Multi-factor authentication

This page provides you with information on multi-factor authentication.

Multi-factor authentication (MFA) is a security process in which users provide two or more authentication factors to verify their identity.

Enabling MFA

To use MFA, your brand must enable it. The configuration IS_MFA_ENABLED determines if MFA is active. To enable MFA, please raise a ticket with the sustenance team.

MFA Flow

Below is a flow chart indicating the steps involved in OTP validation. The steps are the same for new and existing users of a brand.

The MFA workflow is as follows:

  1. Generate token - v1/token/generate
  2. Use the session ID and generate MFA OTP - v1/mfa/OTP/generate
  3. Validate the OTP - v1/mfa/OTP/validate

MFA flow with 2nd factor identifier

To enable the 2nd factor identifier, use the config CONF_AUTO_FILL_2ND_FACTOR_IDENTIFIER. See General configurations.

If you enable it, the auth engine automatically populates the identifier type and value for each API in the MFA flow. This occurs for the particular session for which the token is generated from the primary flow.
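The three-step flow and the auto-fill behaviour described above, as a simplified in-memory model. This is an added example, not the auth engine's code: the class, method and field names, the identifier type "MOBILE" used to exercise it, the 6-digit OTP and the single-use rule are all assumptions.

```python
import hmac
import secrets

class MfaFlowModel:
    """Simplified in-memory model of the three-step flow; every field name is assumed."""

    def __init__(self, auto_fill_identifier):
        # Stands in for CONF_AUTO_FILL_2ND_FACTOR_IDENTIFIER.
        self.auto_fill_identifier = auto_fill_identifier
        self.sessions = {}

    def generate_token(self, identifier_type, identifier_value):
        # Step 1 (v1/token/generate): the primary flow creates the session.
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = {
            "identifier": (identifier_type, identifier_value),
            "pending": None,       # (identifier, otp) awaiting validation
            "mfa_passed": False,
        }
        return session_id

    def _identifier_for(self, session_id, supplied):
        session = self.sessions.get(session_id)
        if session is None:
            raise PermissionError("unknown session ID")
        if self.auto_fill_identifier:
            # Populated from the session created by the primary flow.
            return session, session["identifier"]
        if supplied is None:
            raise ValueError("identifier type and value are required")
        return session, supplied

    def generate_mfa_otp(self, session_id, identifier=None):
        # Step 2 (v1/mfa/OTP/generate): needs the session ID from step 1.
        session, resolved = self._identifier_for(session_id, identifier)
        otp = f"{secrets.randbelow(10**6):06d}"
        session["pending"] = (resolved, otp)
        return resolved, otp  # returned only so the model can be exercised

    def validate_mfa_otp(self, session_id, otp, identifier=None):
        # Step 3 (v1/mfa/OTP/validate): must match the OTP issued in step 2.
        session, resolved = self._identifier_for(session_id, identifier)
        if session["pending"] is None:
            raise PermissionError("no MFA OTP was generated for this session")
        issued_for, issued_otp = session["pending"]
        if issued_for == resolved and hmac.compare_digest(issued_otp, otp):
            session["pending"] = None  # assumption: an OTP is single use
            session["mfa_passed"] = True
            return True
        return False
```

With auto-fill on, the model takes the MFA identifier from the session created in step 1, so steps 2 and 3 need only the session ID; with it off, the caller has to supply the identifier type and value on each call.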

The flow diagram below illustrates the steps involved and how the identifier type and value are populated.

The table below shows the four authentication combinations supported in the 2nd factor identifier.

| Authentication method in the primary flow | Authentication method in MFA flow |
|---|---|
| OTP | OTP |
| OTP | Password |
| Password | OTP |
| Password | Password |

OTP - OTP workflow

Below is a flow diagram indicating the steps involved and how the identifier type and value are populated when the authentication combination is OTP - OTP.

OTP - Password workflow

Below is a flow diagram indicating the steps involved and how the identifier type and value are populated when the authentication combination is OTP - Password.

Password - OTP workflow

Below is a flow diagram indicating the steps involved and how the identifier type and value are populated when the authentication combination is Password - OTP.

Password - Password workflow

Below is a flow diagram indicating the steps involved and how the identifier type and value are populated when the authentication combination is Password - Password.