Configure MFA
Configure MFA settings in Logto
Follow these steps to enable MFAs in users' Logto sign-in flow:
- Navigate to: Console > Multi-factor auth.
- Enable the supported verification factors for your users.
- Primary factors:
- Authenticator App OTP: The most common and widely accepted method. Use a time-based one-time password (TOTP) generated by an authenticator app like Google Authenticator or Authy.
- Passkeys (WebAuthn): A high-security option suitable for web products supporting device biometrics or security keys, etc., ensuring robust protection.
- Backup factors:
- Backup codes: This serves as a backup option when users can't verify any of the primary factors mentioned above. Enabling this option reduces friction for users' access successfully.
- Primary factors:
- Choose if you want to enable Require MFA:
- Enable: Users will be prompted to set up MFA during the sign-in process which cannot be skipped. If the user fails to set up MFA or deletes their MFA settings, they will be locked out of their account until they set up MFA again.
- Disable: Users can skip the MFA setup process during the sign-up flow. They may set up MFA later through your self-service account settings page. Learn more about implementing a user account settings page. And continue to choose the policy for the MFA setup prompt:
- Do not ask users to set up MFA: Users will not be prompted to set up MFA during sign-in.
- Ask users to set up MFA during registration: New users will be prompted to set up MFA during registration, and existing users will see the prompt at their next sign-in. Users can skip this step, and it won't appear again.
- Ask users to set up MFA on their sign-in after registration: New users will be prompted to set up MFA at their second sign-in after registration, and existing users will see the prompt at their next sign-in. Users can skip this step, and it won't appear again.
For products with a multi-tenant architecture that support Organizations, in most cases you don't need to require MFA for all users. Instead, MFA can be enabled on a per-organization basis, allowing you to tailor the requirements based on each client's needs. To get started, refer to Requiring MFA for organization members.
MFA user flow
MFA set-up flow
Once the MFA is enabled, users will be prompted to set up MFA during the sign-in and sign-up process. Users can choose to skip this setup process if and only if the “User-controlled MFA“ policy is enabled.
- Visit sign-in or sign-up page: The user navigates to the sign-in or sign-up page.
- Completes sign-in or sign-up: The user completes the identity verification process within the sign-in or sign-up flow.
- Set up MFA primary factor: The user is prompted to set up their primary MFA factor (either Authenticator app OTP or WebAuthn). If multiple primary factors are enabled, they can choose their preferred option. If the “User-controlled MFA” policy is enabled, they can also skip this step by selecting the "Skip" button.
- Set up MFA backup factor: If Backup codes are enabled, the user is prompted to set up backup codes after successfully configuring their primary authentication factor. Auto generated backup codes will be displayed to the user, which they can download and store securely. User must manually confirm the backup codes to complete the MFA setup process.
MFA verification flow
Users who have set up MFA will be prompted to verify their identity using their configured MFA factors during sign-in. The verification factor will depend on the MFA configuration in Logto and the user settings.
- If a user has set up only one factor, they will verify it directly.
- If a user has set up multiple factors as 2FA, they will need to choose one to verify.
- If all the enabled primary factors are not available to the user, and backup code is enabled, they can use the one-time backup code to verify their identity.
