Authentication overview
SecureAuth Connect gives you a range of authentication methods to balance security, usability, and reach. You can combine methods as first-factor, second-factor, or step-up authentication depending on your use case.
This section covers how to configure each method, what users experience, and when to use one method over another.
Authentication methods
- All methods
- By use case
- By what users need
Any enabled method can be configured as first-factor or second-factor authentication in the identity pool sign-in settings.
| Method | Description | User needs |
|---|---|---|
| Passkeys | Device-bound cryptographic login, no password | Device with biometrics or security key |
| Email OTP | One-time code sent to email | Email address |
| SMS OTP | One-time code sent via text message | Phone number |
| Voice OTP | One-time code read aloud by phone call | Phone number |
| TOTP | Time-based codes from a mobile authenticator app | Authenticator app (any) |
| Social login | Sign in with Apple, Facebook, GitHub, Google, LinkedIn, Microsoft, or X | Existing social account |
| Push notification | Approve or deny on a mobile device | SecureAuth Authenticate mobile app |
| Symbol | Match a symbol on screen and mobile device | SecureAuth Authenticate mobile app |
| QR code | Scan a QR code with a mobile device to sign in | SecureAuth Authenticate mobile app |
| SSO | Sign in using your company's identity provider | Company IdP account |
| Magic link | One-click email login | Email address |
| Password | Traditional username and password | Username and password |
Consumer apps (B2C)
Minimize friction. Let users sign in with what they already have.
| Method | Why |
|---|---|
| Social login | Users sign in with an existing account. No new password to create. |
| Passkeys | Single biometric tap. Phishing-resistant. No password resets. |
| Email OTP | Works on any device with an email client. No app install needed. |
| Magic link | One click in email. Lowest friction for email-based flows. |
B2B
Stronger security for partners, customers, and their organizations.
| Method | Why |
|---|---|
| SSO | Centralized authentication through a company identity provider. |
| TOTP | Offline codes from an authenticator app. No SMS costs. |
| Push notification | Fast approve/deny on managed devices. |
| Passkeys | Phishing-resistant MFA that satisfies NIST AAL3 requirements. |
High-security flows
Step-up or second-factor for sensitive actions.
| Method | Why |
|---|---|
| Symbol | Anti-phishing. User must match symbols across two screens. |
| Passkeys | Cryptographic proof of device possession. |
| TOTP | Codes never travel over a network. No SIM-swap risk. |
| SMS OTP | Broad reach when users don't have an authenticator app. |
| Voice OTP | Accessible fallback. Works on landlines. |
Nothing (already have an account)
| Method | Details |
|---|---|
| Social login | Users sign in with Apple, Google, Facebook, etc. |
| SSO | Users sign in with their company IdP. |
| Password | Traditional username and password. |
Email address
| Method | Details |
|---|---|
| Email OTP | Code sent to email. Works as 1FA or 2FA. |
| Magic link | One-click link sent to email. |
Phone number
| Method | Details |
|---|---|
| SMS OTP | Code sent via text message. |
| Voice OTP | Code read aloud by phone call. Works on landlines. |
Mobile app (any authenticator)
| Method | Details |
|---|---|
| TOTP | Works with Google Authenticator, Microsoft Authenticator, Authy, etc. |
SecureAuth Authenticate mobile app
| Method | Details |
|---|---|
| Push notification | Approve or deny with one tap. |
| Symbol | Match a symbol for anti-phishing. |
| QR code | Scan and sign in. Good for shared devices. |
Device with biometrics or security key
| Method | Details |
|---|---|
| Passkeys | FIDO2 cryptographic login. Touch ID, Windows Hello, YubiKey. |
How authentication is configured
Authentication in SecureAuth Connect is configured at three levels:
| Level | Where | What you configure |
|---|---|---|
| Tenant | Tenant Settings > Message Providers | Set up delivery channels for OTP (email, SMS, voice). Configure code length and lifetime in MFA Settings. |
| Workspace | Authentication > Settings > Methods | Enable the authentication methods available for the workspace. Add social or enterprise identity providers under Providers. |
| Identity pool | Users > Sign-in and Sign-up | Add methods as first-factor or second-factor. Set a preferred method. |