

Overview

Multi-Factor Authentication

Multi-factor authentication (MFA) enhances security by requiring users to provide two or more verification factors prior to accessing their account, greatly reducing the likelihood of account compromise.

API Objects & Endpoints

API Resources

Description

Organization

A top-level tenant that groups members, auth settings, roles, and other identity configurations.

Member

Represents an authenticated user who is a member of a specific Organization.

SMS OTP

A collection of endpoints for enrolling in and performing MFA with SMS OTPs.

TOTP

A collection of endpoints for enrolling in and performing MFA with authenticator apps using TOTP.

Member Session

A managed session that tracks a Member's logged-in state using JWTs or session tokens.

How it works

Stytch supports two different methods of secondary authentication:

  1. SMS One-time passcodes (OTPs)
  2. Authenticator app Time-based One-time passcodes (TOTPs)

Stytch handles:

  • Enforced enrollment in MFA based on the Organization's MFA Policy (optional or required, allowed secondary methods)
  • Optional enrollment in MFA, even if Organization does not require it
  • Enforcing that MFA requirements for the Member and Organization have been met prior to a Session being issued

API Objects & Endpoints

How it works