Configure MFA
Configure MFA settings in Logto
Logto provides flexible MFA configuration options to meet different security requirements. You can configure MFA at the global level for all users or enable it on a per-organization basis for multi-tenant applications.
Global MFA configuration
Follow these steps to enable MFAs in users' Logto sign-in flow:
- Navigate to: Console > Multi-factor auth.
- Enable the supported verification factors for your users.
  - Primary factors:
    - Authenticator App OTP: The most common and widely accepted method. Users enter a time-based one-time password (TOTP) generated by an authenticator app such as Google Authenticator or Authy.
    - Passkeys (WebAuthn): A high-security option for web products that support device biometrics or security keys, providing robust protection.
  - Backup factors:
    - Backup codes: A fallback for when users cannot verify any of the primary factors above. Enabling this option reduces friction and helps users keep access to their accounts.
- Choose whether to enable Require MFA:
  - Enable: Users will be prompted to set up MFA during the sign-in process and cannot skip it. If a user fails to set up MFA or deletes their MFA settings, they will be locked out of their account until they set up MFA again.
  - Disable: Users can skip the MFA setup process during the sign-up flow and may set up MFA later through your self-service account settings page. Learn more about implementing a user account settings page. Then choose the policy for the MFA setup prompt:
    - Do not ask users to set up MFA: Users will not be prompted to set up MFA during sign-in.
    - Ask users to set up MFA during registration: New users will be prompted to set up MFA during registration, and existing users will see the prompt at their next sign-in. Users can skip this step, and it won't appear again.
    - Ask users to set up MFA on their sign-in after registration: New users will be prompted to set up MFA at their second sign-in after registration, and existing users will see the prompt at their next sign-in. Users can skip this step, and it won't appear again.

Organization-level MFA configuration
For products with a multi-tenant architecture that support Organizations, in most cases you don't need to require MFA for all users. Instead, MFA can be enabled on a per-organization basis, allowing you to tailor the requirements based on each client's needs. To get started, refer to Requiring MFA for organization members.
MFA user flow
MFA set-up flow
Once MFA is enabled, users will be prompted to set up MFA during the sign-in and sign-up process. Users can skip this setup only if the “User-controlled MFA” policy is enabled.
- Visit sign-in or sign-up page: The user navigates to the sign-in or sign-up page.
- Completes sign-in or sign-up: The user completes the identity verification process within the sign-in or sign-up flow.
- Set up MFA primary factor: The user is prompted to set up their primary MFA factor (either Authenticator app OTP or WebAuthn). If multiple primary factors are enabled, they can choose their preferred option. If the “User-controlled MFA” policy is enabled, they can also skip this step by selecting the "Skip" button.
- Set up MFA backup factor: If Backup codes are enabled, the user is prompted to set up backup codes after successfully configuring their primary authentication factor. Auto-generated backup codes are displayed to the user, who can download them and store them securely. The user must manually confirm the backup codes to complete the MFA setup process.

MFA verification flow
Users who have set up MFA will be prompted to verify their identity using their configured MFA factors during sign-in. The verification factor will depend on the MFA configuration in Logto and the user settings.
- If a user has set up only one factor, they will verify it directly.
- If a user has set up multiple factors as 2FA, they will need to choose one to verify.
- If none of the enabled primary factors is available to the user and backup codes are enabled, they can use a one-time backup code to verify their identity.
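As an added example (not Logto's own code), the following TypeScript models the setup-prompt policy from the global configuration and set-up flow above together with the verification rules just listed, so the combined behaviour can be checked case by case; the type names, function names and the notion of a factor being "available" are assumptions made for this illustration.

```typescript
// Added example, not Logto's code: a model of the MFA setup-prompt policy and the
// verification rules documented on this page. All names here are illustrative.
type PrimaryFactor = "TotpOtp" | "WebAuthn";
type Factor = PrimaryFactor | "BackupCode";
interface MfaConfig {
  primaryFactors: PrimaryFactor[]; // factors enabled under Console > Multi-factor auth
  backupCodesEnabled: boolean;
  requireMfa: boolean; // the "Require MFA" toggle
  // Consulted only when requireMfa is false (user-controlled MFA).
  setupPrompt: "never" | "atRegistration" | "onSignInAfterRegistration";
}
interface UserState {
  boundFactors: Factor[]; // factors the user has already set up
  signInCount: number; // 1 = the sign-in that completed registration
  skippedSetupPrompt: boolean; // the prompt is shown once; a skip is remembered
}

type SetupDecision = "setupRequired" | "setupPrompt" | "none";
// What happens right after the user's identity verification succeeds.
function decideSetup(config: MfaConfig, user: UserState): SetupDecision {
  if (user.boundFactors.some((f) => f !== "BackupCode")) return "none";
  if (config.requireMfa) return "setupRequired"; // cannot be skipped; no MFA means lockout
  if (user.skippedSetupPrompt) return "none";
  switch (config.setupPrompt) {
    case "atRegistration": return "setupPrompt"; // existing users: at their next sign-in
    case "onSignInAfterRegistration": return user.signInCount >= 2 ? "setupPrompt" : "none";
    default: return "none";
  }
}

type VerifyDecision =
  | { kind: "skip" } // nothing bound: no second step
  | { kind: "verify"; factor: PrimaryFactor }
  | { kind: "choose"; factors: PrimaryFactor[] }
  | { kind: "backupCode" }
  | { kind: "blocked" }; // nothing usable and no backup codes (the page does not cover this case)

// `available` lists the bound primary factors the user can actually use right now.
function decideVerification(config: MfaConfig, user: UserState, available: PrimaryFactor[]): VerifyDecision {
  const bound = user.boundFactors
    .filter((f): f is PrimaryFactor => f !== "BackupCode")
    .filter((f) => config.primaryFactors.includes(f)); // factors disabled by the admin are not offered
  if (bound.length === 0) return { kind: "skip" };
  const usable = bound.filter((f) => available.includes(f));
  if (usable.length === 1) return { kind: "verify", factor: usable[0] };
  if (usable.length > 1) return { kind: "choose", factors: usable };
  if (config.backupCodesEnabled && user.boundFactors.includes("BackupCode")) return { kind: "backupCode" };
  return { kind: "blocked" };
}
```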

MFA management
Beyond the initial setup during sign-in/sign-up, users can manage their MFA settings through a self-service account center. This provides flexibility for users to bind or unbind MFA factors based on their needs.
Building an account center
You can build a comprehensive account center using Logto's Account API, which allows users to:
- Bind new MFA factors: Add additional authenticator apps, passkeys, or regenerate backup codes
- Unbind existing MFA factors: Remove MFA methods they no longer wish to use
- View current MFA status: See which MFA factors are currently configured
Post-login MFA setup prompts
For applications that don't require MFA during initial registration, you can implement intelligent prompts to encourage MFA setup:
- Conditional prompts: Show MFA setup recommendations based on user behavior or account value
- Security dashboards: Display security scores that improve when MFA is enabled
- Gradual onboarding: Present MFA setup as part of a progressive security enhancement flow
Learn more about implementing these patterns with the Account API.