Multi-factor authentication (MFA)
SecureAuth Connect multi-factor authentication (MFA) adds one or more verification steps after the user enters their credentials. You can enforce MFA at three points in the authentication flow: application login, scope consent, and platform login.
MFA enforcement points
Organizations may require multi-factor authentication at the following points:
- Upon user sign in to an application
- Upon scope grant (consent)
- Upon user sign in to SecureAuth
Application login MFA
After a user signs in with their username and password, MFA prompts them to verify their identity through an additional method such as email, SMS, or voice call. The user receives a one-time password (OTP) and enters it to complete authentication. If verification succeeds, the application proceeds to consent and token exchange.
Scope consent MFA
After the user authenticates (and completes any login MFA), the consent screen displays the scopes requested by the client application. When you enable MFA protection on specific scopes, the user must select a verification method (email, SMS, or voice call) and enter the OTP code. After successful verification, the protected scopes become available for granting.
Platform login MFA
You can require administrators to complete MFA when signing in to the SecureAuth Connect admin console.
One-time passwords (OTPs) and verification codes for MFA
MFA in SecureAuth Connect combines a first factor (the knowledge factor, username and password, or a passkey) with a possession factor (a one-time password, also called a verification code).
OTP codes can be delivered through three channels:
| Delivery channel | Description |
|---|---|
| SMS | OTP sent via text message, supported by Twilio. Requires an SMS provider configured in Tenant Settings > Message Providers > SMS tab. |
| Email | OTP sent via email, supported by any SMTP gateway. Requires an email provider configured in Tenant Settings > Message Providers > Email tab. |
| Voice call | OTP read aloud during an automated voice call, supported by Twilio Programmable Voice. Requires a voice provider configured in Tenant Settings > Message Providers > Voice tab. |
The verification code length and lifetime are configurable per channel. See Configure verification codes for MFA for details.
OTP configuration overview
OTP-based MFA requires configuration at two levels: tenant and workspace.
| Configuration | Level | Location | Description |
|---|---|---|---|
| Message provider | Tenant | Tenant Settings > Message Providers | Set up the service that delivers OTP codes (email, SMS, or voice). |
| Verification code settings | Tenant | Tenant Settings > MFA Settings | Set code length and lifetime for each delivery channel. See Configure verification codes for MFA. |
| Authentication method | Workspace | Authentication > Settings > Methods | Enable the OTP methods (email, SMS, voice) available to users. |
SMS and voice OTP use the same phone number on the user's profile. Users do not need to register a separate phone number for each channel.
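To make the two configuration points above concrete, the following is an added example (not SecureAuth Connect code): a small OTP issuer and verifier that models per-channel code length and lifetime, resolves the delivery address from the user's profile (email for the email channel; the single profile phone number for both SMS and voice), and enforces the checks a verifier needs so that a leaked or guessed code is useless: expiry, single use, an attempt limit, and a constant-time comparison. The channel settings, `MAX_ATTEMPTS`, the user profile and all function names are assumptions chosen for the example, not SecureAuth defaults.

```python
"""Added example: per-channel OTP issuance and verification (not SecureAuth Connect code)."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed per-channel settings for the example; SecureAuth stores the real
# values under Tenant Settings > MFA Settings, and these are not its defaults.
CHANNEL_SETTINGS = {
    "email": {"length": 8, "lifetime_s": 600},
    "sms":   {"length": 6, "lifetime_s": 300},
    "voice": {"length": 6, "lifetime_s": 300},
}
MAX_ATTEMPTS = 5  # assumed lockout threshold for one challenge


@dataclass
class Challenge:
    channel: str
    code: str
    expires_at: float
    attempts: int = 0
    used: bool = False


def delivery_target(user: dict, channel: str) -> str:
    """Return where the code is sent: SMS and voice share the one profile phone number."""
    if channel == "email":
        return user["email"]
    if channel in ("sms", "voice"):
        return user["phone"]
    raise ValueError(f"unknown channel: {channel}")


def generate_code(length: int) -> str:
    # Draw every digit from the CSPRNG; building a string keeps leading zeros.
    return "".join(str(secrets.randbelow(10)) for _ in range(length))


def issue_challenge(channel: str, now: Optional[float] = None) -> Challenge:
    """Create a challenge whose length and lifetime come from the channel's settings."""
    settings = CHANNEL_SETTINGS[channel]
    now = time.time() if now is None else now
    return Challenge(channel, generate_code(settings["length"]), now + settings["lifetime_s"])


def verify_code(challenge: Challenge, submitted: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'used', 'expired', 'locked' or 'mismatch'.

    Order matters: a code is refused once it has been used or has expired,
    and every attempt is counted so that a guessing loop hits the lockout.
    """
    now = time.time() if now is None else now
    if challenge.used:
        return "used"
    if now > challenge.expires_at:
        return "expired"
    if challenge.attempts >= MAX_ATTEMPTS:
        return "locked"
    challenge.attempts += 1
    # hmac.compare_digest avoids leaking how many leading digits matched.
    if hmac.compare_digest(challenge.code.encode(), submitted.encode()):
        challenge.used = True
        return "ok"
    return "mismatch"


if __name__ == "__main__":
    # Constructed user profile for the demo.
    user = {"email": "user@example.test", "phone": "+15555550100"}
    ch = issue_challenge("sms")
    print(f"sending {ch.code} to {delivery_target(user, 'sms')}")
    print(verify_code(ch, ch.code))   # ok
    print(verify_code(ch, ch.code))   # used
```

The `now` parameter exists so that expiry can be tested deterministically; a real service would read the clock itself and would keep challenges in server-side storage keyed to the session rather than in memory.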
User experience
After you enable MFA, users encounter OTP verification in the following flows:
- Login. During sign-in, users select their preferred verification method (email, SMS, or voice call), receive an OTP, and enter it on the verification screen.
- Registration. New users can choose their preferred MFA method during account registration.
- Activation. Users activating their accounts verify their identity by completing an OTP challenge.
- User portal. Users can view and manage their configured MFA methods in the self-service portal.