Multi-factor authentication (MFA)
Multi-factor authentication requires users to verify their identity using at least two independent factors from different categories:
- Knowledge – something the user knows (password, PIN)
- Possession – something the user has (mobile device, security key, email inbox)
- Inherence – something the user is (fingerprint, facial recognition)
How MFA works
Configure MFA per identity pool by selecting which authentication methods are available as first-factor (1FA) and second-factor (2FA) authentication. When a user signs in with a first factor (for example, a password), SecureAuth Connect checks whether a second factor is required based on the pool configuration and active policies.
The method used for the second factor must differ from the first. Available second-factor methods include SMS OTP, email OTP, voice OTP, TOTP, push notification, symbol challenge, QR code, and passkeys.
MFA enforcement points
Enforce MFA at three points in the authentication flow:
| Enforcement point | When it triggers | Learn more |
|---|---|---|
| Application login | After first-factor authentication, before the user accesses the application. | Require MFA for application login |
| Scope consent | Before granting access to protected data scopes. The user must complete MFA for each protected scope. | Enforce MFA during scope granting |
| Platform login | When an administrator signs in to the SecureAuth Connect admin console. | Require MFA on SecureAuth login |
Users can enable Remember my selection on the sign-in page to keep their chosen method for future logins. As an administrator, you can set a preferred method for both first-factor and second-factor authentication in the identity pool sign-in settings.
You can also configure these options in the identity pool sign-in settings:
- Allow users to log in without 2FA if not configured – Users without any 2FA configured can skip that sign-in step. This lets new users complete sign-in and set up their MFA methods later.
- Reduce 2FA verification on same device – Users are not asked again for 2FA for a defined period of time on the same device. Set to 0s to disable.
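The decision described above (the second factor must differ from the first, users without any 2FA may skip the step only when the pool allows it, and a recent 2FA on the same device is honoured only while the configured window is non-zero and unexpired) can be modelled as a small policy check. The following is an added Python example written for this page; it is not SecureAuth Connect's own code, and the setting names (`first_factor_methods`, `reduce_2fa_window_seconds`, and so on) and the sample users and devices are constructed assumptions, not the product's configuration schema. It models the "Application login" enforcement point from the table.

```python
from dataclasses import dataclass, field

# Constructed model of an identity pool's sign-in settings. The field names
# are assumptions for this example, not SecureAuth Connect's schema.
@dataclass
class PoolSettings:
    first_factor_methods: set
    second_factor_methods: set
    allow_login_without_2fa_if_not_configured: bool = False
    # "Reduce 2FA verification on same device", in seconds; 0 is the 0s
    # setting from the documentation, meaning the reduction is disabled.
    reduce_2fa_window_seconds: int = 0


@dataclass
class User:
    name: str
    configured_2fa: set
    # device id -> epoch seconds of the last successful 2FA on that device
    last_2fa_by_device: dict = field(default_factory=dict)


def eligible_second_factors(settings, user, first_factor):
    """Second-factor methods that are enabled in the pool, enrolled by the
    user, and different from the method already used as the first factor."""
    usable = settings.second_factor_methods & user.configured_2fa
    return sorted(usable - {first_factor})


def second_factor_decision(settings, user, first_factor, device_id, now):
    """Return (require_2fa, reason) for a sign-in that just passed its first factor."""
    if first_factor not in settings.first_factor_methods:
        raise ValueError(f"{first_factor!r} is not an enabled first-factor method")

    # Remembered device: honoured only when the window is non-zero and has
    # not expired. The lower bound guards against a clock that moved backwards.
    window = settings.reduce_2fa_window_seconds
    if window > 0:
        last = user.last_2fa_by_device.get(device_id)
        if last is not None and 0 <= now - last < window:
            return False, "2fa_verified_recently_on_this_device"

    if eligible_second_factors(settings, user, first_factor):
        return True, "2fa_required"

    if settings.allow_login_without_2fa_if_not_configured:
        # New user with nothing enrolled: let them in so they can set up MFA later.
        return False, "no_2fa_configured_skip_allowed"

    # No usable second factor and skipping is not allowed: sign-in cannot complete.
    return True, "2fa_required_but_none_configured"


def record_2fa_success(user, device_id, now):
    """Remember that this device just completed 2FA (feeds the reduce-2FA window)."""
    user.last_2fa_by_device[device_id] = now


if __name__ == "__main__":
    # Constructed sample pool: password or email OTP as first factor, a 12 h window.
    pool = PoolSettings(
        first_factor_methods={"password", "email_otp"},
        second_factor_methods={"totp", "email_otp", "sms_otp"},
        allow_login_without_2fa_if_not_configured=True,
        reduce_2fa_window_seconds=12 * 3600,
    )
    alice = User("alice", {"totp", "email_otp"}, {"laptop": 1_000_000})
    bob = User("bob", set())  # has not enrolled any second factor yet
    now = 1_000_000 + 3600
    print(second_factor_decision(pool, alice, "password", "laptop", now))
    print(second_factor_decision(pool, alice, "email_otp", "phone", now))
    print(eligible_second_factors(pool, alice, "email_otp"))
    print(second_factor_decision(pool, bob, "password", "phone", now))
```

Note that signing in with email OTP as the first factor removes email OTP from the second-factor candidates, which is the "must differ" rule; and setting the window to 0 makes the remembered-device branch unreachable, so every sign-in goes through the full check.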