Multi-factor authentication
Overview
Multi-factor authentication (MFA) is a security process that requires users to verify their identity through multiple forms of credentials before gaining access to a system. SuperTokens allows you to integrate MFA in your application using either Email/SMS One-Time Password (OTP) or Time-based One-Time Password (TOTP).
Prerequisites
This feature is only available to paid users.
Magic link via email or SMS is only supported as a first factor in the pre-built UI. It does not work as a second factor: if the magic link is opened on a different device, that device has no reference to the existing session established by the first factor, so the second factor cannot be tied to it. Use OTP-based authentication over email or SMS instead; it provides the same level of security as a magic link.
Getting started
The quickest way to get a glimpse of how MFA works with SuperTokens is to use the example app. Just run the following command to get started:
npx create-supertokens-app@latest --recipe=multifactorauth
Besides that, you can follow the quickstart guide for step-by-step instructions, and the other guides for more specific use cases.
Before you start a guide, read the Important Concepts page first. It explains several topics that every tutorial relies on.
Important Concepts
A quick explanation of how MFA works and of the common terminology used throughout the guides.
Quickstart Guide
Implement an authentication flow that uses MFA.
Implement Step Up Authentication
Require additional authentication challenges on specific routes or actions.
Implement Recovery Codes
Allow users to recover their account if they lose access to one of the factors.
Customization
To adjust the functionality to fit your use case, explore the following sections of the documentation.
Require TOTP for all users
Force all users to use TOTP.
Require TOTP for specific users
Enable TOTP only for some of the users.
Require OTP for all users
Force all users to use OTP.
Require OTP for specific users
Enable OTP only for some of the users.
Protect frontend and backend routes
Check for the MFA status on specific routes.